Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
982
Views
4
Helpful
4
Replies

Block host when it starts multiple sessions within a predefined time frame

Rutger Luuk Dost
Level 1
Level 1

‎07-24-2016 07:32 AM - edited ‎03-10-2019 06:39 AM

Is it possible with the asa5516 to automatically deny a host if it starts multiple sessions to a specific destination IP and specific destination port in a predefined time frame?

An example:

When a host sends 10 tcp packets with the syn flag to a specific destination on let's say port 3389 within 30 seconds, block the source IP address in the ASA.

This should migitate failed login attempts within our network.

Labels:
0 Helpful
4 Replies 4

Rutger Luuk Dost
Level 1
Level 1

‎07-26-2016 02:14 PM

The feature "Preventing SYN Attack Prevention" which is found under Network Analysis Policy -> Settings -> Rate-Bassed Attack Prevention in FirePOWER Management Center 6.0.1 seems exactly what I'm looking for at first hand. Unfortunatly it's not always doing what the following article is saying:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Detecting_Specific_Threats.html.

It should block only the malicious Source IP addresses, but it's blocking all Source IP addresses when the treshold is reached multiple time simultaneously.

I used the following test set-up:

  • One client Computer
  • One Windows Server 

The client computer was used to login with wrong credentials on the Windows Server and when it reached the treshold and couldn't establish a connection anymore I switched the IP address of the client. Sometimes I could establish a connection (like it should) and sometimes when I had 2 or 3 IP addresses locked out because of reaching the treshold, the FirePOWER module was blocking all source IP addresses.

Cisco, can you plse explain to me why it's blocking all Source IP addresses? 

0 Helpful

Rutger Luuk Dost
Level 1
Level 1
In response to Rutger Luuk Dost

‎09-17-2016 01:18 PM

Ok, the problem with the SYN Attack Prevention seems to be a bug in the Rate-Based attack preprocessor. They have created a bug ticket to fix this issue:

https://tools.cisco.com/bugsearch/bug/CSCvb36855

Kfir Mesika
Level 1
Level 1

‎01-18-2017 12:22 PM

Any update about this problem.

I want to enable this feature and rate-based For simultaneous connection, but I am not sure how to configure it correctly.

I enabled rate-based for sumultaneous connection for 200 connectios for destination ip address - without the drop option.

In intrusion events I cas see alot of events GID:135 .

Traffic that matched access control rule with intrusion policy with drop, droped one IP because of this signature while in the NAP policy I did not check the drop check box.

What is happening?!?!

0 Helpful

Rutger Luuk Dost
Level 1
Level 1
In response to Kfir Mesika

‎02-11-2017 11:51 AM

Hi Kfir, are you sure the preprocessor with GID:135 was responsible for the blocking? Was it not some other Intrustion Rule which blocked it? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card