Block initiator IP for X seconds after Y connections on TCP 3389 within Z seconds

tonetl
Level 1

This will hopefully be a very easy question for someone who normally works within the FirePower Management Center.  We currently have a couple of servers opened up to the outside world for RDP connections by our employees; I know this isn't a good practice and we'll be setting up VPN soon.  However, in the meantime, we are seeing lots of traffic from random sources trying to connect using random usernames (big surprise).  What I was hoping to accomplish was to configure FirePower to block any sources that try to connect to the specific servers Y times within Z seconds (5 times within 30 seconds?).  Ideally, it would be a temporary block, but a permanent add to a blacklist would be acceptable if someone could explain how to view the blacklist to remove any false positives.  I have almost zero experience with FirePower or with managing Cisco products via command line, so I was hoping someone could walk me through where and how to accomplish the tasks needed via the GUI.  If this isn't something realistic, just let me know.  I'm comfortable with the Cisco ASDM software and regularly use it to create static rules affecting firewall traffic.  In fact, I've been adding most of the "attacker" IP addresses to a rule in ASDM to block their traffic as I see heavy traffic hitting.  If the request for an automatic rule isn't realistic I'll just continue to monitor the traffic hitting the servers and manually add IPs to the block rule in Cisco ASDM until we can get a VPN configured.  I look forward to and greatly appreciate any assistance or advice anyone could possibly provide for this situation.  Thanks!

1 Accepted Solution

Accepted Solutions

Rahul Govindan
VIP Alumni

This should be possible by configuring a Rate Based Attack Policy in your Network Analysis Policy. This way you can create a rule to see the number of TCP SYN packets coming to your server IP address per second and use that to identify this malicious traffic. This is not enabled by default in the Base Policy and can be added in a layer on top of the Base.

Here are the steps that you can use to configure the same in Firepower:

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/Detecting_Specific_Threats.html#ID-2236-00000330

You might have to do some trial and error to make sure that the Firepower does not detect False Positives.


3 Replies

That's the route I was heading towards inside the intrusion detection rules section before I made my post for help.  I was trying to add a dynamic state to the "APP-DETECT remote desktop protocol attempted administrator connection request" rule and also the "SERVER-OTHER Remote Desktop Protocol brute force attempt" rule but neither seemed to be doing anything.  It was likely user error and I didn't feel like I knew what to do so I came here for help.  I'll read through the documentation you linked and hopefully make some progress from that.

I know it's been well over a year, but I wanted to follow up to thank you and document this for anyone else experiencing a similar issue.  Within our FirePower management console, I ended up following along with the link that Rahul provided to create a SYN Attack Prevention rule within the Rate-Based Attack Prevention section.  The rule tracks based on destination rather than source and basically says if anyone tries to go to the IP address of our specific server X times within Y seconds, drop their packets for 3600 seconds.  Creating that rule basically thwarts any bots trying to dictionary attack our admin account.
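As an added illustration (not Cisco's code and not from anyone in this thread), here is a small Python model of the rate-based rule described above, run over a constructed set of RDP connection attempts so you can compare tracking by source with tracking by destination. The server and client addresses, the 5-in-30-seconds threshold and the 3600-second timeout are assumed sample values; note that destination tracking also drops the legitimate employee once the threshold trips, which is the false-positive trade-off the accepted answer mentions.

```python
from collections import defaultdict, deque

RDP_PORT = 3389

class RateBasedBlocker:
    """Sliding-window model of a rate-based SYN attack prevention rule:
    once `count` RDP connection attempts hit the tracked key within
    `seconds`, that key is blocked for `timeout` seconds."""

    def __init__(self, count, seconds, timeout, track_by="source"):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.track_by = track_by            # "source" or "destination"
        self.windows = defaultdict(deque)   # key -> recent attempt timestamps
        self.blocked = {}                   # key -> block expiry timestamp

    def check(self, ts, src, dst, dport):
        """Return 'allow', 'block' (attempt that trips the rule) or 'drop'."""
        if dport != RDP_PORT:
            return "allow"                  # rule only watches TCP/3389
        key = src if self.track_by == "source" else dst
        expiry = self.blocked.get(key)
        if expiry is not None:
            if ts < expiry:
                return "drop"               # still inside the timeout
            del self.blocked[key]           # timeout elapsed, start fresh
        win = self.windows[key]
        win.append(ts)
        while ts - win[0] > self.seconds:   # evict attempts older than window
            win.popleft()
        if len(win) >= self.count:
            self.blocked[key] = ts + self.timeout
            win.clear()
            return "block"
        return "allow"

# Constructed sample: (timestamp s, source, destination, dst port).
# 203.0.113.7 hammers the RDP server; 198.51.100.4 is a legitimate employee.
EVENTS = [
    (0, "203.0.113.7", "192.0.2.10", 3389), (5, "203.0.113.7", "192.0.2.10", 3389),
    (10, "203.0.113.7", "192.0.2.10", 3389), (12, "198.51.100.4", "192.0.2.10", 3389),
    (15, "203.0.113.7", "192.0.2.10", 3389), (20, "203.0.113.7", "192.0.2.10", 3389),
    (25, "203.0.113.7", "192.0.2.10", 3389), (40, "198.51.100.4", "192.0.2.10", 3389),
    (50, "198.51.100.4", "192.0.2.10", 443), (3700, "203.0.113.7", "192.0.2.10", 3389),
]

def replay(track_by, events=EVENTS, count=5, seconds=30, timeout=3600):
    """Run the constructed events through a 5-in-30s rule with a 3600 s timeout."""
    rule = RateBasedBlocker(count, seconds, timeout, track_by)
    return [rule.check(*e) for e in events]
```

Call `replay("source")` and `replay("destination")` to see the two verdict lists side by side.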