Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6295
Views
0
Helpful
5
Replies

Cisco Asa Scanning attack

emilioj.romero
Level 1
Level 1

‎07-19-2011 02:00 PM - edited ‎03-11-2019 02:00 PM

How to see the ip address of the attack host?

Show the logging

Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:11: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3113

Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:15: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 21589

Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:11: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3113

Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:15: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 21589

Regards

Labels:
0 Helpful
5 Replies 5

Parminder Sian
Level 1
Level 1

‎07-27-2011 03:20 AM

Hi Emilio,

This can be fixed by using threat detection feature on ASA. Here's a link for your help:-

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6

Note:  If you do not want the drop rate exceed warning to appear, you can disable it by running the

no threat-detection basic-threat command.

Hope this helps,

Sian

0 Helpful

tranquocphu
Level 1
Level 1
In response to Parminder Sian

‎07-27-2011 07:57 AM

Hi Parminder

How can I shun  a host or a network?  My ASA is under scanning attack now.  Thanks.

0 Helpful

lcaruso
Level 6
Level 6
In response to tranquocphu

‎07-27-2011 08:14 AM

Just use the shun command

ciscoasa# shun ?

  Hostname or A.B.C.D  Specify source IP address of a mischievous host

0 Helpful

tranquocphu
Level 1
Level 1
In response to lcaruso

‎07-27-2011 08:29 AM

Hi lcaruso

I use the shun command shun x.x.x.x  x.x.x.x source port (need to specify a range of ports or shun all source ports)   80 0.

How can I shun all or a range of ports of the source port?  Source ports are showing dynamically on ASA screen.  Thanks.

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to tranquocphu

‎08-10-2011 02:04 PM

Hi Peter,

I am not sure i dunderstand your requirement well enough to be answering this. Are you looking at shunning a range of ports for a particular IP address on the ASA?

Regards,

Prapanch

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card