Port scans (attacks?) on Cisco ASA slowing down internet

mvelatln
Level 1

Hello,

I cannot seem to find a topic for this and perhaps I'm using the wrong searches, so I'm apologizing ahead of time if this is somehow a duplicate discussion.

 

I support a location that has Cisco ASA in place and periodically their internet bandwidth drops tremendously, to the point that the internet is not usable.  I monitor their router speeds for traffic in and out and during these times bandwidth usage is normal.

 

What I found that happens is that there are many port scans happening at that time and it repeatedly exceeds the port scan limit.  It seems that the ASA see it and is doing its job, but it happens so much that I think the ASA is getting overburdened by responding to continuous scans from so many sources that it is requiring most of the resources it has.  So effectively, their "internet is down".

 

I'm trying to find out if there is something extra I need to put into place.  Maybe the basic security is not configured properly or I need to adjust rules.  Perhaps add something new.  I do not have Firepower or anything extra in play here.  This is a Cisco ASA 5512-X running software version 9.6(1).

 

Mike

2 Replies

Florin Barhala
Level 6
What tool/method did you use to see the traffic scan?
Can you be more specific about the type of attack? How much time is this usually taking?
What's the average number of connections, and what do you see during the attack?

What I would do right off the bat: call/contact the ISP and tell them about your issue. Maybe they're willing to help and mitigate the attack (if that is the case), without you adding extra security devices.

Otherwise you'll have to bring reinforcements.

Thank you for the questions.


As a sidebar to the current location at hand, we did have a location get hit daily at roughly the same time for the same amount of time.  During that time frame the internet was nearly unusable.

 

I did also connect with the ISP and they really didn't suggest anything groundbreaking because it wasn't a bandwidth or DDoS issue.

 

The scans showed up in the Cisco log when set to "Warnings".  There were over 700 unique IP addresses doing port scans on their ASA.  From what I know the basic scan limit is there and it drops them but it still hits the box and has to respond to the repeated requests from those IP addresses.

 

Without putting something on another device down the line towards the ISP I'm not sure what to do in terms of the ASA.

 

My log line for the scans looks like this:
[ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4627
 
Thanks,

Mike
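As an added example (not code from the thread, from Cisco, or from either poster), a small Python parser for the rate-exceeded message Mike quoted, so these events can be pulled out of a syslog feed and the two thresholds compared per event: in the quoted line it is the average rate (7 vs. 5), not the burst rate (1 vs. 10), that tripped. The syslog headers, the second Scanning line and the ACL-drop line in the sample are constructed for illustration and are assumptions, not captured data.

```python
import re
from dataclasses import dataclass
# Constructed sample log: the first message body is the one quoted in the thread; the syslog
# headers and the other lines are modelled on it and are assumptions, not captured data.
SAMPLE_LOG = """\
Mar 10 09:15:02 asa01 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4627
Mar 10 09:15:32 asa01 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4702
Mar 10 09:15:40 asa01 %ASA-4-733100: [ ACL drop] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 120 per second, max configured rate is 100; Cumulative total count is 88000
"""
# Message body in the wording quoted in the thread; search() tolerates any syslog header before it.
_RATE_RE = re.compile(
    r"\[\s*(?P<category>[^\]]+?)\s*\] drop rate-\d+ exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

@dataclass(frozen=True)
class RateEvent:
    category: str   # threat-detection category, e.g. "Scanning"
    burst: int      # current burst rate, drops per second
    burst_max: int  # configured burst-rate limit
    avg: int        # current average rate, drops per second
    avg_max: int    # configured average-rate limit
    total: int      # cumulative drop count reported by the ASA

    @property
    def burst_exceeded(self):
        return self.burst > self.burst_max

    @property
    def average_exceeded(self):
        return self.avg > self.avg_max

def parse_line(line):
    """Return a RateEvent for a threat-detection rate message, None for any other line."""
    m = _RATE_RE.search(line)
    if m is None:
        return None
    return RateEvent(m.group("category"),
                     *(int(m.group(k)) for k in ("burst", "burst_max", "avg", "avg_max", "total")))

def parse_log(text):  # keep only rate-exceeded events, in log order
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def drops_by_category(events):  # highest cumulative count per category: which drop reason dominates
    out = {}
    for ev in events:
        out[ev.category] = max(out.get(ev.category, 0), ev.total)
    return out
```

Feeding the ASA's syslog export through `parse_log` and watching `drops_by_category` over time separates a genuine scanning surge from other drop categories before deciding whether the threat-detection rates need tuning or the ISP needs to filter upstream.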
