02-05-2011 11:43 PM - edited 03-11-2019 12:45 PM
The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack. Refer to the attached picture.
In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
Regards
Solved! Go to Solution.
02-06-2011 02:33 AM
Yes, it is protecting both directions of the traffic passing through the ASA, inbound and outbound by default.
It looks like your internal host is attacking the 82.214.154.223 host, or it might be some software that is trying to reach 82.214.154.223, however, this host is not responding. Might be peer to peer file sharing or other similar sort of application.
There are different types and features of threat detection, and here is more information for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html
Hope that helps.
02-06-2011 02:33 AM
Yes, it is protecting both directions of the traffic passing through the ASA, inbound and outbound by default.
It looks like your internal host is attacking the 82.214.154.223 host, or it might be some software that is trying to reach 82.214.154.223, however, this host is not responding. Might be peer to peer file sharing or other similar sort of application.
There are different types and features of threat detection, and here is more information for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html
Hope that helps.
06-03-2013 04:58 AM
Hi,
below is the output of the # sh threat-detection rate command. can anyone explain me the vulnerabilities and risks by looking at the figures below. thanks
Average(eps) Current(eps) Trigger Total events
10-min ACL drop: 1 0 0 672
1-hour ACL drop: 1 0 0 4654
10-min SYN attck: 0 0 0 386
1-hour SYN attck: 0 0 0 3428
10-min Scanning: 2 1 55503 1248
1-hour Scanning: 2 2 18455 9177
10-min Bad pkts: 0 0 0 184
1-hour Bad pkts: 0 0 0 1089
10-min Firewall: 1 0 0 862
1-hour Firewall: 1 1 0 5749
10-min DoS attck: 0 0 0 6
1-hour DoS attck: 0 0 0 6
10-min Interface: 1 0 0 1034
1-hour Interface: 1 1 0 6616
regards,
AAMIR
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide