11-26-2012 07:16 AM - edited 03-11-2019 05:27 PM
Hello,
I have a remote site with 5 people with an ASA 5505 just behind the ISP router.
I keep observing messages like this in my syslog servers.
Nov 26 09:42:21 Nov-******** 26 2012 09:42:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4344
Nov 26 09:42:41 Nov-******** 26 2012 09:42:41: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4371
Nov 26 09:43:01 Nov-******** 26 2012 09:43:01: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4359
Nov 26 09:43:21 Nov-******** 26 2012 09:43:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4355
Nov 26 09:43:41 Nov-******** 26 2012 09:43:41: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4372
Nov 26 09:43:41 Nov-******** 26 2012 09:43:41: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 26008
Nov 26 09:44:01 Nov-******** 26 2012 09:44:01: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4311
Nov 26 09:44:21 Nov-******** 26 2012 09:44:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4312
Nov 26 09:44:41 Nov-******** 26 2012 09:44:41: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4282
My conf for the threat part is based on the default config for "threat detection":
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
I'm on versions:
-ASA Version 8.4(4)1
-asdm-649-103.bin
But I've configured some service policies to have compression with internal equipment between this site and the datacenter, and to allow the users to ping and ftp everywhere:
tcp-map MY_tcpmap
 queue-limit 20 timeout 4
 synack-data allow
 invalid-ack allow
 seq-past-window allow
 tcp-options range 26 26 allow
 tcp-options range 28 28 allow
 no ttl-evasion-protection
 urgent-flag allow
!
access-list inside-mpc_1 extended permit ip object-group INTERN_SUBS object-group REMOTE_VPN_SUBS
class-map ipe-compress-class
 match access-list inside-mpc_1
access-list inside_mpc extended permit ip object INTERN_SUB1 object INTERN_SUB2
class-map inside-class
 match access-list inside_mpc
policy-map inside-policy
 class inside-class
  set connection advanced-options tcp-state-bypass
 class ipe-compress-class
  set connection random-sequence-number disable
  set connection advanced-options MY_tcpmap
service-policy inside-policy interface inside
class-map icmp-class
 match default-inspection-traffic
class-map ftp-class
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
 class ftp-class
  inspect ftp
service-policy icmp_policy interface outside
When I'm looking at the debugging view in ASDM, I see a lot of broadcasts issued by one of the computers. I think the problematic software is Dell Stage and I'm working with the user to remove it.
But even when this problematic user is not in the office, there are still messages of that kind.
Can someone help me to identify the bad traffic?
Please tell me if you need more information.
Best regards
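The %ASA-4-733100 messages quoted in this post are easier to reason about once they are parsed rather than read. The following added example (my code, not the poster's and not Cisco's) pulls the burst and average rates, the configured maxima and the cumulative count out of each line, reports which of the two thresholds a message actually tripped, and cross-checks the cumulative count against the averaging window. The sample lines are constructed in the shape of the ones above, with the masked hostname kept masked; the 600-second and 3600-second windows are the default intervals of basic threat detection, which rate-1 and rate-2 refer to.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default averaging intervals of ASA basic threat detection: rate-1 is the
# 600-second window and rate-2 the 3600-second window.
RATE_INTERVALS_SEC = {1: 600, 2: 3600}

# Constructed sample lines in the shape of the messages posted in the thread
# (the hostname field is masked in the post and is left masked here).
SAMPLE_LOG = """\
Nov 26 09:42:21 Nov-******** 26 2012 09:42:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4344
Nov 26 09:43:41 Nov-******** 26 2012 09:43:41: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 26008
Nov 26 09:44:01 Nov-******** 26 2012 09:44:01: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4311
"""

PATTERN = re.compile(
    r"%ASA-4-733100: \[\s*(?P<category>[^\]]+?)\s*\] drop rate-(?P<interval>\d) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


@dataclass
class ThreatEvent:
    category: str   # e.g. "Scanning"
    interval: int   # 1 or 2
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int

    def exceeded(self) -> List[str]:
        """Which configured thresholds the reported rates are above."""
        hits = []
        if self.burst > self.burst_max:
            hits.append("burst")
        if self.avg > self.avg_max:
            hits.append("average")
        return hits

    def implied_average(self) -> int:
        """Cumulative count spread over the window; should agree with avg."""
        return self.total // RATE_INTERVALS_SEC[self.interval]


def parse_line(line: str) -> Optional[ThreatEvent]:
    """Return a ThreatEvent for a 733100 line, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    return ThreatEvent(
        category=m["category"],
        interval=int(m["interval"]),
        burst=int(m["burst"]),
        burst_max=int(m["burst_max"]),
        avg=int(m["avg"]),
        avg_max=int(m["avg_max"]),
        total=int(m["total"]),
    )


def summarize(log: str) -> Dict[int, Dict[str, int]]:
    """Per rate interval: number of messages, how many tripped the burst
    threshold, how many tripped the average threshold, and the peak average."""
    summary: Dict[int, Dict[str, int]] = {}
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = summary.setdefault(ev.interval, {
            "window_sec": RATE_INTERVALS_SEC.get(ev.interval, 0),
            "messages": 0, "burst_hits": 0, "average_hits": 0, "peak_average": 0,
        })
        hits = ev.exceeded()
        s["messages"] += 1
        s["burst_hits"] += int("burst" in hits)
        s["average_hits"] += int("average" in hits)
        s["peak_average"] = max(s["peak_average"], ev.avg)
    return summary


if __name__ == "__main__":
    for interval, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(f"rate-{interval} ({stats['window_sec']}s window): {stats}")
```

On the lines above every message reports a burst rate below its maximum and an average rate above it, so what the ASA is flagging is a sustained trickle of dropped packets (about 7 per second over both the 10-minute and the 1-hour window) rather than a spike. The cumulative count divided by the window gives that same 7, which is a quick sanity check that the two rates are being read correctly.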
12-03-2012 01:39 AM
Hi everyone,
I still observe these messages in my syslog permanently.
Dec 3 04:34:50 Dec-****** 03 2012 04:34:50: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 30079
Dec 3 04:35:10 Dec-****** 03 2012 04:35:10: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4945
Dec 3 04:35:30 Dec-****** 03 2012 04:35:30: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4929
Dec 3 04:35:50 Dec-****** 03 2012 04:35:50: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4945
Dec 3 04:36:10 Dec-****** 03 2012 04:36:10: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4954
Dec 3 04:36:31 Dec-****** 03 2012 04:36:31: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4960
...
It's very annoying...
The only thing I can add is:
****# sh asp drop
Frame drop:
NAT-T keepalive message (natt-keepalive) 86325
IPSEC tunnel is down (ipsec-tun-down) 1456
Punt no memory (punt-no-mem) 118
Invalid encapsulation (invalid-encap) 379
Invalid IP header (invalid-ip-header) 6
Invalid IP length (invalid-ip-length) 2
Reverse-path verify failed (rpf-violated) 1
Flow is denied by configured rule (acl-drop) 1501067
Invalid SPI (np-sp-invalid-spi) 10
First TCP packet not SYN (tcp-not-syn) 13218
TCP data send after FIN (tcp-data-past-fin) 5
TCP failed 3 way handshake (tcp-3whs-failed) 15380
TCP RST/FIN out of order (tcp-rstfin-ooo) 67556
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6
TCP SYNACK on established conn (tcp-synack-ooo) 11
TCP packet SEQ past window (tcp-seq-past-win) 9154
TCP invalid ACK (tcp-invalid-ack) 2
TCP Out-of-Order packet buffer full (tcp-buffer-full) 35094
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 155
TCP RST/SYN in window (tcp-rst-syn-in-win) 20
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 2258
TCP packet failed PAWS test (tcp-paws-fail) 7
Slowpath security checks failed (sp-security-failed) 1769202
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 5
FP L2 rule drop (l2_acl) 53
Dropped pending packets in a closed socket (np-socket-closed) 16945
Last clearing: 04:24:15 EST Nov 13 2012 by enable_15
Flow drop:
Need to start IKE negotiation (need-ike) 14146
NAT reverse path failed (nat-rpf-failed) 56
Inspection failure (inspect-fail) 128
SSL bad record detected (ssl-bad-record-detect) 194
SSL handshake failed (ssl-handshake-failed) 6
SSL received close alert (ssl-received-close-alert) 7
Last clearing: 04:24:15 EST Nov 13 2012 by enable_15
Can anyone help me to debug this?
Best regards
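Because the counters in "show asp drop" are cumulative since the last clearing (Nov 13 in the output above), a single snapshot only says what has dropped most overall; what is still dropping now is the difference between two snapshots taken a few minutes apart. The added example below (mine, not from the thread and not from Cisco) parses the output into per-section counters keyed by the short code in parentheses, ranks each section's reasons by share, and diffs two snapshots so the still-growing counters stand out. The input is a constructed excerpt in the shape of the output posted above, and the second snapshot in the test is constructed by bumping one counter.

```python
import re
from typing import Dict, List, Tuple

Counters = Dict[str, Dict[str, int]]   # section -> drop code -> count

# Constructed excerpt in the shape of the `show asp drop` output posted above.
SAMPLE_ASP_DROP = """\
Frame drop:
  NAT-T keepalive message (natt-keepalive)                           86325
  Flow is denied by configured rule (acl-drop)                     1501067
  First TCP packet not SYN (tcp-not-syn)                             13218
  TCP failed 3 way handshake (tcp-3whs-failed)                       15380
  Slowpath security checks failed (sp-security-failed)             1769202
  FP L2 rule drop (l2_acl)                                              53
Last clearing: 04:24:15 EST Nov 13 2012 by enable_15

Flow drop:
  Need to start IKE negotiation (need-ike)                           14146
  NAT reverse path failed (nat-rpf-failed)                              56
  Inspection failure (inspect-fail)                                    128
Last clearing: 04:24:15 EST Nov 13 2012 by enable_15
"""

# "Frame drop:" / "Flow drop:" headers; "Last clearing:" lines do not match.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ drop):\s*$")
# "<description> (<code>) <count>", e.g. "Flow is denied by configured rule (acl-drop) 1501067"
COUNTER = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str) -> Counters:
    """Parse show asp drop output into per-section counters keyed by drop code."""
    counters: Counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m["name"]
            counters[section] = {}
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            counters[section][m["code"]] = int(m["count"])
    return counters


def top_reasons(counters: Counters, section: str, n: int = 5) -> List[Tuple[str, int, float]]:
    """Highest counters in a section as (code, count, percent of section total)."""
    table = counters.get(section, {})
    total = sum(table.values()) or 1
    ranked = sorted(table.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(code, count, round(100.0 * count / total, 1)) for code, count in ranked]


def delta(before: Counters, after: Counters) -> Counters:
    """Growth of each counter between two snapshots; only positive changes are
    kept, so the result shows what is still being dropped right now."""
    out: Counters = {}
    for section, table in after.items():
        previous = before.get(section, {})
        grew = {code: cnt - previous.get(code, 0) for code, cnt in table.items()}
        out[section] = {code: d for code, d in grew.items() if d > 0}
    return out


if __name__ == "__main__":
    snapshot = parse_asp_drop(SAMPLE_ASP_DROP)
    for section in snapshot:
        print(section)
        for code, count, share in top_reasons(snapshot, section, 3):
            print(f"  {code:<22} {count:>9}  {share:5.1f}%")
```

In the posted snapshot the frame-drop section is dominated by sp-security-failed and acl-drop, with the TCP normalizer drops (tcp-buffer-full, tcp-rstfin-ooo, tcp-3whs-failed) well behind; since those are totals accumulated over two weeks, the delta between two fresh snapshots, or a "clear asp drop" followed by a short wait, is what tells you which of them is growing while the 733100 messages are firing.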