static nat statement allowed IPS to miss a potential attack?

misscat123
Level 1

Hi,

I have a question about static nat statement and the IPS module. Customer says that there was a brute force attack against a server on port 3389 RDP.

The IPS did not report any attack in progress, nor does it show in history there was an attack.

I think because this statement was in the router: ip nat inside source static tcp x.x.x.x 3389 (external address x.x.x.x) 3389 extendable

that the IPS did not see any problem, and therefore the traffic was not classified as rogue.

Can anyone confirm this is why IPS did not alert on the traffic, or add your thoughts?

Every 2 minutes someone was trying to log in to the server from the outside. Server logs alerted the customer that there was a problem.

Customer removed the statement from the router, and attack ceased.

We have

internet->3925 router->asa512 w/IPS module->inside lan

thank you

2 Replies

The reason that the attack ceased when you removed the NAT is probably that no external access is possible any more without that NAT statement.

There are two reasons why you missed the attack on the IPS:

1) To my knowledge there is no signature for failed logins to an RDP-service. So the IPS can't act on it.

2) If there had been a signature, the thresholds would have to be quite tight for an attack that only happens every two minutes. That leads to a higher false-positive rate, or to missed attacks if the thresholds are set higher.

Here it seems that your security is working, as you have a second source of input (your log files).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
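The threshold trade-off described in the reply above, as an added illustration that is not part of the original thread: a per-source sliding-window counter run over constructed log lines (a simplified rendering of Windows failed-logon events, not real data). The same six failures spaced two minutes apart are missed by a "5 failures in 1 minute" rule and caught by a "5 failures in 10 minutes" rule, which is exactly why a slow attempt tends to surface in server logs rather than in a rate-based IPS signature. The event codes, field names and addresses are assumptions made for this example.

```python
"""Sliding-window failed-logon detector over constructed RDP-style log lines.

Added example, not code from the original thread. It shows why a rate
threshold tuned for fast brute force misses one attempt every two minutes,
and how a longer window catches the same sequence.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (NOT real log data) in a simplified
# "timestamp event fields" layout loosely modelled on Windows event 4625
# (failed logon) / 4624 (successful logon) with logon type 10 (remote interactive).
SAMPLE_LOG = """\
2013-05-01 10:00:00 4625 LogonType=10 Src=203.0.113.7 User=administrator
2013-05-01 10:02:00 4625 LogonType=10 Src=203.0.113.7 User=admin
2013-05-01 10:04:00 4625 LogonType=10 Src=203.0.113.7 User=root
2013-05-01 10:04:30 4624 LogonType=10 Src=198.51.100.20 User=jsmith
2013-05-01 10:06:00 4625 LogonType=10 Src=203.0.113.7 User=administrator
2013-05-01 10:08:00 4625 LogonType=10 Src=203.0.113.7 User=guest
2013-05-01 10:10:00 4625 LogonType=10 Src=203.0.113.7 User=administrator
2013-05-01 10:11:00 4625 LogonType=10 Src=198.51.100.20 User=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\d+) "
    r"LogonType=(?P<ltype>\d+) Src=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse_failed_rdp_logons(log_text):
    """Yield (timestamp, source_ip) for each failed remote-interactive logon.

    Lines that do not match the layout, successful logons (4624) and
    non-RDP logon types are skipped.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["event"] != "4625" or m["ltype"] != "10":
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]


def detect_brute_force(log_text, threshold, window):
    """Return the set of source IPs that reach `threshold` failures within `window`.

    A deque per source holds the timestamps still inside the window; events
    older than `window` are evicted before the count is compared, so the
    rule is "at least `threshold` failures in any `window`-long span".
    """
    history = defaultdict(deque)
    flagged = set()
    for ts, src in parse_failed_rdp_logons(log_text):
        q = history[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def compare_rules(log_text):
    """Run a fast-attack rule and a slow-attack rule over the same log."""
    return {
        "5_in_1_minute": detect_brute_force(log_text, 5, timedelta(minutes=1)),
        "5_in_10_minutes": detect_brute_force(log_text, 5, timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for rule, hits in compare_rules(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(hits) or 'no source flagged'}")
```

The tight rule never sees more than one failure inside its one-minute window, so the slow attempt goes unreported; widening the window to ten minutes flags the source after the fifth failure at 10:08. Widening the window is what raises the false-positive exposure the reply mentions, since legitimate users who mistype a password a few times over ten minutes start to look similar.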

Thanks for your answer. That makes sense to me.
