Threat Detection - Cisco ASA

Luke Oxley
Level 1
Afternoon,
I am trying to understand how the threat detection feature shuns attackers. From my understanding, taking into consideration the line of configuration below, if a host were to send 45 SYNs in 1 second then it would be logged as a threat and as a result the host shunned - thus denying all further communication, regardless of whether it is legitimate or not.
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
Taking this example into consideration, I have a few questions.
  1. Is this shun entry stored in some kind of shun table?
  2. In what order is the packet processed upon arrival? Is it checked against existing shuns before it hits ACL, NAT, and so on?
  3. Does this shun entry have a timeout or lifetime, where after a certain period of time the shun is revoked?
  4. Are shuns cleared with a reload, or do they persist until some means of manual clearing?
  5. Disregarding all the above questions - do shuns just exist for the single SYN that hits the burst-rate, or will they apply to all further communication attempted from that source address and port?
Thank you in advance for your help.
Regards,
Luke


Accepted Solution

shivdube
Level 1

Hi Luke,

1 - Yes, there is a shun table.

Use the show threat-detection shun command in order to view a full list of attackers that have been shunned by Threat Detection specifically. Use the show shun command in order to view the full list of all IPs that are actively being shunned by the ASA (including from sources other than Threat Detection).

Ans 2 - Yes, the packet is first checked against shuns.

Ans 3, 4 and 5 - The answer is below.

The shun command lets you block connections from an attacking host. All future connections from the source IP address are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

If you specify the destination address, source and destination ports, and the protocol, then you drop the matching connection as well as placing a shun on all future connections from the source IP address; all future connections are shunned, not just those that match these specific connection parameters.

You can only have one shun command per source IP address.

Because the shun command is used to block attacks dynamically, it is not displayed in the ASA configuration.

Whenever an interface configuration is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.

Dubey, Shivam

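To make the behaviour described in the accepted answer concrete, here is a small model of a rate-based SYN trigger feeding a source-only shun table that is consulted before any ACL or NAT decision. This is an added illustration, not Cisco's code: it assumes `average-rate` and `burst-rate` are events per second, that the burst window is `rate-interval/30` with a 10 s floor (as Cisco documents it), and that the trigger installs a shun keyed on the source IP alone, as the thread states.

```python
"""Constructed model of ASA-style rate-based threat detection plus a shun table.

Not Cisco code. Assumptions: a SYN event is (timestamp, src_ip); the average
rate is events/second over rate_interval; the burst rate is events/second over
a shorter burst window (rate_interval / 30, minimum 10 s); a triggered shun
is keyed on the source IP only and checked before ACL/NAT policy.
"""
from collections import defaultdict, deque


class ThreatDetector:
    def __init__(self, rate_interval=600, average_rate=30, burst_rate=45):
        self.rate_interval = rate_interval
        self.burst_interval = max(rate_interval / 30, 10)  # 20 s for 600 s
        self.average_rate = average_rate
        self.burst_rate = burst_rate
        self.events = defaultdict(deque)  # src_ip -> SYN timestamps
        self.shun_table = {}              # src_ip -> time the shun was added

    def is_shunned(self, src_ip):
        return src_ip in self.shun_table

    def record_syn(self, now, src_ip):
        """Record one SYN; return 'burst', 'average' or None."""
        q = self.events[src_ip]
        q.append(now)
        while q and q[0] <= now - self.rate_interval:  # drop stale samples
            q.popleft()
        burst_count = sum(1 for t in q if t > now - self.burst_interval)
        if burst_count / self.burst_interval > self.burst_rate:
            self.shun_table.setdefault(src_ip, now)  # one shun per source IP
            return "burst"
        if len(q) / self.rate_interval > self.average_rate:
            self.shun_table.setdefault(src_ip, now)
            return "average"
        return None

    def process_packet(self, now, src_ip, dst_port, syn=False):
        """Packet path: shun lookup first, regardless of port, then policy."""
        if self.is_shunned(src_ip):
            return "dropped: shunned"
        if syn:
            self.record_syn(now, src_ip)
        return "forwarded to ACL/NAT"

    def clear_shun(self, src_ip):
        """Manual removal, the equivalent of 'no shun <ip>'."""
        self.shun_table.pop(src_ip, None)
```

With the thread's numbers, the burst trigger in this model fires once more than 45 x 20 = 900 SYNs arrive inside one 20 s burst window, after which every packet from that source is dropped until the entry is cleared.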

3 Replies

Pulkit Saxena
Cisco Employee

Luke,

Please review this document and if you still have doubts, let me know:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

-

Pulkit

pusaxena and shivdube,

Thank you both very much for your help.

Kind regards,
Luke Oxley


