Hi - I have an ASA 5510 acting as our front-end device, and I recently tightened the Threat-Detection settings to shun hosts detected as scanning attack devices. Normally I am seeing Scanning Attack counts < 10-15. However, I am seeing Scanning Attack storms from a wide variety of IP addresses several times each week. I was able to capture screenshots (attached) of ASDM graphs of one of these scanning attack storms. I have also included a listing of our device's Threat-Detection settings and statistics (below).
I'm wondering how these Scanning Attack storms are coordinated? When these attacks occur, I am seeing the 733101 events listing a very diverse mix of IP addresses. Moreover, does anyone know of a better strategy I could use to protect our enterprise? I'm wondering if there is a cost-effective way to stand up a honeypot or something? Also, I have 4 additional static public IP addresses I'm not using.
When we see these spikes in scanning attacks, users complain that WWW traffic bogs down or pages start timing out. Currently we are using a Comcast Business data line with speeds of 27 Mbps down and 7 Mbps up. I'm working on upgrading this to 75/15 in the near future.
Thanks - Peter
AMASA5510# sh threat-detection rate
                     Average(eps)  Current(eps)  Trigger  Total events
  10-min ACL drop:              0             1        0           439
  1-hour ACL drop:              1             1        0          3905
  10-min SYN attck:             0             1        0           287
  1-hour SYN attck:             0             0        0          1696
  10-min Scanning:              2             1    23757          1377
  1-hour Scanning:              3             2    53350         11577
  10-min Bad pkts:              0             0        0            95
  1-hour Bad pkts:              0             0        0          2752
  10-min Firewall:              1             2        0          1094
  1-hour Firewall:              2             2        0          9885
  10-min DoS attck:             0             0        0           560
  1-hour DoS attck:             0             1        0          3228
  10-min Interface:             2             5        0          1239
  1-hour Interface:             3             2        0         11309
AMASA5510# sh runn threat-detection
threat-detection rate scanning-threat rate-interval 600 average-rate 0 burst-rate 0
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
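The following script is an added example (not from the post or from Cisco) that parses the two outputs pasted above and checks each scanning row of "show threat-detection rate" against the configured "threat-detection rate scanning-threat" thresholds. The sample text is reconstructed from the post; the trigger rule (a row counts as exceeded when its average rate is above average-rate or its current rate is above burst-rate for the matching interval) and the mapping of the "Scanning" label to the scanning-threat keyword are assumptions for illustration, not documented ASA behaviour.

```python
"""Compare Cisco ASA 'show threat-detection rate' rows with the configured
'threat-detection rate' thresholds to see which rows sit above their limits.

Added example; the sample outputs are reconstructed from the forum post.
ASSUMED trigger rule: average_eps > average-rate OR current_eps > burst-rate.
"""
import re

# Constructed sample: subset of the 'sh threat-detection rate' output in the post.
RATE_OUTPUT = """\
Average(eps) Current(eps) Trigger Total events
10-min ACL drop: 0 1 0 439
1-hour ACL drop: 1 1 0 3905
10-min SYN attck: 0 1 0 287
1-hour SYN attck: 0 0 0 1696
10-min Scanning: 2 1 23757 1377
1-hour Scanning: 3 2 53350 11577
"""

# Constructed sample: the two scanning-threat lines from 'sh runn threat-detection'.
CONFIG = """\
threat-detection rate scanning-threat rate-interval 600 average-rate 0 burst-rate 0
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
"""

ROW_RE = re.compile(r"^(10-min|1-hour)\s+(.+?):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
CFG_RE = re.compile(
    r"^threat-detection rate (\S+) rate-interval (\d+) average-rate (\d+) burst-rate (\d+)$"
)

INTERVAL_SECONDS = {"10-min": 600, "1-hour": 3600}
# Assumed mapping from the 'show' row label to the config keyword.
CATEGORY_KEYWORD = {"Scanning": "scanning-threat"}


def parse_rates(text):
    """Return one dict per data row of 'show threat-detection rate'."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        interval, category, avg, cur, trig, total = m.groups()
        rows.append({
            "interval": interval,
            "interval_seconds": INTERVAL_SECONDS[interval],
            "category": category,
            "average_eps": int(avg),
            "current_eps": int(cur),
            "trigger": int(trig),
            "total_events": int(total),
        })
    return rows


def parse_thresholds(text):
    """Map (keyword, interval_seconds) -> (average-rate, burst-rate)."""
    thresholds = {}
    for line in text.splitlines():
        m = CFG_RE.match(line.strip())
        if m:
            keyword, interval, avg, burst = m.groups()
            thresholds[(keyword, int(interval))] = (int(avg), int(burst))
    return thresholds


def exceeded(rows, thresholds):
    """Rows whose observed rates are above the configured limits (assumed rule)."""
    findings = []
    for row in rows:
        key = (CATEGORY_KEYWORD.get(row["category"]), row["interval_seconds"])
        if key not in thresholds:
            continue  # no configured threshold for this row
        avg_limit, burst_limit = thresholds[key]
        if row["average_eps"] > avg_limit or row["current_eps"] > burst_limit:
            findings.append((row["interval"], row["category"], row["trigger"],
                             avg_limit, burst_limit))
    return findings


if __name__ == "__main__":
    for interval, category, trig, avg_limit, burst_limit in exceeded(
            parse_rates(RATE_OUTPUT), parse_thresholds(CONFIG)):
        print(f"{interval} {category}: above limits avg>{avg_limit}/burst>{burst_limit}, "
              f"trigger count {trig}")
```

Run against the pasted values, only the 10-minute scanning row comes out above its limits, because the 600-second interval is configured with average-rate 0 and burst-rate 0; the 1-hour row (average 3, current 2) stays under its 4/8 limits. That lines up with the very large 10-min Trigger count in the output and is the first thing to look at when deciding whether the shun policy is firing on the storm or on normal traffic.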
Simultaneous scanning attacks can be achieved when the attack is launched with a botnet. At that moment, "n" number of systems are launching the attack without their knowledge.
*Rate helpful post*