Showing results for 
Search instead for 
Did you mean: 

Waves of Scanning Attacks? How do they coordinate these?

Peter Roach
Level 1
Level 1

Hi - I have an ASA 5510 acting as our Front End device and I recently tightened the Threat-Detection settings to shun hosts detected as scanning attack devices.  Normally I am seeing Scanning Attack counts < 10-15.  However I am seeing a Scanning Attack storms from a wide variety of IP addresses several times each week.  I was able to capture screenshots (attached) of ASDM graphs of one of these scanning attack storms.  I have also included a listing our devices Threat-Detection settings and statistics (below).

I'm wondering how these Scanning Attack storms are coordinated?  When these attacks occur, I am seeing the 733101 events listing IP addresses for a very diverse mix of addresses.  Moreover, does anyone know of a better strategy I could use to protect our enterprise?  I'm wondering if there is a cost effective way to standup a honey pot or something?  Also, I have 4 additional static public IP addresses I'm not using.

When we see these spikes in scanning attacks, users complain that WWW traffic bogs down or pages start timing out.  Currently we are using a Comcast Business data line setup with speeds of 27 MBPs down and 7 MBPs up.  I'm working on upgrading this to 75/15 in the near future.

Thanks - Peter

ASA Details

AMASA5510# sh threat-detection rate

                          Average(eps)    Current(eps) Trigger      Total events

  10-min ACL  drop:                  0               1       0               439

  1-hour ACL  drop:                  1               1       0              3905

  10-min SYN attck:                  0               1       0               287

  1-hour SYN attck:                  0               0       0              1696

  10-min  Scanning:                  2               1   23757              1377

  1-hour  Scanning:                  3               2   53350             11577

  10-min Bad  pkts:                  0               0       0                95

  1-hour Bad  pkts:                  0               0       0              2752

  10-min  Firewall:                  1               2       0              1094

  1-hour  Firewall:                  2               2       0              9885

  10-min DoS attck:                  0               0       0               560

  1-hour DoS attck:                  0               1       0              3228

  10-min Interface:                  2               5       0              1239

  1-hour Interface:                  3               2       0             11309

AMASA5510# sh runn threat-detection

threat-detection rate scanning-threat rate-interval 600 average-rate 0 burst-rate 0

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200


1 Reply 1

Anim Saxena
Level 1
Level 1

Hi Peter,

Simultaneous scanning attacks can be achived when the attack is launched with a botnet. At that moment "n" number of systems are launching attack without their knowledge.


Anim Saxena

Community Manager,

*Rate helpful post*

Review Cisco Networking for a $25 gift card