Cisco ASA 5505 Configuration Manual page 1103

Chapter 51
Configuring Threat Detection
Information About Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the adaptive security appliance scanning threat detection feature
maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
If the scanning threat rate is exceeded, then the adaptive security appliance sends a syslog message
(733101), and optionally shuns the attacker. The adaptive security appliance tracks two types of rates:
the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst
interval is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event
detected that is considered to be part of a scanning attack, the adaptive security appliance checks the
average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is
considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is
considered to be a target.
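The two-window rate check described above, as an added example that is not Cisco code and does not reproduce the ASA's internal host database. The sliding-window counting, the event-per-second units, the thresholds and all host addresses are assumptions constructed for the illustration; only the 1/30-or-10-seconds burst interval rule, the syslog ID 733101 and the attacker/target roles come from the text.

```python
"""Model of the scanning-threat rate check: an average rate over a long interval
and a burst rate over a short interval, evaluated on every scan-indicative event
for both the sending host (attacker role) and the receiving host (target role).
Added illustration, not Cisco's implementation; windowing and units are assumed."""
from collections import defaultdict

SYSLOG_ID = 733101  # scanning-threat syslog message ID named in the text


def burst_interval(rate_interval):
    """Burst interval is 1/30 of the average rate interval or 10 s, whichever is higher."""
    return max(rate_interval / 30, 10)


class ScanRateTracker:
    """Tracks scan-indicative events per host in both directions.

    Rates are events per second (assumed unit). A host is flagged 'attacker'
    when the events it sends exceed either limit, and 'target' when the events
    it receives do. Each (host, role) is reported once, at the first exceedance.
    """

    def __init__(self, rate_interval, average_rate, burst_rate):
        self.rate_interval = rate_interval
        self.burst = burst_interval(rate_interval)
        self.average_rate = average_rate
        self.burst_rate = burst_rate
        self.sent = defaultdict(list)      # host -> timestamps of events it sent
        self.received = defaultdict(list)  # host -> timestamps of events it received
        self.flagged = {}                  # (host, role) -> time first flagged
        self.syslog = []                   # messages that would be emitted

    def record(self, t, src, dst):
        """One event the detector considers part of a scan (e.g. a closed-port probe)."""
        self.sent[src].append(t)
        self.received[dst].append(t)
        self._check(t, src, self.sent[src], "attacker")
        self._check(t, dst, self.received[dst], "target")

    @staticmethod
    def _rate(stamps, now, window):
        # Events in the window (now - window, now], divided by the window length.
        return sum(1 for s in stamps if now - window < s <= now) / window

    def _check(self, now, host, stamps, role):
        if (host, role) in self.flagged:
            return
        avg = self._rate(stamps, now, self.rate_interval)
        burst = self._rate(stamps, now, self.burst)
        if avg > self.average_rate or burst > self.burst_rate:
            self.flagged[(host, role)] = now
            self.syslog.append(
                f"syslog {SYSLOG_ID}: {host} classified as {role} at t={now}s "
                f"(avg={avg:.3f}/s, burst={burst:.3f}/s)")


def simulate():
    """Constructed traffic: a subnet sweep at 2 probes/s and a port sweep at 3 probes/s.

    rate_interval=600 s gives a 20 s burst interval; limits are 0.1/s average
    and 1.0/s burst (constructed values, not ASA defaults).
    """
    tracker = ScanRateTracker(rate_interval=600, average_rate=0.1, burst_rate=1.0)
    # Scenario 1: 10.0.0.5 probes two previously unseen hosts in 10.0.1.0/24 every second.
    # Each target sees one event, so only the sender crosses a limit.
    for t in range(30):
        for k in range(2):
            tracker.record(t, "10.0.0.5", f"10.0.1.{2 * t + k + 1}")
    # Scenario 2: 10.0.0.7 probes three closed ports per second on 10.0.2.9.
    # Both the sender (attacker) and the single receiver (target) cross the burst limit.
    for t in range(30):
        for _ in range(3):
            tracker.record(t, "10.0.0.7", "10.0.2.9")
    return tracker


if __name__ == "__main__":
    for line in simulate().syslog:
        print(line)
```

In the first scenario the burst limit is crossed on the first probe at t=10 (21 events in the 20 s window), and the sweep's targets are never flagged because each receives a single event; in the second scenario the scanner and the swept host are flagged together, which is the case where a shun would hit the attacker while the target shows up in the same syslog stream.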
Caution
The scanning threat detection feature can affect the adaptive security appliance performance and
memory significantly while it creates and gathers host- and subnet-based data structures and information.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Feature History for Scanning Threat Detection, page 51-11
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Traffic that is denied by an access list does not trigger scanning threat detection; only traffic that is
allowed through the adaptive security appliance and that creates a flow is affected by scanning threat
detection.
Configuring Scanning Threat Detection
Cisco ASA 5500 Series Configuration Guide using ASDM
51-9