Cisco ASA 5506-X Configuration Manual page 327
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
Chapter 15
Threat Detection
Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, ASA threat detection scanning maintains an extensive database that
contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally
shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the
burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or
10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning
attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from
a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a
host, then that host is considered to be a target.
The following table lists the default rate limits for scanning threat detection.
Table 15-1
Average Rate
5 drops/sec over the last 600 seconds.
5 drops/sec over the last 3600 seconds.
The scanning threat detection feature can affect the ASA performance and memory significantly while
Caution
it creates and gathers host- and subnet-based data structure and information.
Guidelines for Threat Detection
Security Context Guidelines
Except for advanced threat statistics, threat detection is supported in single mode only. In Multiple mode,
TCP Intercept statistics are the only statistic supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
•
•
Default Rate Limits for Scanning Threat Detection
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is
allowed through the ASA and that creates a flow is affected by scanning threat detection.
Guidelines for Threat Detection
Burst Rate
10 drops/sec over the last 20 second period.
10 drops/sec over the last 120 second period.
Cisco ASA Series Firewall CLI Configuration Guide
15-3
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
