ASA Threat Detection Functionality and Configuration
Document ID: 113685    Updated: Jul 06, 2015
Contents
Introduction
Threat Detection Functionality
  Basic Threat Detection (System Level Rates)
  Advanced Threat Detection (Object Level Statistics and Top N)
  Scanning Threat Detection
Limitations
Configuration
  Basic Threat Detection
  Advanced Threat Detection
  Scanning Threat Detection
Performance
Recommended Actions
  When a Basic Drop Rate is Exceeded and %ASA-4-733100 is Generated
  When a Scanning Threat is Detected and %ASA-4-733101 is Logged
  When an Attacker is Shunned and %ASA-4-733102 is Logged
  When %ASA-4-733104 and/or %ASA-4-733105 is Logged
How To Manually Trigger a Threat
  Basic Threat: ACL Drop, Firewall, and Scanning
  Advanced Threat: TCP Intercept
  Scanning Threat
Related Information
Introduction
This document describes the functionality and basic configuration of the Threat Detection feature of the Cisco Adaptive Security Appliance (ASA). Threat Detection provides firewall administrators with the necessary tools to identify, understand, and stop attacks before they reach the internal network infrastructure. In order to do so, the feature relies on a number of different triggers and statistics, which are described in further detail in these sections.

Threat Detection can be used on any ASA firewall that runs a software version of 8.0(2) or later. Although Threat Detection is not a substitute for a dedicated IDS/IPS solution, it can be used in environments where an IPS is not available to provide an added layer of protection to the core functionality of the ASA.
Threat Detection Functionality
The Threat Detection feature has three main components:
1. Basic Threat Detection
2. Advanced Threat Detection
3. Scanning Threat Detection
Each of these components is described in detail in these sections.
Basic Threat Detection (System Level Rates)
Basic Threat Detection is enabled by default on all ASAs that run 8.0(2) and later.

Basic Threat Detection monitors the rates at which packets are dropped for various reasons by the ASA as a whole. This means that the statistics generated by Basic Threat Detection only apply to the entire appliance and are generally not granular enough to provide information on the source or specific nature of the threat. Instead, the ASA monitors dropped packets for these events:
ACL Drop (acl-drop): Packets are denied by access lists
[Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html, printed 9/30/2015]
Bad Pkts (bad-packet-drop): Invalid packet formats, which includes L3 and L4 headers that do not conform to RFC standards
Conn Limit (conn-limit-drop): Packets that exceed a configured or global connection limit
DoS Attack (dos-drop): Denial of Service (DoS) attacks
Firewall (fw-drop): Basic firewall security checks
ICMP Attack (icmp-drop): Suspicious ICMP packets
Inspect (inspect-drop): Denial by application inspection
Interface (interface-drop): Packets dropped by interface checks
Scanning (scanning-threat): Network/host scanning attacks
SYN Attack (syn-attack): Incomplete session attacks, which includes TCP SYN attacks and unidirectional UDP sessions that have no return data
Each of these events has a specific set of triggers that are used to identify the threat. Most triggers are tied back to specific ASP drop reasons, though certain syslogs and inspection actions are also considered. Some triggers are monitored by multiple threat categories. Some of the most common triggers are outlined in this table, though it is not an exhaustive list:
Basic Threat        Trigger(s) / ASP Drop Reason(s)
acl-drop            acl-drop
bad-packet-drop     invalid-tcp-hdr-length, invalid-ip-header, inspect-dns-pak-too-long, inspect-dns-id-not-matched
conn-limit-drop     conn-limit
dos-drop            sp-security-failed
fw-drop             inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched, sp-security-failed, acl-drop
icmp-drop           inspect-icmp-seq-num-not-matched
inspect-drop        Frame drops triggered by an inspection engine
interface-drop      sp-security-failed, no-route
scanning-threat     tcp-3whs-failed, tcp-not-syn, sp-security-failed, acl-drop, inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched
syn-attack          %ASA-6-302014 syslog with teardown reason of "SYN Timeout"
For each event, Basic Threat Detection measures the rate at which these drops occur over a configured period of time. This period of time is called the average rate interval (ARI) and can range from 600 seconds to 30 days. If the number of events that occur within the ARI exceeds the configured rate thresholds, the ASA considers these events a threat.

Basic Threat Detection has two configurable thresholds for when it considers events to be a threat: the average rate and the burst rate. The average rate is simply the average number of drops per second within the time period of the configured ARI. For example, if the average rate threshold for ACL drops is configured for 400 with an ARI of 600 seconds, the ASA calculates the average number of packets per second that were dropped by ACLs in the last 600 seconds. If this number turns out to be greater than 400 per second, the ASA logs a threat.

The burst rate is similar, but looks at smaller periods of snapshot data, called the burst rate interval (BRI). The BRI is always smaller than the ARI. For example, building on the previous example, the ARI for ACL drops is still 600 seconds and the burst rate is now 800. With these values, the ASA calculates the average number of packets dropped by ACLs in the last 20 seconds, where 20 seconds is the BRI. If this calculated value exceeds 800 drops per second, a threat is logged. In order to determine what BRI is used, the ASA calculates the value of 1/30th of the ARI. Therefore, in the example previously used, 1/30th of 600 seconds is 20 seconds. However, Threat Detection has a minimum BRI of 10 seconds, so if 1/30th of the ARI is less than 10, the ASA still uses 10 seconds as the BRI. Also, it is important to note that this behavior was different in versions prior to 8.2(1), which used a value of 1/60th of the ARI instead of 1/30th. The minimum BRI of 10 seconds is the same for all software versions.

When a basic threat is detected, the ASA simply generates syslog %ASA-4-733100 to alert the administrator that a potential threat has been identified. The average, current, and total number of events for each threat category can be seen with the show threat-detection rate command. The total number of cumulative events is the sum of the number of events seen in the last 30 BRI samples.

Basic Threat Detection does not take any actions in order to stop the offending traffic or prevent future attacks. In this sense, Basic Threat Detection is purely informational and can be used as a monitoring or reporting mechanism.
Advanced Threat Detection (Object Level Statistics and Top N)
Unlike Basic Threat Detection, Advanced Threat Detection can be used to track statistics for more granular objects. The ASA supports tracking statistics for host IPs, ports, protocols, ACLs, and servers protected by TCP intercept. Advanced Threat Detection is only enabled by default for ACL statistics.

For host, port, and protocol objects, Threat Detection keeps track of the number of packets, bytes, and drops that were both sent and received by that object within a specific time period. For ACLs, Threat Detection keeps track of the top 10 ACEs (both permit and deny) that were hit the most within a specific time period.

The time periods tracked in all of these cases are 20 minutes, 1 hour, 8 hours, and 24 hours. While the time periods themselves are not configurable, the number of periods that are tracked per object can be adjusted with the number-of-rate keyword. See the Configuration section for more information. For example, if number-of-rate is set to 2, you see all statistics for 20 minutes, 1 hour, and 8 hours. If number-of-rate is set to 1, you see all statistics for 20 minutes and 1 hour. No matter what, the 20 minute rate is always displayed.

When TCP intercept is enabled, Threat Detection can keep track of the top 10 servers which are considered to be under attack and protected by TCP intercept. Statistics for TCP intercept are similar to Basic Threat Detection in the sense that the user can configure the measured rate interval along with specific average and burst rate thresholds. Advanced Threat Detection statistics for TCP intercept are only available in ASA 8.0(4) and later.

Advanced Threat Detection statistics are viewed via the show threat-detection statistics and show threat-detection statistics top commands. This is also the feature responsible for populating the "top" graphs on the firewall dashboard of ASDM. The only syslogs that are generated by Advanced Threat Detection are %ASA-4-733104 and %ASA-4-733105, which are triggered when the average and burst rates (respectively) are exceeded for TCP intercept statistics.

Like Basic Threat Detection, Advanced Threat Detection is purely informational. No actions are taken to block traffic based on the Advanced Threat Detection statistics.
Scanning Threat Detection
Scanning Threat Detection is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or to many ports on a host/subnet. Scanning Threat Detection is disabled by default.

Scanning Threat Detection builds on the concept of Basic Threat Detection, which already defines a threat category for a scanning attack. Therefore, the rate interval, average rate, and burst rate settings are shared between Basic and Scanning Threat Detection. The difference between the two features is that while Basic Threat Detection only indicates that the average or burst rate thresholds were crossed, Scanning Threat Detection maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan. Additionally, only traffic that is actually received by the target host/subnet is considered by Scanning Threat Detection. Basic Threat Detection can still trigger a Scanning threat even if the traffic is dropped by an ACL.

Scanning Threat Detection can optionally react to an attack by shunning the attacker IP. This makes Scanning Threat Detection the only subset of the Threat Detection feature that can actively affect connections through the ASA.

When Scanning Threat Detection detects an attack, %ASA-4-733101 is logged for the attacker and/or target IPs. If the feature is configured to shun the attacker, %ASA-4-733102 is logged when Scanning Threat Detection generates a shun. %ASA-4-733103 is logged when the shun is removed. The show threat-detection scanning-threat command can be used in order to view the entire Scanning Threat database.
Limitations
Threat Detection is only available in ASA 8.0(2) and later. It is not supported on the ASA 1000V platform.
Threat Detection is only supported in single context mode.
Only through-the-box threats are detected. Traffic sent to the ASA itself is not considered by Threat Detection.
TCP connection attempts that are reset by the targeted server are not counted as a SYN attack or Scanning threat.
Configuration
Basic Threat Detection
Basic Threat Detection is enabled with the threat-detection basic-threat command.
  ciscoasa(config)# threat-detection basic-threat
The default rates can be viewed with the show run all threat-detection command.
  ciscoasa(config)# show run all threat-detection
  threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
  threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
  threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
  threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
  threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
  threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
  threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
  threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
  threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
  threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
  threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
  threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
  threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
  threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
  threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
  threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
  threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
  threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
  threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
  threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
In order to tune these rates with custom values, simply reconfigure the threat-detection rate command for the appropriate threat category.
  ciscoasa(config)# threat-detection rate acl-drop rate-interval 1200 average-rate 250 burst-rate 550
Each threat category can have a maximum of 3 different rates defined (with rate IDs of rate-1, rate-2, and rate-3). The particular rate ID that is exceeded is referenced in the %ASA-4-733100 syslog.
In the previous example, Threat Detection creates syslog 733100 only when the number of ACL drops exceeds 250 drops/second over 1200 seconds or 550 drops/second over 40 seconds (the BRI, 1/30th of the 1200 second ARI).
Advanced Threat Detection
Use the threat-detection statistics command in order to enable Advanced Threat Detection. If no specific feature keyword is provided, the command enables tracking for all statistics.
  ciscoasa(config)# threat-detection statistics ?
  configure mode commands/options:
    access-list    Keyword to specify access-list statistics
    host           Keyword to specify IP statistics
    port           Keyword to specify port statistics
    protocol       Keyword to specify protocol statistics
    tcp-intercept  Trace tcp-intercept statistics
    <cr>
In order to configure the number of rate intervals that are tracked for host, port, protocol, or ACL statistics, use the number-of-rate keyword.
  ciscoasa(config)# threat-detection statistics host number-of-rate 2
The number-of-rate keyword configures Threat Detection to track only the shortest n number of intervals.
In order to enable TCP intercept statistics, use the threat-detection statistics tcp-intercept command.
  ciscoasa(config)# threat-detection statistics tcp-intercept
In order to configure custom rates for TCP intercept statistics, use the rate-interval, average-rate, and burst-rate keywords.
  ciscoasa(config)# threat-detection statistics tcp-intercept rate-interval 45 burst-rate 400 average-rate 100
Scanning Threat Detection
In order to enable Scanning Threat Detection, use the threat-detection scanning-threat command.
  ciscoasa(config)# threat-detection scanning-threat
In order to adjust the rates for a scanning threat, use the same threat-detection rate command used by Basic Threat Detection.
  ciscoasa(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 250 burst-rate 550
In order to allow the ASA to shun a scanning attacker IP, add the shun keyword to the threat-detection scanning-threat command.
  ciscoasa(config)# threat-detection scanning-threat shun
This allows Scanning Threat Detection to create a one hour shun for the attacker. In order to adjust the duration of the shun, use the threat-detection scanning-threat shun duration command.
  ciscoasa(config)# threat-detection scanning-threat shun duration 1000
In some cases, you may still want to prevent the ASA from shunning certain IPs. In order to do this, create an exception with the threat-detection scanning-threat shun except command.
  ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255
  ciscoasa(config)# threat-detection scanning-threat shun except object-group no-shun
Performance
Basic Threat Detection has very little performance impact on the ASA. Advanced and Scanning Threat Detection are much more resource intensive because they have to keep track of various statistics in memory. Only Scanning Threat Detection with the shun function enabled can actively impact traffic that otherwise would have been allowed.

As the ASA software versions have progressed, the memory utilization of Threat Detection has been significantly optimized. However, care should be taken to monitor the memory utilization of the ASA before and after Threat Detection is enabled. In some cases, it might be better to only enable certain statistics (for example, host statistics) temporarily while actively troubleshooting a specific issue.

For a more detailed view of Threat Detection's memory usage, run the show memory app-cache threat-detection [detail] command.
Recommended Actions
These sections provide some general recommendations for actions that can be taken when various Threat Detection related events occur.

When a Basic Drop Rate is Exceeded and %ASA-4-733100 is Generated
Determine the specific threat category mentioned in the %ASA-4-733100 syslog and correlate this with the output of show threat-detection rate. With this information, check the output of show asp drop in order to determine the reasons why traffic is being dropped.

For a more detailed view of traffic that is dropped for a specific reason, use an ASP drop capture with the reason in question in order to see all of the packets that are being dropped. For example, if ACL Drop threats are being logged, capture on the ASP drop reason of acl-drop:
  ciscoasa# capture drop type asp-drop acl-drop
  ciscoasa# show capture drop
  1 packet captured
     1: 18:03:00.205189 10.10.10.10.60670 > 192.168.1.100.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
This capture shows that the packet being dropped is a UDP/53 packet from 10.10.10.10 to 192.168.1.100.

If %ASA-4-733100 reports a Scanning threat, it can also be helpful to temporarily enable Scanning Threat Detection. This allows the ASA to keep track of the source and destination IPs involved in the attack.

Since Basic Threat Detection mostly monitors traffic which is already being dropped by the ASP, no direct action is required to stop a potential threat. The exceptions to this are SYN Attacks and Scanning threats, which involve traffic passing through the ASA.

If the drops seen in the ASP drop capture are legitimate and/or expected for the network environment, tune the basic rate intervals to a more appropriate value.

If the drops show illegitimate traffic, actions should be taken to block or rate limit the traffic before it reaches the ASA. This can include ACLs and QoS on upstream devices.

For SYN attacks, traffic can be blocked in an ACL on the ASA. TCP intercept could also be configured to protect the targeted server(s), but this could simply result in a Conn Limit threat being logged instead.

For Scanning threats, traffic can also be blocked in an ACL on the ASA. Scanning Threat Detection with the shun option can be enabled to allow the ASA to proactively block all packets from the attacker for a defined period of time.
When a Scanning Threat is Detected and %ASA-4-733101 is Logged
%ASA-4-733101 should list either the target host/subnet or the attacker IP address. For the full list of targets and attackers, check the output of show threat-detection scanning-threat.

Packet captures on the ASA's interfaces facing the attacker and/or target(s) can also help clarify the nature of the attack.

If the detected scan is not expected, actions should be taken to block or rate limit the traffic before it reaches the ASA. This can include ACLs and QoS on upstream devices. Adding the shun option to the Scanning Threat Detection config can also allow the ASA to proactively drop all packets from the attacker IP for a defined period of time. As a last resort, the traffic can also be blocked manually on the ASA via an ACL or TCP intercept policy.

If the detected scan is a false positive, adjust the Scanning Threat rate intervals to a more appropriate value for the network environment.
When an Attacker is Shunned and %ASA-4-733102 is Logged
%ASA-4-733102 lists the IP address of the shunned attacker. Use the show threat-detection shun command in order to view a full list of attackers that have been shunned by Threat Detection specifically. Use the show shun command in order to view the full list of all IPs that are actively being shunned by the ASA (including from sources other than Threat Detection).

If the shun is part of a legitimate attack, no further action is required. However, it would be beneficial to manually block the traffic of the attacker as far upstream toward the source as possible. This can be done via ACLs and QoS. This ensures that intermediate devices do not need to waste resources processing illegitimate traffic.

If the Scanning threat that triggered the shun was a false positive, manually remove the shun with the clear threat-detection shun [IP_address] command.
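The three syslogs covered in the sections above (%ASA-4-733100, 733101 and 733102, plus 733103 for shun removal), as an added example that is not part of the Cisco document: a Python parser that turns a batch of ASA log lines into a triage summary, namely which basic drop categories fired and whether the burst or the average threshold tripped, which hosts Scanning Threat Detection flagged, and which shuns are still active. The sample lines are constructed from the message formats shown in this document; the "Subnet ... is targeted" wording for 733101 and the triage() helper are assumptions of this example, not ASA output.

```python
"""Triage of ASA Threat Detection syslogs (added example, not Cisco code)."""
import re
from typing import Any, Dict, List

# Every ASA message carries the facility-severity-id triple, e.g. %ASA-4-733100.
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")

# %ASA-4-733100 body as shown in this document (separators are tolerated loosely).
RATE_733100 = re.compile(
    r"\[\s*(?P<category>[^\]]+?)\s*\]\s*drop rate-(?P<rate_id>\d) exceeded\."
    r".*?burst rate is (?P<burst>\d+) per second, max configured rate is (?P<max_burst>\d+)"
    r".*?average rate is (?P<avg>\d+) per second, max configured rate is (?P<max_avg>\d+)"
    r".*?Cumulative total count is (?P<total>\d+)")
# %ASA-4-733101: "Host X is attacking"; the "Subnet X is targeted" form is assumed here.
SCAN_733101 = re.compile(r"(?P<kind>Host|Subnet)\s+(?P<addr>\S+)\s+is\s+(?P<role>attacking|targeted)")
SHUN_ADD_733102 = re.compile(r"adds host (?P<addr>\S+) to shun list")
SHUN_DEL_733103 = re.compile(r"removes host (?P<addr>\S+) from shun list")

# First response per 733100 category, following the Recommended Actions above.
NEXT_STEP = {
    "Scanning": "enable 'threat-detection scanning-threat' temporarily to learn attacker/target IPs",
    "ACL drop": "run 'capture drop type asp-drop acl-drop' and review 'show asp drop'",
}


def triage(lines: List[str]) -> Dict[str, Any]:
    """Summarise a batch of syslog lines; non-ASA and unrelated lines are skipped."""
    summary: Dict[str, Any] = {
        "basic_threats": [],     # parsed 733100 events, in order seen
        "attackers": set(),      # hosts 733101 reported as attacking
        "targets": set(),        # hosts/subnets 733101 reported as targeted
        "active_shuns": set(),   # 733102 adds minus later 733103 removals
        "next_steps": [],
    }
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue
        msgid, body = m.group("msgid"), m.group("body")
        if msgid == "733100":
            r = RATE_733100.search(body)
            if not r:
                continue
            ev = {k: (int(v) if v.isdigit() else v) for k, v in r.groupdict().items()}
            # Record which threshold actually tripped: a burst-only hit points at a
            # short scan or flood, an average hit at a sustained drop rate.
            ev["burst_exceeded"] = ev["burst"] > ev["max_burst"]
            ev["average_exceeded"] = ev["avg"] > ev["max_avg"]
            summary["basic_threats"].append(ev)
            step = NEXT_STEP.get(ev["category"])
            if step:
                summary["next_steps"].append(f"{ev['category']}: {step}")
        elif msgid == "733101":
            r = SCAN_733101.search(body)
            if r:
                key = "attackers" if r.group("role") == "attacking" else "targets"
                summary[key].add(r.group("addr"))
        elif msgid == "733102":
            r = SHUN_ADD_733102.search(body)
            if r:
                summary["active_shuns"].add(r.group("addr"))
        elif msgid == "733103":
            r = SHUN_DEL_733103.search(body)
            if r:
                summary["active_shuns"].discard(r.group("addr"))
    return summary


# Constructed sample lines, modelled on the message formats shown in this document.
SAMPLE_LOGS = [
    "%ASA-4-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 19 per second, "
    "max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; "
    "Cumulative total count is 5538",
    "%ASA-4-733100: [ ACL drop ] drop rate-2 exceeded. Current burst rate is 19 per second, "
    "max configured rate is 800; Current average rate is 420 per second, max configured rate is 400; "
    "Cumulative total count is 252000",
    "%ASA-4-733101: Host 10.10.10.10 is attacking. Current burst rate is 17 per second, "
    "max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; "
    "Cumulative total count is 700",
    "%ASA-4-733101: Subnet 10.11.11.0/24 is targeted. Current burst rate is 17 per second, "
    "max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; "
    "Cumulative total count is 700",
    "%ASA-4-733102: Threat-detection adds host 10.10.10.10 to shun list",
    "%ASA-4-733102: Threat-detection adds host 10.10.10.99 to shun list",
    "%ASA-4-733103: Threat-detection removes host 10.10.10.99 from shun list",
    "cron[123]: (root) CMD (run-parts /etc/cron.hourly)",   # unrelated line, ignored
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The summary deliberately keeps the rate-ID and the two threshold flags per 733100 event: with up to three rate lines per category, the same "[ ACL drop ]" message can mean a 20 second burst or a one hour average, and the follow-up (a capture versus a rate-interval retune) differs.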
When %ASA-4-733104 and/or %ASA-4-733105 is Logged
%ASA-4-733104 and %ASA-4-733105 list the host targeted by the attack that is currently being protected by TCP intercept. For more details on the attack rates and protected servers, check the output of show threat-detection statistics top tcp-intercept.
  ciscoasa# show threat-detection statistics top tcp-intercept
  Top 10 protected servers under attack (sorted by average rate)
  Monitoring window size: 30 mins    Sampling interval: 30 secs
   1  192.168.1.2:5000   inside  1249  9503  2249245  Last: 10.0.0.3 (0 secs ago)
   2  192.168.1.3:5000   inside    10    10     6080  10.0.0.200 (0 secs ago)
   3  192.168.1.4:5000   inside     2     6      560  10.0.0.200 (59 secs ago)
   4  192.168.1.5:5000   inside     1     5      560  10.0.0.200 (59 secs ago)
   5  192.168.1.6:5000   inside     1     4      560  10.0.0.200 (59 secs ago)
   6  192.168.1.7:5000   inside     0     3      560  10.0.0.200 (59 secs ago)
   7  192.168.1.8:5000   inside     0     2      560  10.0.0.200 (59 secs ago)
   8  192.168.1.9:5000   inside     0     1      560  10.0.0.200 (59 secs ago)
   9  192.168.1.10:5000  inside     0     0      550  10.0.0.200 (2 mins ago)
  10  192.168.1.11:5000  inside     0     0      550  10.0.0.200 (5 mins ago)
When Advanced Threat Detection detects an attack of this nature, the ASA is already protecting the targeted server via TCP intercept. Verify the configured connection limits to ensure they provide adequate protection for the nature and rate of the attack. Also, it would be beneficial to manually block the traffic of the attacker as far upstream toward the source as possible. This can be done via ACLs and QoS. This ensures that intermediate devices do not need to waste resources processing illegitimate traffic.
If the detected attack is a false positive, adjust the rates for a TCP intercept attack to a more appropriate value with the threat-detection statistics tcp-intercept command.
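The show threat-detection statistics top tcp-intercept output above, as an added example that is not part of the Cisco document: a Python parser for that table which pulls out the attacking sources still active in the last minute, which is the list you would push to the upstream ACLs this section recommends. The column meanings (rank, server:port, interface, average rate, current rate, total, source and age of the last attack) are assumed from the command output; the sample text is constructed from the rows shown in this document, and parse_top_tcp_intercept() and active_sources() are this example's own helpers.

```python
"""Parser for 'show threat-detection statistics top tcp-intercept' (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# One table row: rank, server:port, interface, avg rate, current rate, total,
# optional "Last:" marker, source IP, and "(<n> secs|mins ago)".
ROW = re.compile(
    r"^\s*(?P<rank>\d+)\s+(?P<server>[\d.]+):(?P<port>\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<avg>\d+)\s+(?P<cur>\d+)\s+(?P<total>\d+)\s+"
    r"(?:Last:\s*)?(?P<source>[\d.]+)\s+\((?P<age>[^)]+)\)")
AGE = re.compile(r"(\d+)\s*(secs?|mins?|hours?)")


@dataclass
class ProtectedServer:
    rank: int
    server: str
    port: int
    iface: str
    avg_rate: int
    cur_rate: int
    total: int
    source: str
    age_secs: int      # seconds since the source was last seen attacking


def parse_age(text: str) -> int:
    """'59 secs ago' -> 59, '2 mins ago' -> 120."""
    m = AGE.search(text)
    if not m:
        raise ValueError(f"unrecognised age: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    return n * {"s": 1, "m": 60, "h": 3600}[unit[0]]


def parse_top_tcp_intercept(output: str) -> List[ProtectedServer]:
    """Return the parsed rows; banner, prompt and blank lines are skipped."""
    rows: List[ProtectedServer] = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        g = m.groupdict()
        rows.append(ProtectedServer(int(g["rank"]), g["server"], int(g["port"]), g["iface"],
                                    int(g["avg"]), int(g["cur"]), int(g["total"]),
                                    g["source"], parse_age(g["age"])))
    return rows


def active_sources(rows: List[ProtectedServer], max_age_secs: int = 60,
                   min_cur_rate: int = 1) -> Dict[str, List[str]]:
    """Map each source still attacking (recent and non-zero current rate) to its targets."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        if r.age_secs <= max_age_secs and r.cur_rate >= min_cur_rate:
            out[r.source].append(f"{r.server}:{r.port}")
    return dict(out)


# Constructed sample, built from the rows shown in this document.
SAMPLE_OUTPUT = """\
ciscoasa# show threat-detection statistics top tcp-intercept
Top 10 protected servers under attack (sorted by average rate)
Monitoring window size: 30 mins    Sampling interval: 30 secs
 1  192.168.1.2:5000   inside  1249  9503  2249245  Last: 10.0.0.3 (0 secs ago)
 2  192.168.1.3:5000   inside    10    10     6080  10.0.0.200 (0 secs ago)
 3  192.168.1.4:5000   inside     2     6      560  10.0.0.200 (59 secs ago)
 4  192.168.1.5:5000   inside     1     5      560  10.0.0.200 (59 secs ago)
 5  192.168.1.6:5000   inside     1     4      560  10.0.0.200 (59 secs ago)
 6  192.168.1.7:5000   inside     0     3      560  10.0.0.200 (59 secs ago)
 7  192.168.1.8:5000   inside     0     2      560  10.0.0.200 (59 secs ago)
 8  192.168.1.9:5000   inside     0     1      560  10.0.0.200 (59 secs ago)
 9  192.168.1.10:5000  inside     0     0      550  10.0.0.200 (2 mins ago)
10  192.168.1.11:5000  inside     0     0      550  10.0.0.200 (5 mins ago)
"""

if __name__ == "__main__":
    for src, targets in active_sources(parse_top_tcp_intercept(SAMPLE_OUTPUT)).items():
        print(f"{src} -> {', '.join(targets)}")
```

Rows whose current rate is already 0 and whose last hit is minutes old (ranks 9 and 10 in the sample) are left out of the block list on purpose: the table is sorted by the 30 minute average, so stale entries stay visible long after the source has stopped.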
How To Manually Trigger a Threat
For testing and troubleshooting purposes, it can be helpful to manually trigger various threats. This section contains tips for triggering a few common threat types.

Basic Threat: ACL Drop, Firewall, and Scanning
In order to trigger a particular Basic Threat, refer to the table in the previous Functionality section. Choose a specific ASP drop reason and send traffic through the ASA that would be dropped by the appropriate ASP drop reason.

For example, ACL Drop, Firewall, and Scanning threats all consider the rate of packets being dropped by acl-drop. Complete these steps in order to trigger these threats simultaneously:
1. Create an ACL on the outside interface of the ASA that explicitly drops all TCP packets sent to a target server on the inside of the ASA (10.11.11.11):
  access-list outside_in extended line 1 deny tcp any host 10.11.11.11
  access-list outside_in extended permit ip any any
  access-group outside_in in interface outside
2. From an attacker on the outside of the ASA (10.10.10.10), use nmap in order to run a TCP SYN scan against every port on the target server:
  nmap -sS -T5 -p 1-65535 -Pn 10.11.11.11
Note: -T5 configures nmap to run the scan as fast as possible. Depending on the resources of the attacker PC, this still may not be fast enough to trigger some of the default rates. If this is the case, simply lower the configured rates for the threat you want to see. Setting the average-rate and burst-rate thresholds to 0 causes Basic Threat Detection to always trigger the threat regardless of the rate.
3. Note that Basic Threats are detected for ACL Drop, Firewall, and Scanning threats:
  %ASA-1-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 19 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5538
  %ASA-1-733100: [ ACL drop ] drop rate-1 exceeded. Current burst rate is 19 per second, max configured rate is 0; Current average rate is 2 per second, max configured rate is 0; Cumulative total count is 1472
  %ASA-1-733100: [ Firewall ] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 0; Current average rate is 2 per second, max configured rate is 0; Cumulative total count is 1483
Note: In this example, the ACL drop and Firewall average-rate and burst-rate thresholds have been set to 0 so they always trigger a threat. This is why the max configured rates are listed as 0.
Advanced Threat: TCP Intercept
1. Create an ACL on the outside interface that permits all TCP packets sent to a target server on the inside of the ASA (10.11.11.11):
  access-list outside_in extended line 1 permit tcp any host 10.11.11.11
  access-group outside_in in interface outside
2. If the target server does not actually exist, or it resets the connection attempts of the attacker, configure a fake ARP entry on the ASA to blackhole the attack traffic out the inside interface:
  arp inside 10.11.11.11 dead.dead.dead
3. Create a simple TCP intercept policy on the ASA:
  access-list tcp extended permit tcp any any
  class-map tcp
    match access-list tcp
  policy-map global_policy
    class tcp
      set connection conn-max 2
  service-policy global_policy global
4. From an attacker on the outside of the ASA (10.10.10.10), use nmap to run a TCP SYN scan against every port on the target server:
  nmap -sS -T5 -p 1-65535 -Pn 10.11.11.11
5. Note that Threat Detection keeps track of the protected server:
  ciscoasa(config)# show threat-detection statistics top tcp-intercept
  Top 10 protected servers under attack (sorted by average rate)
  Monitoring window size: 30 mins    Sampling interval: 30 secs
  1  10.11.11.11:18589  outside  0  0  1  10.10.10.10 (36 secs ago)
  2  10.11.11.11:47724  outside  0  0  1  10.10.10.10 (36 secs ago)
  3  10.11.11.11:46126  outside  0  0  1  Last: 10.10.10.10 (6 secs ago)
  4  10.11.11.11:3695   outside  0  0  1  Last: 10.10.10.10 (6 secs ago)
Scanning Threat
1. Create an ACL on the outside interface that permits all TCP packets sent to a target server on the inside of the ASA (10.11.11.11):
  access-list outside_in extended line 1 permit tcp any host 10.11.11.11
  access-group outside_in in interface outside
Note: In order for Scanning Threat Detection to track the target and attacker IPs, the traffic must be permitted through the ASA.
2. If the target server does not actually exist, or it resets the connection attempts of the attacker, configure a fake ARP entry on the ASA to blackhole the attack traffic out the inside interface:
  arp inside 10.11.11.11 dead.dead.dead
Note: Connections that are reset by the target server are not counted as part of the threat.
3. From an attacker on the outside of the ASA (10.10.10.10), use nmap to run a TCP SYN scan against every port on the target server:
  nmap -sS -T5 -p 1-65535 -Pn 10.11.11.11
Note: -T5 configures nmap to run the scan as fast as possible. Depending on the resources of the attacker PC, this still may not be fast enough to trigger some of the default rates. If this is the case, simply lower the configured rates for the threat you want to see. Setting the average-rate and burst-rate thresholds to 0 causes Basic Threat Detection to always trigger the threat regardless of the rate.
4. Note that a Scanning threat is detected, the IP of the attacker is tracked, and the attacker is shunned:
  %ASA-1-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 17 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 404
  %ASA-4-733101: Host 10.10.10.10 is attacking. Current burst rate is 17 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 700
  %ASA-4-733102: Threat-detection adds host 10.10.10.10 to shun list
Related Information
ASA Configuration Guide
ASA Command Reference
ASA Syslog Guide
Technical Support & Documentation - Cisco Systems
2015 Cisco and/or its affiliates. All rights reserved.