18-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 Threat Detection
Guidelines for Threat Detection
Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, ASA threat detection scanning maintains an extensive database that
contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally
shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the
burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or
10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning
attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from
a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a
host, then that host is considered to be a target.
The following table lists the default rate limits for scanning threat detection.
Caution The scanning threat detection feature can affect the ASA performance and memory significantly while
it creates and gathers host- and subnet-based data structure and information.
Guidelines for Threat Detection
Security Context Guidelines
Except for advanced threat statistics, threat detection is supported in single mode only. In Multiple mode,
TCP Intercept statistics are the only statistic supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
• Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
• Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is
allowed through the ASA and that creates a flow is affected by scanning threat detection.
Table 18-1 Default Rate Limits for Scanning Threat Detection
Average Rate Burst Rate
5 drops/sec over the last 600 seconds. 10 drops/sec over the last 20 second period.
5 drops/sec over the last 3600 seconds. 10 drops/sec over the last 120 second period.
To Next Page
Loading...
Need help?
General
