27-3
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring Threat Detection
Configuring Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the security appliance scanning threat detection feature maintains an
extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the security appliance to send system log messages about an attacker or you can
automatically shun the host.
Table 27-1 Basic Threat Detection Default Settings

Each row lists the packet drop reason followed by its trigger settings (average rate and burst rate).

Packet Drop Reason: DoS attack detected; Bad packet format; Connection limits exceeded; Suspicious ICMP packets detected
  Average Rate: 100 drops/sec over the last 600 seconds; 80 drops/sec over the last 3600 seconds.
  Burst Rate: 400 drops/sec over the last 10 second period; 320 drops/sec over the last 60 second period.

Packet Drop Reason: Scanning attack detected
  Average Rate: 5 drops/sec over the last 600 seconds; 4 drops/sec over the last 3600 seconds.
  Burst Rate: 10 drops/sec over the last 10 second period; 8 drops/sec over the last 60 second period.

Packet Drop Reason: Incomplete session detected, such as TCP SYN attack detected or no data UDP session attack detected (combined)
  Average Rate: 100 drops/sec over the last 600 seconds; 80 drops/sec over the last 3600 seconds.
  Burst Rate: 200 drops/sec over the last 10 second period; 160 drops/sec over the last 60 second period.

Packet Drop Reason: Denial by access lists
  Average Rate: 400 drops/sec over the last 600 seconds; 320 drops/sec over the last 3600 seconds.
  Burst Rate: 800 drops/sec over the last 10 second period; 640 drops/sec over the last 60 second period.

Packet Drop Reason: Basic firewall checks failed; Packets failed application inspection
  Average Rate: 400 drops/sec over the last 600 seconds; 320 drops/sec over the last 3600 seconds.
  Burst Rate: 1600 drops/sec over the last 10 second period; 1280 drops/sec over the last 60 second period.

Packet Drop Reason: Interface overload
  Average Rate: 2000 drops/sec over the last 600 seconds; 1600 drops/sec over the last 3600 seconds.
  Burst Rate: 8000 drops/sec over the last 10 second period; 6400 drops/sec over the last 60 second period.
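As an added illustration that is not part of the Cisco guide and does not reproduce the appliance's own implementation, the following Python model applies the Table 27-1 default average and burst rates to a constructed stream of scanning-attack drops, showing why a short loud sweep trips only a burst trigger while a slow sustained sweep trips only an average trigger. The drop-reason keys, the trailing-window semantics and the strict "greater than" comparison are assumptions made for this example.

```python
from bisect import bisect_right

# Default trigger settings from Table 27-1, as (drops/sec, window seconds)
# pairs. Long windows (600 s, 3600 s) are the average-rate triggers and short
# windows (10 s, 60 s) are the burst-rate triggers. Key names are assumed.
TABLE_27_1 = {
    "dos_attack":          [(100, 600), (400, 10), (80, 3600), (320, 60)],
    "scanning_attack":     [(5, 600), (10, 10), (4, 3600), (8, 60)],
    "incomplete_session":  [(100, 600), (200, 10), (80, 3600), (160, 60)],
    "acl_denial":          [(400, 600), (800, 10), (320, 3600), (640, 60)],
    "fw_check_or_inspect": [(400, 600), (1600, 10), (320, 3600), (1280, 60)],
    "interface_overload":  [(2000, 600), (8000, 10), (1600, 3600), (6400, 60)],
}


def exceeded_triggers(drop_times, now, triggers):
    """Return the (rate, window) triggers whose drops-per-second average over
    the trailing window (now - window, now] is above the threshold.
    drop_times must be sorted ascending (assumed window semantics)."""
    hits = []
    for rate, window in triggers:
        count = bisect_right(drop_times, now) - bisect_right(drop_times, now - window)
        if count / window > rate:
            hits.append((rate, window))
    return hits


def constructed_drops(per_second, duration, start=0.0):
    """Constructed sample stream: `per_second` evenly spaced drop timestamps
    each second for `duration` seconds (not data from a real appliance)."""
    step = 1.0 / per_second
    return [start + i * step for i in range(int(per_second * duration))]


def scan_scenarios():
    """Evaluate two constructed scanning patterns against the scanning-attack
    defaults: a short, loud sweep and a slow, sustained sweep."""
    triggers = TABLE_27_1["scanning_attack"]
    fast = constructed_drops(12, 10)    # 12 drops/sec for 10 s: 120 drops
    slow = constructed_drops(6, 600)    # 6 drops/sec for 10 minutes: 3600 drops
    return {
        "fast_sweep": exceeded_triggers(fast, now=10.0, triggers=triggers),
        "slow_sweep": exceeded_triggers(slow, now=600.0, triggers=triggers),
    }


if __name__ == "__main__":
    for name, hits in scan_scenarios().items():
        print(f"{name}: triggers exceeded -> {hits or 'none'}")
```

The fast sweep exceeds only the 10 drops/sec burst trigger over 10 seconds, and the slow sweep exceeds only the 5 drops/sec average trigger over 600 seconds, which is why both windows are needed to catch both patterns.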