- About this Guide
-
- Information About Cisco Unified Communications Features
- Using the Cisco Unified Communication Wizard
- Configuring the Cisco Phone Proxy
- Configuring the TLS Proxy for Encrypted Voice Inspection
- Configuring Cisco Mobility Advantage
- Configuring Cisco Unified Presence
- Configuring Cisco Unified Communications Intercompany Media Engine
- Index
Configuring Threat Detection
This chapter describes how to configure threat detection statistics and scanning threat detection and includes the following sections:
Information About Threat Detection
The threat detection feature consists of the following elements:
Threat detection statistics can help you manage threats to your ASA; for example, if you enable scanning threat detection, then viewing statistics can help you analyze the threat. You can configure two types of threat detection statistics:
– Basic threat detection statistics—Includes information about attack activity for the system as a whole. Basic threat detection statistics are enabled by default and have no performance impact.
– Advanced threat detection statistics—Tracks activity at an object level, so the ASA can report activity for individual hosts, ports, protocols, or ACLs. Advanced threat detection statistics can have a major performance impact, depending on the statistics gathered, so only the ACL statistics are enabled by default.
You can optionally shun any hosts determined to be a scanning threat.
Licensing Requirements for Threat Detection
The following table shows the licensing requirements for this feature:
|
|
---|---|
Configuring Basic Threat Detection Statistics
Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
This section includes the following topics:
- Information About Basic Threat Detection Statistics
- Guidelines and Limitations
- Default Settings
- Configuring Basic Threat Detection Statistics
- Monitoring Basic Threat Detection Statistics
- Feature History for Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events due to the following reasons:
- Denial by ACLs
- Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
- Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
- DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
- Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)
- Suspicious ICMP packets detected
- Packets failed application inspection
- Interface overload
- Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the “Configuring Scanning Threat Detection” section) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)
- Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected
When the ASA detects a threat, it immediately sends a system log message (733100). The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period.
Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Supported in single mode only. Multiple mode is not supported.
Supported in routed and transparent firewall mode.
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
Basic threat detection statistics are enabled by default.
Table 27-1 lists the default settings. You can view all these default settings using the show running-config all threat-detection command.
|
|
|
---|---|---|
|
|
|
Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected (combined) |
||
Configuring Basic Threat Detection Statistics
This section describes how to configure basic threat detection statistics, including enabling or disabling it and changing the default limits.
Detailed Steps
|
|
|
---|---|---|
|
Enables basic threat detection statistics (if you previously disabled it). Basic threat detection is enabled by default. |
|
|
(Optional) Changes the default settings for one or more type of event. For a description of each event type, see the “Information About Basic Threat Detection Statistics” section. When you use this command with the scanning-threat keyword, it is also used in the scanning threat detection feature (see the “Configuring Scanning Threat Detection” section). If you do not configure basic threat detection, you can still use this command with the scanning-threat keyword to configure the rate limits for scanning threat detection. You can configure up to three different rate intervals for each event type. |
Monitoring Basic Threat Detection Statistics
To monitor basic threat detection statistics, perform one of the following tasks:
|
|
---|---|
|
Displays basic threat detection statistics. where the min-display-rate min_display_rate argument limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647. For a description of each event type, see the “Information About Basic Threat Detection Statistics” section. The output shows the average rate in events/sec over two fixed time periods: the last 10 minutes and the last 1 hour. It also shows: the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger; the number of times the rates were exceeded (triggered); and the total number of events over the time periods. The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time. |
|
Examples
The following is sample output from the show threat-detection rate command:
Feature History for Basic Threat Detection Statistics
Table 27-2 lists each feature change and the platform release in which it was implemented.
Configuring Advanced Threat Detection Statistics
You can configure the ASA to collect extensive statistics. This section includes the following topics:
- Information About Advanced Threat Detection Statistics
- Guidelines and Limitations
- Default Settings
- Configuring Advanced Threat Detection Statistics
- Monitoring Advanced Threat Detection Statistics
- Feature History for Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
Advanced threat detection statistics show both allowed and dropped traffic rates for individual objects such as hosts, ports, protocols, or ACLs.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Only TCP Intercept statistics are available in multiple mode.
Supported in routed and transparent firewall mode.
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
Configuring Advanced Threat Detection Statistics
By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps.
Detailed Steps
|
|
|
---|---|---|
|
(Optional) Enables all statistics. To enable only certain statistics, enter this command for each statistic type (shown in this table), and do not also enter the command without any options. You can enter threat-detection statistics (without any options) and then customize certain statistics by entering the command with statistics-specific options (for example, threat-detection statistics host number-of-rate 2). If you enter threat-detection statistics (without any options) and then enter a command for specific statistics, but without any statistic-specific options, then that command has no effect because it is already enabled. If you enter the no form of this command, it removes all threat-detection statistics commands, including the threat-detection statistics access-list command, which is enabled by default. |
|
|
(Optional) Enables statistics for ACLs (if they were disabled previously). Statistics for ACLs are enabled by default. ACL statistics are only displayed using the show threat-detection top access-list command. This command is enabled by default. |
|
|
(Optional) Enables statistics for hosts. The number-of-rate keyword sets the number of rate intervals maintained for host statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3. For example, if you set the value to 3, then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained. The host statistics accumulate for as long as the host is active and in the scanning threat host database. The host is deleted from the database (and the statistics cleared) after 10 minutes of inactivity. |
|
|
(Optional) Enables statistics for TCP and UDP ports. The number-of-rate keyword sets the number of rate intervals maintained for port statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3. For example, if you set the value to 3, then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained. |
|
|
(Optional) Enables statistics for non-TCP/UDP IP protocols. The number-of-rate keyword sets the number of rate intervals maintained for protocol statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3. For example, if you set the value to 3, then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained. |
|
|
(Optional) Enables statistics for attacks intercepted by TCP Intercept (see the “Configuring Connection Settings,” to enable TCP Intercept). The rate-interval keyword sets the size of the history monitoring window, between 1 and 1440 minutes. The default is 30 minutes. During this interval, the ASA samples the number of attacks 30 times. The burst-rate keyword sets the threshold for syslog message generation, between 25 and 2147483647. The default is 400 per second. When the burst rate is exceeded, syslog message 733104 is generated. The average-rate keyword sets the average rate threshold for syslog message generation, between 25 and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog message 733105 is generated. |
Monitoring Advanced Threat Detection Statistics
The display output shows the following:
- The average rate in events/sec over fixed time periods.
- The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger
- The number of times the rates were exceeded (for dropped traffic statistics only)
- The total number of events over the fixed time periods.
The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
To monitor advanced threat detection statistics, perform one of the following tasks:
Examples
The following is sample output from the show threat-detection statistics host command:
Table 27-3 shows each field description.
Feature History for Advanced Threat Detection Statistics
Table 27-4 lists each feature change and the platform release in which it was implemented.
Configuring Scanning Threat Detection
This section includes the following topics:
- Information About Scanning Threat Detection
- Guidelines and Limitations
- Default Settings
- Configuring Scanning Threat Detection
- Monitoring Shunned Hosts, Attackers, and Targets
Information About Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is considered to be a target.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Supported in single mode only. Multiple mode is not supported.
Default Settings
Table 27-5 lists the default rate limits for scanning threat detection.
|
|
---|---|
The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval is 1/30th of the rate interval or 10 seconds, whichever is larger.
Configuring Scanning Threat Detection
Detailed Steps
|
|
|
---|---|---|
|
Enables scanning threat detection. By default, the system log message 733101 is generated when a host is identified as an attacker. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning. |
|
|
(Optional) Sets the duration of the shun for attacking hosts. |
|
|
(Optional) Changes the default event limit for when the ASA identifies a host as an attacker or as a target. If you already configured this command as part of the basic threat detection configuration (see the “Configuring Basic Threat Detection Statistics” section), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for basic and scanning threat detection. If you do not set the rates using this command, the default values are used for both the scanning threat detection feature and the basic threat detection feature. You can configure up to three different rate intervals, by entering separate commands. |
Monitoring Shunned Hosts, Attackers, and Targets
To monitor shunned hosts and attackers and targets, perform one of the following tasks:
Examples
The following is sample output from the show threat-detection shun command:
To release the host at 10.1.1.6, enter the following command:
The following is sample output from the show threat-detection scanning-threat attacker command:
Feature History for Scanning Threat Detection
Table 27-6 lists each feature change and the platform release in which it was implemented.
Configuration Examples for Threat Detection
The following example configures basic threat detection statistics, and changes the DoS attack rate settings. All advanced threat detection statistics are enabled, with the host statistics number of rate intervals lowered to 2. The TCP Intercept rate interval is also customized. Scanning threat detection is enabled with automatic shunning for all addresses except 10.1.1.0/24. The scanning threat rate intervals are customized.