
9/30/2015 ASA Threat Detection Functionality and Configuration - Cisco


ASA Threat Detection Functionality and Configuration
Document ID: 113685   Updated: Jul 06, 2015

Contents

Introduction
Threat Detection Functionality
  Basic Threat Detection (System Level Rates)
  Advanced Threat Detection (Object Level Statistics and Top N)
  Scanning Threat Detection
  Limitations
Configuration
  Basic Threat Detection
  Advanced Threat Detection
  Scanning Threat Detection
Performance
Recommended Actions
  When a Basic Drop Rate is Exceeded and %ASA-4-733100 is Generated
  When a Scanning Threat is Detected and %ASA-4-733101 is Logged
  When an Attacker is Shunned and %ASA-4-733102 is Logged
  When %ASA-4-733104 and/or %ASA-4-733105 is Logged
How To Manually Trigger a Threat
  Basic Threat - ACL Drop, Firewall, and Scanning
  Advanced Threat - TCP Intercept
  Scanning Threat
Related Information

Introduction
This document describes the functionality and basic configuration of the Threat Detection feature of the Cisco Adaptive Security Appliance (ASA). Threat Detection provides firewall administrators with the necessary tools to identify, understand, and stop attacks before they reach the internal network infrastructure. In order to do so, the feature relies on a number of different triggers and statistics, which are described in further detail in these sections.
Threat Detection can be used on any ASA firewall that runs a software version of 8.0(2) or later. Although threat detection is not a substitute for a dedicated IDS/IPS solution, it can be used in environments where an IPS is not available to provide an added layer of protection to the core functionality of the ASA.

Threat Detection Functionality
The threat detection feature has three main components:
1. Basic Threat Detection
2. Advanced Threat Detection
3. Scanning Threat Detection
Each of these components is described in detail in these sections.

Basic Threat Detection (System Level Rates)
Basic threat detection is enabled by default on all ASAs running 8.0(2) and later.
Basic threat detection monitors the rates at which packets are dropped for various reasons by the ASA as a whole. This means that the statistics generated by basic threat detection only apply to the entire appliance and are generally not granular enough to provide information on the source or specific nature of the threat. Instead, the ASA monitors dropped packets for these events:

ACL Drop (acl-drop): Packets are denied by access lists
Bad Pkts (bad-packet-drop): Invalid packet formats, which includes L3 and L4 headers that do not conform to RFC standards
Conn Limit (conn-limit-drop): Packets that exceed a configured or global connection limit
DoS Attack (dos-drop): Denial of Service (DoS) attacks
Firewall (fw-drop): Basic firewall security checks
ICMP Attack (icmp-drop): Suspicious ICMP packets
Inspect (inspect-drop): Denial by application inspection
Interface (interface-drop): Packets dropped by interface checks
Scanning (scanning-threat): Network/host scanning attacks
SYN Attack (syn-attack): Incomplete session attacks, which includes TCP SYN attacks and unidirectional UDP sessions that have no return data

http://www.cisco.com/c/en/us/support/docs/security/asa5500xseriesnextgenerationfirewalls/113685asathreatdetection.html?referring_site=RE&po 1/7
Each of these events has a specific set of triggers that are used to identify the threat. Most triggers are tied back to specific ASP drop reasons, though certain syslogs and inspection actions are also considered. Some triggers are monitored by multiple threat categories. Some of the most common triggers are outlined in this table, though it is not an exhaustive list:

Basic Threat         Trigger(s) / ASP Drop Reason(s)
acl-drop             acl-drop
bad-packet-drop      invalid-tcp-hdr-length, invalid-ip-header, inspect-dns-pak-too-long, inspect-dns-id-not-matched
conn-limit-drop      conn-limit
dos-drop             sp-security-failed
fw-drop              inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched, sp-security-failed, acl-drop
icmp-drop            inspect-icmp-seq-num-not-matched
inspect-drop         Frame drops triggered by an inspection engine
interface-drop       sp-security-failed, no-route
scanning-threat      tcp-3whs-failed, tcp-not-syn, sp-security-failed, acl-drop, inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched
syn-attack           %ASA-6-302014 syslog with teardown reason of "SYN Timeout"
For each event, basic threat detection measures the rate at which these drops occur over a configured period of time. This period of time is called the average rate interval (ARI) and can range from 600 seconds to 30 days. If the number of events that occur within the ARI exceeds the configured rate thresholds, the ASA considers these events a threat.
Basic threat detection has two configurable thresholds for when it considers events to be a threat: the average rate and the burst rate. The average rate is simply the average number of drops per second within the time period of the configured ARI. For example, if the average rate threshold for ACL drops is configured for 400 with an ARI of 600 seconds, the ASA calculates the average number of packets that were dropped by ACLs in the last 600 seconds. If this number turns out to be greater than 400 per second, the ASA logs a threat.
Likewise, the burst rate is very similar but looks at smaller periods of snapshot data, called the burst rate interval (BRI). The BRI is always smaller than the ARI. For example, building on the previous example, the ARI for ACL drops is still 600 seconds and now has a burst rate of 800. With these values, the ASA calculates the average number of packets dropped by ACLs in the last 20 seconds, where 20 seconds is the BRI. If this calculated value exceeds 800 drops per second, a threat is logged. In order to determine what BRI is used, the ASA calculates the value of 1/30th of the ARI. Therefore, in the example previously used, 1/30th of 600 seconds is 20 seconds. However, threat detection has a minimum BRI of 10 seconds, so if 1/30th of the ARI is less than 10, the ASA still uses 10 seconds as the BRI. Also, it is important to note that this behavior was different in versions prior to 8.2(1), which used a value of 1/60th of the ARI instead of 1/30th. The minimum BRI of 10 seconds is the same for all software versions.
When a basic threat is detected, the ASA simply generates syslog %ASA-4-733100 to alert the administrator that a potential threat has been identified. The average, current, and total number of events for each threat category can be seen with the show threat-detection rate command. The total number of cumulative events is the sum of the number of events seen in the last 30 BRI samples.
Basic threat detection does not take any actions in order to stop the offending traffic or prevent future attacks. In this sense, basic threat detection is purely informational and can be used as a monitoring or reporting mechanism.
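An added model of the rate check just described (illustrative Python, not code from the Cisco document or from the ASA itself): it derives the BRI from the ARI, applies the burst and average thresholds to a constructed per-second drop series, and computes the cumulative total the way the text states it.

```python
# Added example, not code from the Cisco document: a model of how Basic Threat
# Detection evaluates one drop category against its average-rate and burst-rate
# thresholds, using the ARI/BRI rules described above. The per-second drop
# counters used with it are constructed sample data, not ASA output.
from dataclasses import dataclass
from typing import List, Optional

MIN_BRI = 10  # minimum burst rate interval in seconds, same for all versions


def burst_rate_interval(rate_interval: int, pre_8_2_1: bool = False) -> int:
    """BRI is 1/30th of the ARI (1/60th before 8.2(1)), but never below 10 s."""
    divisor = 60 if pre_8_2_1 else 30
    return max(MIN_BRI, rate_interval // divisor)


@dataclass(frozen=True)
class RateConfig:
    """One 'threat-detection rate <category> ...' line."""
    category: str
    rate_interval: int  # ARI in seconds (600 s to 30 days on the ASA)
    average_rate: int   # drops per second, averaged over the ARI
    burst_rate: int     # drops per second, averaged over the BRI


@dataclass(frozen=True)
class Threat:
    """Which threshold was crossed, as %ASA-4-733100 would report it."""
    category: str
    rate_kind: str      # "burst" or "average"
    measured: float     # drops per second actually observed
    threshold: int      # configured rate that was exceeded
    interval: int       # window length in seconds (BRI or ARI)


# Default acl-drop rate-1 from 'show run all threat-detection'
ACL_DROP_DEFAULT = RateConfig("ACL drop", 600, 400, 800)


def evaluate(cfg: RateConfig, drops_per_second: List[int],
             pre_8_2_1: bool = False) -> Optional[Threat]:
    """Decide whether a drop series crosses cfg's burst or average threshold.

    drops_per_second[i] is the number of drops counted in second i, with the
    last element being the most recent second. Seconds older than the ARI are
    ignored; if fewer than ARI seconds are supplied, the missing seconds count
    as zero drops.
    """
    bri = burst_rate_interval(cfg.rate_interval, pre_8_2_1)
    ari_window = drops_per_second[-cfg.rate_interval:]
    bri_window = drops_per_second[-bri:]
    burst = sum(bri_window) / bri
    average = sum(ari_window) / cfg.rate_interval
    if burst > cfg.burst_rate:
        return Threat(cfg.category, "burst", burst, cfg.burst_rate, bri)
    if average > cfg.average_rate:
        return Threat(cfg.category, "average", average, cfg.average_rate,
                      cfg.rate_interval)
    return None


def cumulative_total(cfg: RateConfig, drops_per_second: List[int],
                     pre_8_2_1: bool = False) -> int:
    """'Cumulative total count' as shown by show threat-detection rate:
    the sum of the drops seen in the last 30 BRI samples."""
    bri = burst_rate_interval(cfg.rate_interval, pre_8_2_1)
    return sum(drops_per_second[-30 * bri:])


if __name__ == "__main__":
    # Constructed series: 580 quiet seconds, then 20 seconds of 900 drops/s.
    # The 600 s average is only 30 drops/s, but the last BRI (20 s) is 900 drops/s.
    spike = [0] * 580 + [900] * 20
    print(evaluate(ACL_DROP_DEFAULT, spike))
    print(cumulative_total(ACL_DROP_DEFAULT, spike))
```

With the default ACL-drop rate the spike series trips the burst threshold only, while a steady 450 drops/s for the whole ARI trips the average threshold only.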

Advanced Threat Detection (Object Level Statistics and Top N)
Unlike Basic Threat Detection, Advanced Threat Detection can be used to track statistics for more granular objects. The ASA supports tracking statistics for host IPs, ports, protocols, ACLs, and servers protected by TCP intercept. Advanced Threat Detection is only enabled by default for ACL statistics.
For host, port, and protocol objects, Threat Detection keeps track of the number of packets, bytes, and drops that were both sent and received by that object within a specific time period. For ACLs, Threat Detection keeps track of the top 10 ACEs (both permit and deny) that were hit the most within a specific time period.
The time periods tracked in all of these cases are 20 minutes, 1 hour, 8 hours, and 24 hours. While the time periods themselves are not configurable, the number of periods that are tracked per object can be adjusted with the 'number-of-rate' keyword. See the Configuration section for more information. For example, if 'number-of-rate' is set to 2, you see all statistics for 20 minutes, 1 hour and 8 hours. If 'number-of-rate' is set to 1, you see all statistics for 20 minutes and 1 hour. No matter what, the 20 minute rate is always displayed.
When TCP intercept is enabled, Threat Detection can keep track of the top 10 servers which are considered to be under attack and protected by TCP intercept. Statistics for TCP intercept are similar to Basic Threat Detection in the sense that the user can configure the measured rate interval along with specific average (ARI) and burst (BRI) rates. Advanced Threat Detection statistics for TCP intercept are only available in ASA 8.0(4) and later.
Advanced Threat Detection statistics are viewed via the show threat-detection statistics and show threat-detection statistics top commands. This is also the feature responsible for populating the "top" graphs on the firewall dashboard of ASDM. The only syslogs that are generated by Advanced Threat Detection are %ASA-4-733104 and %ASA-4-733105, which are triggered when the average and burst rates (respectively) are exceeded for TCP intercept statistics.
Like Basic Threat Detection, Advanced Threat Detection is purely informational. No actions are taken to block traffic based on the Advanced Threat Detection statistics.

Scanning Threat Detection
Scanning Threat Detection is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet. Scanning Threat Detection is disabled by default.
Scanning Threat Detection builds on the concept of Basic Threat Detection, which already defines a threat category for a scanning attack. Therefore, the rate interval, average rate (ARI), and burst rate (BRI) settings are shared between Basic and Scanning Threat Detection. The difference between the two features is that while Basic Threat Detection only indicates that the average or burst rate thresholds were crossed, Scanning Threat Detection maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan. Additionally, only traffic that is actually received by the target host/subnet is considered by Scanning Threat Detection. Basic Threat Detection can still trigger a Scanning threat even if the traffic is dropped by an ACL.
Scanning Threat Detection can optionally react to an attack by shunning the attacker IP. This makes Scanning Threat Detection the only subset of the Threat Detection feature that can actively affect connections through the ASA.
When Scanning Threat Detection detects an attack, %ASA-4-733101 is logged for the attacker and/or target IPs. If the feature is configured to shun the attacker, %ASA-4-733102 is logged when Scanning Threat Detection generates a shun. %ASA-4-733103 is logged when the shun is removed. The show threat-detection scanning-threat command can be used in order to view the entire Scanning Threat database.

Limitations
Threat Detection is only available in ASA 8.0(2) and later. It is not supported on the ASA 1000V platform.
Threat Detection is only supported in single context mode.
Only through-the-box threats are detected. Traffic sent to the ASA itself is not considered by Threat Detection.
TCP connection attempts that are reset by the targeted server are not counted as a SYN attack or Scanning threat.

Configuration

Basic Threat Detection
Basic Threat Detection is enabled with the threat-detection basic-threat command.
ciscoasa(config)# threat-detection basic-threat

The default rates can be viewed with the show run all threat-detection command.
ciscoasa(config)# show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

In order to tune these rates with custom values, simply reconfigure the threat-detection rate command for the appropriate threat category.
ciscoasa(config)# threat-detection rate acl-drop rate-interval 1200 average-rate 250 burst-rate 550

Each threat category can have a maximum of 3 different rates defined (with rate IDs of rate-1, rate-2, and rate-3). The particular rate ID that is exceeded is referenced in the %ASA-4-733100 syslog.
In the previous example, threat detection creates syslog 733100 only when the number of ACL drops exceeds 250 drops/second over 1200 seconds or 550 drops/second over 40 seconds.

Advanced Threat Detection
Use the threat-detection statistics command in order to enable Advanced Threat Detection. If no specific feature keyword is provided, the command enables tracking for all statistics.
ciscoasa(config)# threat-detection statistics ?
configure mode commands/options:
  access-list    Keyword to specify access-list statistics
  host           Keyword to specify IP statistics
  port           Keyword to specify port statistics
  protocol       Keyword to specify protocol statistics
  tcp-intercept  Trace tcp-intercept statistics
  <cr>

In order to configure the number of rate intervals that are tracked for host, port, protocol, or ACL statistics, use the number-of-rate keyword.
ciscoasa(config)# threat-detection statistics host number-of-rate 2

The number-of-rate keyword configures Threat Detection to track only the shortest n number of intervals.
In order to enable TCP intercept statistics, use the threat-detection statistics tcp-intercept command.
ciscoasa(config)# threat-detection statistics tcp-intercept

In order to configure custom rates for TCP intercept statistics, use the rate-interval, average-rate, and burst-rate keywords.
ciscoasa(config)# threat-detection statistics tcp-intercept rate-interval 45 burst-rate 400 average-rate 100

Scanning Threat Detection
In order to enable Scanning Threat Detection, use the threat-detection scanning-threat command.
ciscoasa(config)# threat-detection scanning-threat

In order to adjust the rates for a scanning threat, use the same threat-detection rate command used by Basic Threat Detection.
ciscoasa(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 250 burst-rate 550

In order to allow the ASA to shun a scanning attacker IP, add the shun keyword to the threat-detection scanning-threat command.
ciscoasa(config)# threat-detection scanning-threat shun

This allows Scanning Threat Detection to create a one hour shun for the attacker. In order to adjust the duration of the shun, use the threat-detection scanning-threat shun duration command.
ciscoasa(config)# threat-detection scanning-threat shun duration 1000

In some cases, you may still want to prevent the ASA from shunning certain IPs. In order to do this, create an exception with the threat-detection scanning-threat shun except command.
ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255
ciscoasa(config)# threat-detection scanning-threat shun except object-group no-shun

Performance
Basic Threat Detection has very little performance impact on the ASA. Advanced and Scanning Threat Detection are much more resource intensive because they have to keep track of various statistics in memory. Only Scanning Threat Detection with the shun function enabled can actively impact traffic that otherwise would have been allowed.
As the ASA software versions have progressed, the memory utilization of Threat Detection has been significantly optimized. However, care should be taken to monitor the memory utilization of the ASA before and after Threat Detection is enabled. In some cases, it might be better to only enable certain statistics (for example, host statistics) temporarily while actively troubleshooting a specific issue.
For a more detailed view of Threat Detection's memory usage, run the show memory app-cache threat-detection [detail] command.

Recommended Actions
These sections provide some general recommendations for actions that can be taken when various Threat Detection related events occur.

When a Basic Drop Rate is Exceeded and %ASA-4-733100 is Generated
Determine the specific threat category mentioned in the %ASA-4-733100 syslog and correlate this with the output of show threat-detection rate. With this information, check the output of show asp drop in order to determine the reasons why traffic is being dropped. For a more detailed view of traffic that is dropped for a specific reason, use an ASP drop capture with the reason in question in order to see all of the packets that are being dropped. For example, if ACL Drop threats are being logged, capture on the ASP drop reason of acl-drop:
ciscoasa# capture drop type asp-drop acl-drop

ciscoasa# show capture drop

1 packet captured

1: 18:03:00.205189 10.10.10.10.60670 > 192.168.1.100.53: udp 34 Drop-reason:
(acl-drop) Flow is denied by configured rule

This capture shows that the packet being dropped is a UDP/53 packet from 10.10.10.10 to 192.168.1.100.
If %ASA-4-733100 reports a Scanning threat, it can also be helpful to temporarily enable Scanning Threat Detection. This allows the ASA to keep track of the source and destination IPs involved in the attack.
Since Basic Threat Detection mostly monitors traffic which is already being dropped by the ASP, no direct action is required to stop a potential threat. The exceptions to this are SYN Attacks and Scanning threats, which involve traffic passing through the ASA.
If the drops seen in the ASP drop capture are legitimate and/or expected for the network environment, tune the basic rate intervals to a more appropriate value.
If the drops show illegitimate traffic, actions should be taken to block or rate limit the traffic before it reaches the ASA. This can include ACLs and QoS on upstream devices.
For SYN attacks, traffic can be blocked in an ACL on the ASA. TCP intercept could also be configured to protect the targeted server(s), but this could simply result in a Conn Limit threat being logged instead.
For Scanning threats, traffic can also be blocked in an ACL on the ASA. Scanning Threat Detection with the shun option can be enabled to allow the ASA to proactively block all packets from the attacker for a defined period of time.

When a Scanning Threat is Detected and %ASA-4-733101 is Logged
%ASA-4-733101 should list either the target host/subnet or the attacker IP address. For the full list of targets and attackers, check the output of show threat-detection scanning-threat.
Packet captures on the ASA's interfaces facing the attacker and/or target(s) can also help clarify the nature of the attack.
If the detected scan is not expected, actions should be taken to block or rate limit the traffic before it reaches the ASA. This can include ACLs and QoS on upstream devices. Adding the shun option to the Scanning Threat Detection config can also allow the ASA to proactively drop all packets from the attacker IP for a defined period of time. As a last resort, the traffic can also be blocked manually on the ASA via an ACL or TCP intercept policy.
If the detected scan is a false positive, adjust the Scanning Threat rate intervals to a more appropriate value for the network environment.

When an Attacker is Shunned and %ASA-4-733102 is Logged
%ASA-4-733102 lists the IP address of the shunned attacker. Use the show threat-detection shun command in order to view a full list of attackers that have been shunned by Threat Detection specifically. Use the show shun command in order to view the full list of all IPs that are actively being shunned by the ASA (including from sources other than Threat Detection).
If the shun is part of a legitimate attack, no further action is required. However, it would be beneficial to manually block the traffic of the attacker as far upstream toward the source as possible. This can be done via ACLs and QoS. This ensures that intermediate devices do not need to waste resources processing illegitimate traffic.
If the Scanning threat that triggered the shun was a false positive, manually remove the shun with the clear threat-detection shun [IP_address] command.

When %ASA-4-733104 and/or %ASA-4-733105 is Logged
%ASA-4-733104 and %ASA-4-733105 list the host targeted by the attack that is currently being protected by TCP intercept. For more details on the attack rates and protected servers, check the output of show threat-detection statistics top tcp-intercept.
ciscoasa# show threat-detection statistics top tcp-intercept
Top 10 protected servers under attack (sorted by average rate)
Monitoring window size: 30 mins   Sampling interval: 30 secs

 1 192.168.1.2:5000 inside 1249 9503 2249245 Last: 10.0.0.3 (0 secs ago)
 2 192.168.1.3:5000 inside 10 10 6080 10.0.0.200 (0 secs ago)
 3 192.168.1.4:5000 inside 2 6 560 10.0.0.200 (59 secs ago)
 4 192.168.1.5:5000 inside 1 5 560 10.0.0.200 (59 secs ago)
 5 192.168.1.6:5000 inside 1 4 560 10.0.0.200 (59 secs ago)
 6 192.168.1.7:5000 inside 0 3 560 10.0.0.200 (59 secs ago)
 7 192.168.1.8:5000 inside 0 2 560 10.0.0.200 (59 secs ago)
 8 192.168.1.9:5000 inside 0 1 560 10.0.0.200 (59 secs ago)
 9 192.168.1.10:5000 inside 0 0 550 10.0.0.200 (2 mins ago)
10 192.168.1.11:5000 inside 0 0 550 10.0.0.200 (5 mins ago)

When Advanced Threat Detection detects an attack of this nature, the ASA is already protecting the targeted server via TCP intercept. Verify the configured connection limits to ensure they provide adequate protection for the nature and rate of the attack. Also, it would be beneficial to manually block the traffic of the attacker as far upstream toward the source as possible. This can be done via ACLs and QoS. This ensures that intermediate devices do not need to waste resources processing illegitimate traffic.
If the detected attack is a false positive, adjust the rates for a TCP intercept attack to a more appropriate value with the threat-detection statistics tcp-intercept command.
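As an added, defender-side illustration (not code from the Cisco document), this Python snippet parses the 7331xx syslogs named in the Recommended Actions sections, including console output where one message wraps across lines, and tags each event with the first show command recommended above. The console block it carries is a constructed sample shaped like the message formats shown in this document.

```python
# Added example, not code from the Cisco document: parse the Threat Detection
# syslogs covered in the Recommended Actions sections (733100 to 733105) into
# structured events and attach the first command the document recommends.
import re
from typing import Dict, List, Optional

_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>7331\d\d):\s*(?P<msg>.*)")
_DROP_RATE = re.compile(r"\[\s*(?P<category>[^\]]+?)\s*\]\s*drop rate-(?P<rate_id>\d) exceeded")
_RATES = re.compile(
    r"Current burst rate is (?P<burst>\d+) per second,\s*"
    r"max configured rate is (?P<burst_max>\d+);\s*"
    r"Current average rate is (?P<average>\d+) per second,\s*"
    r"max configured rate is (?P<average_max>\d+);\s*"
    r"Cumulative total count is (?P<total>\d+)")
_HOST = re.compile(r"\b[Hh]ost\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})")

# First command to run for each message id, per the sections above.
FOLLOW_UP = {
    "733100": "show threat-detection rate, then show asp drop for the named category",
    "733101": "show threat-detection scanning-threat",
    "733102": "show threat-detection shun",
    "733103": "none: the shun was removed",
    "733104": "show threat-detection statistics top tcp-intercept",
    "733105": "show threat-detection statistics top tcp-intercept",
}


def parse_threat_syslog(line: str) -> Optional[Dict[str, object]]:
    """Describe one (already un-wrapped) 7331xx syslog; None for other lines."""
    m = _HEADER.search(line)
    if m is None:
        return None
    msg_id, msg = m.group("id"), m.group("msg")
    event: Dict[str, object] = {
        "id": msg_id, "severity": int(m.group("sev")),
        "category": None, "rate_id": None, "host": None,
        "follow_up": FOLLOW_UP.get(msg_id, "unknown message id"),
    }
    dr = _DROP_RATE.search(msg)          # 733100: drop category and rate id
    if dr:
        event["category"] = dr.group("category")
        event["rate_id"] = int(dr.group("rate_id"))
    host = _HOST.search(msg)             # 733101/733102: attacker or target IP
    if host:
        event["host"] = host.group("host")
    rates = _RATES.search(msg)           # measured vs. configured rates
    if rates:
        event.update({k: int(v) for k, v in rates.groupdict().items()})
    return event


def join_wrapped(lines: List[str]) -> List[str]:
    """Re-join console output where a syslog wraps onto lines without '%ASA-'."""
    joined: List[str] = []
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        if text.startswith("%ASA-") or not joined:
            joined.append(text)
        else:
            joined[-1] += " " + text
    return joined


def triage(console_output: str) -> List[Dict[str, object]]:
    """Parse every Threat Detection syslog found in a block of console output."""
    return [ev for ev in map(parse_threat_syslog,
                             join_wrapped(console_output.splitlines()))
            if ev is not None]


# Constructed sample, shaped like the console output in this document.
SAMPLE = """
%ASA-1-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 19 per second,
max configured rate is 10; Current average rate is 9 per second,
max configured rate is 5; Cumulative total count is 5538
%ASA-4-733101: Host 10.10.10.10 is attacking. Current burst rate is 17 per second,
max configured rate is 10; Current average rate is 0 per second,
max configured rate is 5; Cumulative total count is 700
%ASA-4-733102: Threat-detection adds host 10.10.10.10 to shun list
"""
```

Running triage(SAMPLE) yields three events; the 733100 event carries the Scanning category and its measured and configured rates, and the 733101 and 733102 events carry the attacker address.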

How To Manually Trigger a Threat
For testing and troubleshooting purposes, it can be helpful to manually trigger various threats. This section contains tips for triggering a few common threat types.

Basic Threat - ACL Drop, Firewall, and Scanning
In order to trigger a particular Basic Threat, refer to the table in the previous Functionality section. Choose a specific ASP drop reason and send traffic through the ASA that would be dropped by the appropriate ASP drop reason.
For example, ACL Drop, Firewall, and Scanning threats all consider the rate of packets being dropped by acl-drop. Complete these steps in order to trigger these threats simultaneously:
1. Create an ACL on the outside interface of the ASA that explicitly drops all TCP packets sent to a target server on the inside of the ASA (10.11.11.11):
access-list outside_in extended line 1 deny tcp any host 10.11.11.11
access-list outside_in extended permit ip any any
access-group outside_in in interface outside

2. From an attacker on the outside of the ASA (10.10.10.10), use nmap in order to run a TCP SYN scan against every port on the target server:
nmap -sS -T5 -p 1-65535 -Pn 10.11.11.11

Note: -T5 configures nmap to run the scan as fast as possible. Depending on the resources of the attacker PC, this still may not be fast enough to trigger some of the default rates. If this is the case, simply lower the configured rates for the threat you want to see. Setting the ARI and BRI to 0 causes Basic Threat Detection to always trigger the threat regardless of the rate.

3. Note that Basic Threats are detected for ACL Drop, Firewall, and Scanning threats:
%ASA-1-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 19 per second,
max configured rate is 10; Current average rate is 9 per second,
max configured rate is 5; Cumulative total count is 5538
%ASA-1-733100: [ ACL drop] drop rate-1 exceeded. Current burst rate is 19 per second,
max configured rate is 0; Current average rate is 2 per second,
max configured rate is 0; Cumulative total count is 1472
%ASA-1-733100: [ Firewall] drop rate-1 exceeded. Current burst rate is 18 per second,
max configured rate is 0; Current average rate is 2 per second,
max configured rate is 0; Cumulative total count is 1483

Note: In this example, the ACL drop and Firewall ARIs and BRIs have been set to 0 so they always trigger a threat. This is why the max configured rates are listed as 0.

Advanced Threat - TCP Intercept
1. Create an ACL on the outside interface that permits all TCP packets sent to a target server on the inside of the ASA (10.11.11.11):
access-list outside_in extended line 1 permit tcp any host 10.11.11.11
access-group outside_in in interface outside

2. If the target server does not actually exist, or it resets the connection attempts of the attacker, configure a fake ARP entry on the ASA to blackhole the attack traffic out the inside interface:
arp inside 10.11.11.11 dead.dead.dead

3. Create a simple TCP intercept policy on the ASA:
access-list tcp extended permit tcp any any
class-map tcp
 match access-list tcp
policy-map global_policy
 class tcp
  set connection conn-max 2
service-policy global_policy global

4. From an attacker on the outside of the ASA (10.10.10.10), use nmap to run a TCP SYN scan against every port on the target server:
nmap -sS -T5 -p 1-65535 -Pn 10.11.11.11

5. Note that Threat Detection keeps track of the protected server:
ciscoasa(config)# show threat-detection statistics top tcp-intercept
Top 10 protected servers under attack (sorted by average rate)
Monitoring window size: 30 mins   Sampling interval: 30 secs

 1 10.11.11.11:18589 outside 0 0 1 10.10.10.10 (36 secs ago)
 2 10.11.11.11:47724 outside 0 0 1 10.10.10.10 (36 secs ago)

 3 10.11.11.11:46126 outside 0 0 1 Last: 10.10.10.10 (6 secs ago)
 4 10.11.11.11:3695 outside 0 0 1 Last: 10.10.10.10 (6 secs ago)

Scanning Threat
1. Create an ACL on the outside interface that permits all TCP packets sent to a target server on the inside of the ASA (10.11.11.11):
access-list outside_in extended line 1 permit tcp any host 10.11.11.11
access-group outside_in in interface outside

Note: In order for Scanning Threat Detection to track the target and attacker IPs, the traffic must be permitted through the ASA.

2. If the target server does not actually exist, or it resets the connection attempts of the attacker, configure a fake ARP entry on the ASA to blackhole the attack traffic out the inside interface:
arp inside 10.11.11.11 dead.dead.dead

Note: Connections that are reset by the target server are not counted as part of the threat.

3. From an attacker on the outside of the ASA (10.10.10.10), use nmap to run a TCP SYN scan against every port on the target server:
nmap -sS -T5 -p 1-65535 -Pn 10.11.11.11

Note: -T5 configures nmap to run the scan as fast as possible. Depending on the resources of the attacker PC, this still may not be fast enough to trigger some of the default rates. If this is the case, simply lower the configured rates for the threat you want to see. Setting the ARI and BRI to 0 causes Basic Threat Detection to always trigger the threat regardless of the rate.

4. Note that a Scanning threat is detected, the IP of the attacker is tracked, and the attacker is shunned:
%ASA-1-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 17 per second,
max configured rate is 10; Current average rate is 0 per second,
max configured rate is 5; Cumulative total count is 404
%ASA-4-733101: Host 10.10.10.10 is attacking. Current burst rate is 17 per second,
max configured rate is 10; Current average rate is 0 per second,
max configured rate is 5; Cumulative total count is 700
%ASA-4-733102: Threat-detection adds host 10.10.10.10 to shun list

Related Information
ASA Configuration Guide
ASA Command Reference
ASA Syslog Guide
Technical Support & Documentation - Cisco Systems

© 2015 Cisco and/or its affiliates. All rights reserved.
