Threat Detection

The following topics describe how to configure threat detection statistics and scanning threat detection.

Detecting Threats

Threat detection on the ASA provides a front-line defense against attacks. Threat detection works at Layer 3 and 4 to develop a baseline for traffic on the device, analyzing packet drop statistics and accumulating “top” reports based on traffic patterns. In comparison, a module that provides IPS or Next Generation IPS services identifies and mitigates attack vectors up to Layer 7 on traffic the ASA permitted, and cannot see the traffic dropped already by the ASA. Thus, threat detection and IPS can work together to provide a more comprehensive threat defense.

Threat detection consists of the following elements:

  • Different levels of statistics gathering for various threats.

    Threat detection statistics can help you manage threats to your ASA; for example, if you enable scanning threat detection, then viewing statistics can help you analyze the threat. You can configure two types of threat detection statistics:

    • Basic threat detection statistics—Includes information about attack activity for the system as a whole. Basic threat detection statistics are enabled by default and have no performance impact. See Basic Threat Detection Statistics.

    • Advanced threat detection statistics—Tracks activity at an object level, so the ASA can report activity for individual hosts, ports, protocols, or ACLs. Advanced threat detection statistics can have a major performance impact, depending on the statistics gathered, so only the ACL statistics are enabled by default. See Advanced Threat Detection Statistics.

  • Scanning threat detection, which determines when a host is performing a scan. You can optionally shun any hosts determined to be a scanning threat. See Scanning Threat Detection.

  • Threat Detection for VPN Services, which you can use to protect against the following types of VPN attack from IPv4 addresses:

    • Excessive failed authentication attempts to a remote access VPN, for example brute-force username/password scanning.

    • Client initiation attacks, where the attacker starts but does not complete repeated connection attempts to a remote access VPN head-end from a single host.

    • Access attempts to invalid VPN services, that is, services that are for internal use only.

    These attacks, even when unsuccessful in their attempt to gain access, can consume computational resources and in some cases result in Denial of Service. See Configure Threat Detection for VPN Services.

Basic Threat Detection Statistics

Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events due to the following reasons:

  • Denial by ACLs.

  • Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length).

  • Connection limits exceeded (both system-wide resource limits, and limits set in the configuration).

  • DoS attack detected (such as an invalid SPI, Stateful Firewall check failure).

  • Basic firewall checks failed. This option is a combined rate that includes all firewall-related packet drops in this list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.

  • Suspicious ICMP packets detected.

  • Packets failed application inspection.

  • Interface overload.

  • Scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.

  • Incomplete session detection such as TCP SYN attack detected or UDP session with no return data attack detected.

When the ASA detects a threat, it immediately sends a system log message (733100). The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period.

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Advanced Threat Detection Statistics

Advanced threat detection statistics show both allowed and dropped traffic rates for individual objects such as hosts, ports, protocols, or ACLs.


Caution

Enabling advanced statistics can affect the ASA performance, depending on the type of statistics enabled. Enabling host statistics affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. Port statistics, however, has modest impact.

Scanning Threat Detection

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, ASA threat detection scanning maintains an extensive database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.

If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is considered to be a target.

The following table lists the default rate limits for scanning threat detection.

Table 1. Default Rate Limits for Scanning Threat Detection

Average Rate

Burst Rate

5 drops/sec over the last 600 seconds.

10 drops/sec over the last 20 second period.

5 drops/sec over the last 3600 seconds.

10 drops/sec over the last 120 second period.


Caution

The scanning threat detection feature can affect the ASA performance and memory significantly while it creates and gathers host- and subnet-based data structure and information.

Guidelines for Threat Detection

Security Context Guidelines

Except for advanced threat statistics and VPN services, threat detection is supported in single mode only. In Multiple mode, TCP Intercept statistics are the only statistic supported.

Types of Traffic Monitored

  • For statistics, only through-the-box traffic is monitored; to-the-box traffic is not monitored.

  • Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is allowed through the ASA and that creates a flow is affected by scanning threat detection.

  • For VPN services, only to-the-box traffic from IPv4 addresses is monitored.

Defaults for Threat Detection

Basic threat detection statistics are enabled by default.

The following table lists the default settings. You can view all these default settings using the show running-config all threat-detection command.

For advanced statistics, by default, statistics for ACLs are enabled.

For VPN service threat detection, all services are disabled by default.

Table 2. Basic Threat Detection Default Settings

Packet Drop Reason

Trigger Settings

Average Rate

Burst Rate

  • DoS attack detected

  • Bad packet format

  • Connection limits exceeded

  • Suspicious ICMP packets detected

100 drops/sec over the last 600 seconds.

400 drops/sec over the last 20 second period.

80 drops/sec over the last 3600 seconds.

320 drops/sec over the last 120 second period.

Scanning attack detected

5 drops/sec over the last 600 seconds.

10 drops/sec over the last 20 second period.

4 drops/sec over the last 3600 seconds.

8 drops/sec over the last 120 second period.

Incomplete session detected such as TCP SYN attack detected or UDP session with no return data attack detected (combined)

100 drops/sec over the last 600 seconds.

200 drops/sec over the last 20 second period.

80 drops/sec over the last 3600 seconds.

160 drops/sec over the last 120 second period.

Denial by ACLs

400 drops/sec over the last 600 seconds.

800 drops/sec over the last 20 second period.

320 drops/sec over the last 3600 seconds.

640 drops/sec over the last 120 second period.

  • Basic firewall checks failed

  • Packets failed application inspection

400 drops/sec over the last 600 seconds.

1600 drops/sec over the last 20 second period.

320 drops/sec over the last 3600 seconds.

1280 drops/sec over the last 120 second period.

Interface overload

2000 drops/sec over the last 600 seconds.

8000 drops/sec over the last 20 second period.

1600 drops/sec over the last 3600 seconds.

6400 drops/sec over the last 120 second period.

Configure Threat Detection

Basic threat detection statistics are enabled by default, and might be the only threat detection service that you need. Use the following procedure if you want to implement additional threat detection services.

Procedure

Step 1

Configure Basic Threat Detection Statistics.

Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.

Step 2

Configure Advanced Threat Detection Statistics.

Step 3

Configure Scanning Threat Detection.

Step 4

Configure Threat Detection for VPN Services.

Configure Basic Threat Detection Statistics

Basic threat detection statistics is enabled by default. You can disabled it, or turn it on again if you disable it.

Procedure

Step 1

Enable basic threat detection statistics (if you previously disabled it).

threat-detection basic-threat

Example:


hostname(config)# threat-detection basic-threat

Basic threat detection is enabled by default. Use no threat-detection basic-threat to disable it.

Step 2

(Optional) Change the default settings for one or more type of event.

threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate

For a description of each event type, see Basic Threat Detection Statistics, page 8-1.

When you use this command with the scanning-threat keyword, it is also used in the scanning threat detection. If you do not configure basic threat detection, you can still use this command with the scanning-threat keyword to configure the rate limits for scanning threat detection.

You can configure up to three different rate intervals for each event type.

Example:


hostname(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100

Configure Advanced Threat Detection Statistics

You can configure the ASA to collect extensive statistics. By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps.

Procedure

Step 1

(Optional) Enable all statistics.

threat-detection statistics

To enable only certain statistics, enter this command for each statistic type (shown later in this procedure), and do not also enter the command without any options. You can enter threat-detection statistics (without any options) and then customize certain statistics by entering the command with statistics-specific options (for example, threat-detection statistics host number-of-rate 2). If you enter threat-detection statistics (without any options) and then enter a command for specific statistics, but without any statistic-specific options, then that command has no effect because it is already enabled.

If you enter the no form of this command, it removes all threat-detection statistics commands, including the threat-detection statistics access-list command, which is enabled by default.

Example:


hostname(config)# threat-detection statistics

Step 2

(Optional) Enable statistics for ACLs (if they were disabled previously).

threat-detection statistics access-list

Statistics for ACLs are enabled by default. ACL statistics are only displayed using the show threat-detection top access-list command.

Example:


hostname(config)# threat-detection statistics access-list

Step 3

(Optional) Configure statistics for hosts (host keyword), TCP and UDP ports (port keyword), or non-TCP/UDP IP protocols (protocol keyword).

threat-detection statistics {host | port | protocol} [number-of-rate {1 | 2 | 3}]

The number-of-rate keyword sets the number of rate intervals maintained for statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3. For example, if you set the value to 3, then you view data for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1 (the default), then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.

The host statistics accumulate for as long as the host is active and in the scanning threat host database. The host is deleted from the database (and the statistics cleared) after 10 minutes of inactivity.

Example:


hostname(config)# threat-detection statistics host number-of-rate 2

hostname(config)# threat-detection statistics port number-of-rate 2

hostname(config)# threat-detection statistics protocol number-of-rate 3

Step 4

(Optional) Configure statistics for attacks intercepted by TCP Intercept.

threat-detection statistics tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec]

Where:

  • rate-interval sets the size of the history monitoring window, between 1 and 1440 minutes. The default is 30 minutes. During this interval, the ASA samples the number of attacks 30 times.

  • burst-rate sets the threshold for syslog message generation, between 25 and 2147483647. The default is 400 per second. When the burst rate is exceeded, syslog message 733104 is generated.

  • average-rate sets the average rate threshold for syslog message generation, between 25 and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog message 733105 is generated.

To enable TCP Intercept, see Protect Servers from a SYN Flood DoS Attack (TCP Intercept).

Note

 

This command is available in multiple context mode, unlike the other threat-detection commands.

Example:


hostname(config)# threat-detection statistics tcp-intercept rate-interval 60 
burst-rate 800 average-rate 600

Configure Scanning Threat Detection

You can configure scanning threat detection to identify attackers and optionally shun them.

You can configure the ASA to send system log messages about an attacker or you can automatically shun the host. By default, the system log message 730101 is generated when a host is identified as an attacker. Be sure to except addresses from shunning when you expect a lot of messages from the host. For example, if you have enabled PIM multicast, exempt the PIM routers or PIM messages will be dropped.

Procedure

Step 1

Enable scanning threat detection.

threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]

By default, the system log message 733101 is generated when a host is identified as an attacker. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning.

Example:


hostname(config)# threat-detection scanning-threat shun except 
ip-address 10.1.1.0 255.255.255.0

Step 2

(Optional) Set the duration of the shun for attacking hosts.

threat-detection scanning-threat shun duration seconds

Example:


hostname(config)# threat-detection scanning-threat shun duration 2000

Step 3

(Optional) Change the default event limit for when the ASA identifies a host as an attacker or as a target.

threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate

If you already configured this command as part of the basic threat detection configuration, then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for basic and scanning threat detection. If you do not set the rates using this command, the default values are used for both the scanning threat detection feature and the basic threat detection feature. You can configure up to three different rate intervals by entering separate commands.

Example:


hostname(config)# threat-detection rate scanning-threat rate-interval 1200 
average-rate 10 burst-rate 20

hostname(config)# threat-detection rate scanning-threat rate-interval 2400 
average-rate 10 burst-rate 20

Configure Threat Detection for VPN Services

You can enable threat detection for VPN services to help prevent denial of service (DoS) attacks from IPv4 addresses. There are separate services available for the following types of attack:

  • Remote access VPN login authentication. By repeatedly starting login attempts in a password-spray attack, the attacker can consume resources used for authentication attempts, thus preventing real users from logging into the VPN.

  • Client initiation attacks, where the attacker starts but does not complete repeated connection attempts to a remote access VPN head-end from a single host. Like the password-spray attack, this attack can consume resources and prevent valid users from connecting to the VPN.

  • Attempts to connect to an invalid VPN service, that is, services that are for internal use only. An IP address that attempts this connection is immediately shunned.

When you enable these services, the system automatically shuns hosts that exceed thresholds to prevent further attempts. You can manually remove the shun using the no shun command for the address.

To manually reset the counters for the services to 0, use the clear threat-detection service command.

Before you begin

When deciding on appropriate hold-down and threshold values, consider the use of NAT in your environment. If you use PAT, so that many requests can come from the same IP address, then you should consider higher values for the authentication failure and client initiation services, to ensure valid users have enough time to complete their connections. For example, a hotel, where many customers might try connecting within very short time periods.

Procedure

Step 1

Enable threat detection for remote access VPN authentication failures.

threat-detection service remote-access-authentication hold-down minutes threshold count

Where:

  • hold-down minutes defines the hold-down period from the last failure. The threshold count of consecutive failures must be met within the hold-down period of the previous failure to trigger a shun for the attacker’s IPv4 address. For example, if the hold-down period is 10 minutes and the threshold is 20, and if there are 20 consecutive authentication failures from a single IPv4 address, and if the timespan between any two consecutive failures does not exceed 10 minutes, then the source IPv4 address will be shunned. You can specify a time between 1 and 1440 minutes.

  • threshold count defines the number of failed attempts that must occur within the hold-down period to trigger the shun. You can specify a threshold between 1 and 100.

To disable the service, use the following command:

no threat-detection service remote-access-authentication

Example:

The following example sets a metric of 10 failures within 20 minutes.


ciscoasa(config)# threat-detection service remote-access-authentication 
hold-down 10 threshold 20

Step 2

Enable threat detection for remote access VPN client initiations.

threat-detection service remote-access-client-initiations hold-down minutes threshold count

Where:

  • hold-down minutes defines the hold-down period from the last initiation. The threshold count of consecutive initiations must be met within the hold-down period of the previous initiation to trigger a shun for the client’s IPv4 address. For example, if the hold-down period is 10 minutes and the threshold is 20, and if there are 20 consecutive initiations from a single IPv4 address, and if the timespan between any two consecutive initiations does not exceed 10 minutes, then the source IPv4 address will be shunned. You can specify a time between 1 and 1440 minutes.

  • threshold count defines the number of initiations that must occur within the hold-down period to trigger the shun. You can specify a threshold between 5 and 100.

To disable the service, use the following command:

no threat-detection service remote-access-client-initiations

Example:

The following example sets a metric of 10 initiations within 20 minutes.


ciscoasa(config)# threat-detection service remote-access-client-initiations 
hold-down 10 threshold 20

Step 3

Enable threat detection for attempts to connect to invalid VPN services.

threat-detection service invalid-vpn-access

To disable the service, use the following command:

no threat-detection service invalid-vpn-access

Example:

The following example enables the Invalid VPN Access service.


ciscoasa(config)# threat-detection service invalid-vpn-access

Monitoring Threat Detection

The following topics explain how to monitor threat detection and view traffic statistics.

Monitoring Basic Threat Detection Statistics

To display basic threat detection statistics, use the following command:

show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]

The min-display-rate min_display_rate argument limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

The other arguments let you limit the display to specific categories. For a description of each event type, see Basic Threat Detection Statistics.

The output shows the average rate in events/sec over two fixed time periods: the last 10 minutes and the last 1 hour. It also shows: the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger; the number of times the rates were exceeded (triggered); and the total number of events over the time periods.

The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

You can clear statistics using the clear threat-detection rate command.

The following is sample output from the show threat-detection rate command: 


hostname# show threat-detection rate

                          Average(eps)    Current(eps) Trigger         Total events
  10-min ACL  drop:                  0               0       0                   16
  1-hour ACL  drop:                  0               0       0                  112
  1-hour SYN attck:                  5               0       2                21438
  10-min  Scanning:                  0               0      29                  193
  1-hour  Scanning:                106               0      10               384776
  1-hour Bad  pkts:                 76               0       2               274690
  10-min  Firewall:                  0               0       3                   22
  1-hour  Firewall:                 76               0       2               274844
  10-min DoS attck:                  0               0       0                    6
  1-hour DoS attck:                  0               0       0                   42
  10-min Interface:                  0               0       0                  204
  1-hour Interface:                 88               0       0               318225

Monitoring Advanced Threat Detection Statistics

To monitor advanced threat detection statistics, use the commands shown in the following table. The display output shows the following:

  • The average rate in events/sec over fixed time periods.

  • The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

  • The number of times the rates were exceeded (for dropped traffic statistics only)

  • The total number of events over the fixed time periods.

The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Command

Purpose

show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host | port-protocol] [rate-1 | rate-2 | rate-3] | tcp-intercept [alldetail]]

Displays the top 10 statistics. If you do not enter any options, the top 10 statistics are shown for all categories.

The min-display-rate min_display_rate argument limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

Following rows explain optional keywords.

show threat-detection statistics [min-display-rate min_display_rate] top access-list [rate-1 | rate-2 | rate-3]

To view the top 10 ACEs that match packets, including both permit and deny ACEs, use the access-list keyword. Permitted and denied traffic are not differentiated in this display. If you enable basic threat detection using the threat-detection basic-threat command, you can track ACL denies using the show threat-detection rate acl-drop command.

The rate-1 keyword shows the statistics for the smallest fixed rate intervals available in the display; rate-2 shows the next largest rate interval; and rate-3, if you have three intervals defined, shows the largest rate interval. For example, the display shows statistics for the last 1 hour, 8 hours, and 24 hours. If you set the rate-1 keyword, the ASA shows only the 1 hour time interval.

show threat-detection statistics [min-display-rate min_display_rate] top host [rate-1 | rate-2 | rate-3]

To view only host statistics, use the host keyword. Note: Due to the threat detection algorithm, an interface used as a combination failover and state link could appear in the top 10 hosts; this is expected behavior, and you can ignore this IP address in the display.

show threat-detection statistics [min-display-rate min_display_rate] top port-protocol [rate-1 | rate-2 | rate-3]

To view statistics for ports and protocols, use the port-protocol keyword. The port-protocol keyword shows statistics for both ports and protocols (both must be enabled for the display), and shows the combined statistics of TCP/UDP port and IP protocol types. TCP (protocol 6) and UDP (protocol 17) are not included in the display for IP protocols; TCP and UDP ports are, however, included in the display for ports. If you only enable statistics for one of these types, port or protocol, then you will only view the enabled statistics.

show threat-detection statistics [min-display-rate min_display_rate] top tcp-intercept [alldetail]]

To view TCP Intercept statistics, use the tcp-intercept keyword. The display includes the top 10 protected servers under attack. The all keyword shows the history data of all the traced servers. The detail keyword shows history sampling data. The ASA samples the number of attacks 30 times during the rate interval, so for the default 30 minute period, statistics are collected every 60 seconds.

show threat-detection statistics [min-display-rate min_display_rate] host [ip_address [mask]]

Displays statistics for all hosts or for a specific host or subnet.

show threat-detection statistics [min-display-rate min_display_rate] port [start_port[-end_port]]

Displays statistics for all ports or for a specific port or range of ports.

show threat-detection statistics [min-display-rate min_display_rate] protocol [protocol_number | protocol]

Displays statistics for all IP protocols or for a specific protocol.

The protocol_number argument is an integer between 0 and 255. The protocol argument can be one of ah , eigrp , esp , gre , icmp , icmp6 , igmp , igrp , ip , ipinip , ipsec , nos , ospf , pcp , pim , pptp , snp , tcp , udp .

Evaluating Host Threat Detection Statistics

The following is sample output from the show threat-detection statistics host command: 


hostname# show threat-detection statistics host

                          Average(eps)    Current(eps) Trigger         Total events
Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0
  1-hour Sent byte:               2938               0       0             10580308
  8-hour Sent byte:                367               0       0             10580308
 24-hour Sent byte:                122               0       0             10580308
  1-hour Sent pkts:                 28               0       0               104043
  8-hour Sent pkts:                  3               0       0               104043
 24-hour Sent pkts:                  1               0       0               104043
  20-min Sent drop:                  9               0       1                10851
  1-hour Sent drop:                  3               0       1                10851
  1-hour Recv byte:               2697               0       0              9712670
  8-hour Recv byte:                337               0       0              9712670
 24-hour Recv byte:                112               0       0              9712670
  1-hour Recv pkts:                 29               0       0               104846
  8-hour Recv pkts:                  3               0       0               104846
 24-hour Recv pkts:                  1               0       0               104846
  20-min Recv drop:                 42               0       3                50567
  1-hour Recv drop:                 14               0       1                50567
Host:10.0.0.0: tot-ses:1 act-ses:0 fw-drop:0 insp-drop:0 null-ses:0 bad-acc:0
  1-hour Sent byte:                  0               0       0                  614
  8-hour Sent byte:                  0               0       0                  614
 24-hour Sent byte:                  0               0       0                  614
  1-hour Sent pkts:                  0               0       0                    6
  8-hour Sent pkts:                  0               0       0                    6
 24-hour Sent pkts:                  0               0       0                    6
  20-min Sent drop:                  0               0       0                    4
  1-hour Sent drop:                  0               0       0                    4
  1-hour Recv byte:                  0               0       0                  706
  8-hour Recv byte:                  0               0       0                  706
 24-hour Recv byte:                  0               0       0                  706
  1-hour Recv pkts:                  0               0       0                    7

The following table explains the output.

Table 3. show threat-detection statistics host

Field

Description

Host

The host IP address.

tot-ses

The total number of sessions for this host since it was added to the database.

act-ses

The total number of active sessions that the host is currently involved in.

fw-drop

The number of firewall drops. Firewall drops is a combined rate that includes all firewall-related packet drops tracked in basic threat detection, including ACL denials, bad packets, exceeded connection limits, DoS attack packets, suspicious ICMP packets, TCP SYN attack packets, and UDP session with no return data attack packets. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.

insp-drop

The number of packets dropped because they failed application inspection.

null-ses

The number of null sessions, which are TCP SYN sessions that did not complete within the 3-second timeout, and UDP sessions that did not have any data sent by its server 3 seconds after the session starts.

bad-acc

The number of bad access attempts to host ports that are in a closed state. When a port is determined to be in a null session (see the null-ses field description), the port state of the host is set to HOST_PORT_CLOSE. Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout.

Average(eps)

The average rate in events/sec over each time period.

The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

The number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

The total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

20-min, 1-hour, 8-hour, and 24-hour

Statistics for these fixed rate intervals. For each interval:

  • Sent byte—The number of successful bytes sent from the host.

  • Sent pkts—The number of successful packets sent from the host.

  • Sent drop—The number of packets sent from the host that were dropped because they were part of a scanning attack.

  • Recv byte—The number of successful bytes received by the host.

  • Recv pkts—The number of successful packets received by the host.

  • Recv drop—the number of packets received by the host that were dropped because they were part of a scanning attack.

Monitoring Scanning Threat Detection Shunned Hosts, Attackers, and Targets

To monitor and manage shunned hosts and attackers and targets for scanning threat detection, use the following commands. These commands are for scanning threat detection only and do not apply to other services.

  • show threat-detection shun

    Displays the hosts that are currently shunned. For example: 

    
hostname# show threat-detection shun

Shunned Host List:
(outside) src-ip=10.0.0.13 255.255.255.255
(inside) src-ip=10.0.0.13 255.255.255.255

  • clear threat-detection shun [ip_address [mask]]

    Releases a host from being shunned. If you do not specify an IP address, all hosts are cleared from the shun list.

    For example, to release the host at 10.1.1.6, enter the following command: 

    
hostname# clear threat-detection shun 10.1.1.6

  • show threat-detection scanning-threat [attacker | target]

    Displays hosts that the ASA decides are attackers (including hosts on the shun list), and displays the hosts that are the target of an attack. If you do not enter an option, both attackers and target hosts are displayed. For example: 

    
hostname# show threat-detection scanning-threat
Latest Target Host & Subnet List:
    192.168.1.0 (l2l)
    192.168.1.249 (l2l)
Latest Attacker Host & Subnet List:
    192.168.10.234 (outside)
    192.168.10.0 (outside)
    192.168.10.2 (outside)
    192.168.10.3 (outside)
    192.168.10.4 (outside)
    192.168.10.5 (outside)
    192.168.10.6 (outside)
    192.168.10.7 (outside)
    192.168.10.8 (outside)
    192.168.10.9 (outside)

Monitoring Threat Detection for VPN Services

You can monitor threat detection for VPN services using syslog and show commands, as explained in the following topics.

Syslog Monitoring for Threat Detection VPN Services

You might see the following syslog messages related to these services:

  • %ASA-6-733200: Threat-detection Info: message

    This message reports general informational events for threat detection.

  • %ASA-4-733201: Threat-detection: Service[service] Peer[peer]: threshold of threshold-value was exceeded. Adding shun to interface interface. Additional_message

    This message shows that the threat detection service shunned an IP address due to suspicious activity for the specified service. The message might contain additional information. For example, for RA VPN client initiation attempts, the additional information might be “SSL (or IKEv2): RA excessive client initiation requests.”

    You can see the list of shunned hosts using the show shun command. If you know the IP address is not an attacker, you can remove the shun using the no shun command.

Show Command Monitoring for Threat Detection for VPN Services

To display statistics for threat detection VPN services, use the following command:

show threat-detection service[ service] [ entries| details]

You can optionally limit the view to a particular service (remote-access-authentication , remote-access-client-initiations , or invalid-vpn-access ). You can limit the view further by adding these parameters:

  • entries —Display only the entries being tracked. For example, the IP addresses that have had failed authentication attempts.

  • details —Display both service details and service entries.

Based on selected options, the display output shows the following:

  • The name of the service

  • The state of the service: enabled or disabled

  • The service hold-down setting

  • The service threshold setting

  • Service action statistics

    • Failed—A failure occurrence when processing the reported occurrence.

    • Blocking—The reported occurrence is within the hold-down period and the threshold was met or exceeded. As a result, the service automatically installed a shun to block the mischievous peer.

    • Recording—The reported occurrence is outside of the hold-down period, or the threshold was met or exceeded. As a result, the service will record the occurrence.

    • Unsupported—The reported occurrence does not currently support automatic shunning.

    • Disabled—An occurrence was reported; but the service has been disabled.

Examples

The following example shows that all services are enabled, and potential attackers are being tracked for the remote-access-authentication service. 


ciscoasa# show threat-detection service
Service: invalid-vpn-access
    State     : Enabled
    Hold-down : 1 minutes
    Threshold : 1
    Stats:
        failed      :          0
        blocking    :          0
        recording   :          0
        unsupported :          0
        disabled    :          0
    Total entries: 0
Service: remote-access-authentication
    State     : Enabled
    Hold-down : 10 minutes
    Threshold : 20
    Stats:
        failed      :          0
        blocking    :          1
        recording   :          4
        unsupported :          0
        disabled    :          0
    Total entries: 3
Name: remote-access-client-initiations
    State     : Enabled
    Hold-down : 10 minutes
    Threshold : 20
    Stats:
        failed      :          0
        blocking    :          0
        recording   :          0
        unsupported :          0
        disabled    :          0
    Total entries: 0

The following is an example of the show threat-detection service entries command. 


ciscoasa# show threat-detection service remote-access-authentication entries
Service: remote-access-authentication
    Total entries: 2

Idx Source              Interface            Count          Age        Hold-down
--- ------------------- -------------------- -------------- ---------- ---------
  1 192.168.100.101/ 32              outside              1        721         0
  2 192.168.100.102/ 32              outside              2        486       114
Total number of IPv4 entries: 2

NOTE: Age is in seconds since last reported. Hold-down is in seconds remaining.

The following is an example of the show threat-detection service details command. 


ciscoasa# show threat-detection service remote-access-authentication details
Service: remote-access-authentication
    State     : Enabled
    Hold-down : 10 minutes
    Threshold : 20
    Stats:
        failed      :          0
        blocking    :          1
        recording   :          4
        unsupported :          0
        disabled    :          0
     Total entries: 2

Idx Source              Interface            Count          Age        Hold-down
--- ------------------- -------------------- -------------- ---------- ---------
  1 192.168.100.101/ 32              outside              1        721         0
  2 192.168.100.102/ 32              outside              2        486       114
Total number of IPv4 entries: 2

NOTE: Age is in seconds since last reported. Hold-down is in seconds remaining.

Removing Shuns Applied for VPN Service Violations

You can monitor shuns applied for VPN services, and remove shuns, using the following commands. Note that shuns applied by threat detection for VPN services do not appear in the show threat-detection shun command, which applies to scanning threat detection only.

  • show shun[ ip_address]

    Shows shunned hosts, including those shunned automatically by threat detection for VPN services, or manually using the shun command. You can optionally limit the view to a specified IP address.

  • no shun ip_address[ interface if_name]

    Removes the shun from the specified IP address only. You can optionally specify the interface name for the shun, if the address is shunned on more than one interface and you want to leave the shun in place on some interfaces.

  • clear shun

    Removes the shun from all IP addresses.

Examples for Threat Detection

The following example configures basic threat detection statistics, and changes the DoS attack rate settings. All advanced threat detection statistics are enabled, with the host statistics number of rate intervals lowered to 2. The TCP Intercept rate interval is also customized. Scanning threat detection is enabled with automatic shunning for all addresses except 10.1.1.0/24. The scanning threat rate intervals are customized. 


threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection statistics
threat-detection statistics host number-of-rate 2
threat-detection statistics tcp-intercept rate-interval 60 burst-rate 800 average-rate 600
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20

History for Threat Detection

Feature Name

Platform Releases

Description

Basic and advanced threat detection statistics, scanning threat detection

8.0(2)

Basic and advanced threat detection statistics, scanning threat detection was introduced.

The following commands were introduced: threat-detection basic-threat, threat-detection rate, show threat-detection rate, clear threat-detection rate, threat-detection statistics, show threat-detection statistics, threat-detection scanning-threat, threat-detection rate scanning-threat, show threat-detection scanning-threat, show threat-detection shun, clear threat-detection shun.

Shun duration

8.0(4)/8.1(2)

You can now set the shun duration,

The following command was introduced: threat-detection scanning-threat shun duration.

TCP Intercept statistics

8.0(4)/8.1(2)

TCP Intercept statistics were introduced.

The following commands were modified or introduced: threat-detection statistics tcp-intercept, show threat-detection statistics top tcp-intercept, clear threat-detection statistics.

Customize host statistics rate intervals

8.1(2)

You can now customize the number of rate intervals for which statistics are collected. The default number of rates was changed from 3 to 1.

The following command was modified: threat-detection statistics host number-of-rates.

Burst rate interval changed to 1/30th of the average rate.

8.2(1)

In earlier releases, the burst rate interval was 1/60th of the average rate. To maximize memory usage, the sampling interval was reduced to 30 times during the average rate.

Customize port and protocol statistics rate intervals

8.3(1)

You can now customize the number of rate intervals for which statistics are collected. The default number of rates was changed from 3 to 1.

The following commands were modified: threat-detection statistics port number-of-rates, threat-detection statistics protocol number-of-rates.

Improved memory usage

8.3(1)

The memory usage for threat detection was improved.

The following command was introduced: show threat-detection memory.

Threat Detection for VPN services

9.20(3)

You can configure threat detection for VPN services to protect against the following types of VPN attack from IPv4 addresses:

  • Excessive failed authentication attempts to a remote access VPN, for example brute-force username/password scanning.

  • Client initiation attacks, where the attacker starts but does not complete repeated connection attempts to a remote access VPN head-end from a single host.

  • Access attempts to invalid VPN services, that is, services that are for internal use only.

These attacks, even when unsuccessful in their attempt to gain access, can consume computational resources and in some cases result in Denial of Service.

The following commands were introduced or changed: clear threat-detection service , show threat-detection service , shun , threat-detection service .