Cisco ASA 5510 Getting attacked, can't figure out how to stop it
Posted on 2013-02-06
Over the past few weeks, we have been getting reports of incoming calls on our SIP trunk not being able to connect. I think I finally narrowed it down and noticed that we seem to be getting attacked. My thoughts are that my ASA is being overloaded with bogus requests from port scanning attacks. When I dug into the ASA logs, I show thousands of denies from random IPs every hour. I have tried but can't seem to stop this attack. The port requests come in waves of 10 to 20 at a time. The scan will come from an IP address about 20 times and then come from a different IP. It's always a different address and most of the time a different port. Because it's so random, the basic threat detection doesn't seem to flag this as an attack.
Nothing ever seems to show up in the Cisco Shun List. Even when I force a port scan from a test website. How can I get my firewall to ignore the crap and let the good stuff in? The firewall is correctly denying all the bogus entries but I feel like that is causing the problem. I thought maybe changing the embryonic connection limits or max client connections would help. I changed the max embryonic connection to 10 but it didn't seem to help. How can I get this attack to stop or set up the ASA to just ignore the crap?
Here is some of my config.
show running-config threat-detection
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 5 burst-rate 10
threat-detection scanning-threat shun
no threat-detection statistics tcp-intercept
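An added example, not from the original post, for sizing this from the ASA's own syslog before touching the config: it parses %ASA-4-106023 deny lines (sample lines are constructed inside the script), applies the same per-host rate test the scanning-threat feature uses with the thresholds shown above (average-rate 5 and burst-rate 10 over a 600 s interval; the burst window is approximated as 10 s, the ASA minimum), and shows why sources that each send about 20 probes never cross a per-host threshold while the aggregate deny rate is what the firewall actually absorbs. The log layout, host name and addresses are assumptions.

```python
"""Offline triage of Cisco ASA 106023 deny lines (sample data is constructed below). Applies the
per-host rate test the ASA uses for scanning-threat detection and contrasts it with the aggregate rate."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)[^%]*%ASA-4-106023: Deny \w+ "
                     r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:[\d.]+/(?P<dport>\d+)")
LINE = ('{:%b %d %Y %H:%M:%S} asa1 : %ASA-4-106023: Deny tcp src outside:{}/{} '
        'dst inside:203.0.113.5/{} by access-group "outside_access_in" [0x0, 0x0]')

def parse_denies(lines):
    """Return [(epoch_seconds, src_ip, dst_port)] for each 106023 deny line; other lines are skipped."""
    out = []
    for m in filter(None, map(DENY_RE.match, lines)):
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").timestamp()
        out.append((int(ts), m["src"], int(m["dport"])))
    return out

def source_stats(events, rate_interval=600, burst_window=10):
    """Per source: hits, distinct ports, avg events/sec over rate_interval, peak events/sec in a burst_window."""
    by_src = defaultdict(list)
    for secs, src, dport in events:
        by_src[src].append((secs, dport))
    stats = {}
    for src, hits in by_src.items():
        times = [t for t, _ in hits]
        peak = max(sum(1 for t in times if start <= t < start + burst_window) for start in times)
        stats[src] = {"hits": len(hits), "ports": len({p for _, p in hits}),
                      "avg_rate": len(hits) / rate_interval, "burst_rate": peak / burst_window}
    return stats

def flagged(stats, average_rate=5, burst_rate=10):
    """Sources crossing the per-host thresholds (defaults are the values in the post's config)."""
    return sorted(s for s, v in stats.items() if v["avg_rate"] > average_rate or v["burst_rate"] > burst_rate)

def aggregate_rate(events, rate_interval=600):
    """Drops/sec across all sources: the load the box absorbs even when no single host is flagged."""
    return len(events) / rate_interval

def sample_lines():
    """Constructed log: six low-and-slow sources (20 denies each, new port per hit) plus one loud one."""
    base, lines = datetime(2013, 2, 6, 10, 0, 0), []
    for i in range(6):
        for j in range(20):  # one hit every 3 s, 20 hits, then the next source takes over
            lines.append(LINE.format(base + timedelta(seconds=i * 90 + j * 3),
                                     f"198.51.100.{i + 1}", 40000 + j, 1000 + (i * 37 + j * 11) % 5000))
    for k in range(150):  # 30 denies/sec for 5 s: this one does trip burst-rate 10
        lines.append(LINE.format(base + timedelta(seconds=540 + k // 30), "198.51.100.200", 40000 + k, 1000 + k))
    return lines
```

Run against a real export by replacing `sample_lines()` with the file's lines; sources listed by `flagged()` are the ones the ASA's own per-host thresholds would shun, and everything else is the background noise the post describes.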