Basic Threat Detection Overview

Using basic threat detection, the security appliance monitors the rate of dropped packets and security events due to the following reasons:

•Denial by access lists

•Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)

•Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)

•DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)

•Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)

•Suspicious ICMP packets detected

•Packets failed application inspection

•Interface overload

•Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)

•Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected

When the security appliance detects a threat, it immediately sends a system log message (733100).

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Configuring Basic Threat Detection

To configure basic threat detection, including enabling or disabling it and changing the default limits, perform the following steps:

Step 1 To enable basic threat detection (if you previously disabled it), enter the following command:

hostname(config)# threat-detection basic-threat

By default, this command enables detection for certain types of security events, including packet drops and incomplete session detections. You can override the default settings for each type of event if desired.

If an event rate is exceeded, then the security appliance sends a system message. The security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst rate interval is 1/60th of the average rate interval or 10 seconds, whichever is higher. For each received event, the security appliance checks the average and burst rate limits; if both rates are exceeded, then the security appliance sends two separate system messages, with a maximum of one message for each rate type per burst period.

To disable basic threat detection, enter the no threat-detection basic-threat command.

Step 2 (Optional) To change the default settings for one or more type of event, enter the following command:

hostname(config)# threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop |
dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat |
syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate

Click here for details