[c-nsp] ASA/PIX shun "feature"

Laurent Geyer lgeyer at 085zehn.com
Fri Apr 7 17:33:47 EDT 2006


On 4/7/06, Jeff Kell <jeff-kell at utc.edu> wrote:
>
> Here's some food for thought, especially for anyone using "shun" as a
> perimeter defense.
>
> If you're being attacked by an IP, you apply a "shun" and no more traffic
> traverses a PIX/ASA with that source IP.  Or so I thought.


Right, the expected behavior is for the src IP address to be filtered
and the existing connections sourced from that host to be removed
from the connection table.

> In the process of moving our ASA boxes into production, I have discovered
> this is not the case.  Last night one of our IDS sensors picked up a traffic
> between some inside hosts and a botnet C&C host.  A specific signature was
> triggered and fired off a "shun" of the C&C host to the ASAs.
>
> Nothing happened.
>
> Well, not as expected.  No "new" connections were allowed from that host,
> but the existing connections were unscathed.  I am 99.9% certain that our
> PIX (6.3) blocked ALL subsequent traffic with the shunned IP as a source,
> as the sensors would abruptly stop capturing traffic in the middle of the
> session, which was good for security, a bit of a pain when trying to collect
> enough intel to track down the botnet.  This was not the case with the ASA (
> 7.1(1)).  The sensor continued to log traffic for hours, the ASA clearly
> showed the shun in place but with a zero hit count.
>
> CCO says (case 603337375) this is a "feature".  I say this is a "bug" if
> not an outright security threat.  What do you think?


Sounds bogus to me. Straight from the documentation: "shun - To enable a
dynamic response to an attacking host by preventing new connections and
disallowing packets from any existing connection, use the shun command in
privileged EXEC mode."

- Laurent
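The behaviour the thread argues about comes down to how a stateful firewall's fast path works: packets that match an existing connection-table entry are forwarded without consulting the shun list, so a shun that only adds a deny entry blocks new sessions while established ones keep flowing. The toy model below is an added illustration, not Cisco's code and not from either poster; the `Flow`/`StatefulFirewall` names, the connection-table semantics and the sample addresses are constructed assumptions. It contrasts a shun that only blocks new connections with one that also sweeps the connection table, which is what the quoted documentation describes.

```python
"""
Toy model of a stateful firewall's connection-table fast path.

Shows why a "shun" that only installs a deny entry leaves an already
established session alive, and what the documented behaviour (drop
packets of existing connections too) requires: a sweep of the table.
Constructed example; not Cisco ASA/PIX code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """5-tuple minus protocol; enough to key a connection-table entry."""
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class StatefulFirewall:
    conns: set = field(default_factory=set)     # established connections
    shunned: set = field(default_factory=set)   # hosts under shun
    hits: dict = field(default_factory=dict)    # shun hit counters

    def handle(self, f: Flow) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        # Fast path: a packet belonging to an existing connection is
        # forwarded without looking at the shun list at all.
        if f in self.conns:
            return True
        # Slow path: only new connections are checked against the shun list.
        if f.src in self.shunned or f.dst in self.shunned:
            self.hits[f.src] = self.hits.get(f.src, 0) + 1
            return False
        self.conns.add(f)
        return True

    def shun_new_only(self, host: str) -> None:
        """The observed behaviour: deny entry only, table left alone."""
        self.shunned.add(host)

    def shun(self, host: str) -> None:
        """The documented behaviour: deny entry plus connection-table sweep,
        so the host's existing sessions fall back onto the slow path and
        are dropped."""
        self.shunned.add(host)
        self.conns = {c for c in self.conns if host not in (c.src, c.dst)}


# Constructed sample addresses: an inside host talking to a C&C host.
INSIDE = "10.0.0.5"
CNC = "192.0.2.10"


def demo(sweep_table: bool) -> tuple[bool, int]:
    """Establish a session, shun the C&C host, then send one more packet
    on the established session. Returns (forwarded?, shun hit count)."""
    fw = StatefulFirewall()
    session = Flow(INSIDE, CNC, 40000, 6667)
    assert fw.handle(session)                     # session is established
    if sweep_table:
        fw.shun(CNC)
    else:
        fw.shun_new_only(CNC)
    forwarded = fw.handle(session)                # packet on existing session
    return forwarded, fw.hits.get(INSIDE, 0)


if __name__ == "__main__":
    print("deny entry only :", demo(sweep_table=False))
    print("with table sweep:", demo(sweep_table=True))
```

In the deny-entry-only case the packet on the established session is still forwarded and the shun's hit counter stays at zero, which matches the "shun in place but with a zero hit count" symptom described above; with the table sweep the same packet is dropped and counted. The practical check after applying a shun is therefore not just `show shun` but confirming that the host's entries are gone from the connection table.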

