[c-nsp] ASA shun 'bug' acknowledged
Jeff Kell
jeff-kell at utc.edu
Thu May 4 11:14:39 EDT 2006
Christian Zeng wrote:
> I do not understand why Cisco acknowledged this as a bug, because the
> behavior of the ASA is documented.
>
> Only a fully qualified shun, including destination information etc., will
> drop existing connections. Subsequent connections to/from the shunned IP
> will be dropped, regardless of whether additional information is given to the
> shun command. Or did you see a different behavior?
Not exactly. From the command reference http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1138764:
>> The shun command allows you to apply a blocking function to the
>> interface receiving the attack. Packets containing the IP source
>> address of the attacking host are dropped and logged until the
>> blocking function is removed manually or by the Cisco IPS master
>> module. No traffic from the IP source address is allowed to traverse
>> the security appliance.
Note the last sentence.
This *was* the behavior of the shun command prior to 7.x on a PIX. Our previous 515E/6.x had no problems; the new ASA/7.x does. We have relied on this feature for bot mitigation: executing a shun on the bot C&C IP would stop communications between all infected hosts and the C&C server. But not now.
Jeff
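To make the discrepancy concrete, here is an added toy model (not Cisco code and not from this thread) of the two shun semantics discussed above: the documented behaviour, where every packet from the shunned source is dropped, and the behaviour reported on ASA 7.x, where an existing connection survives unless the shun is fully qualified. The firewall state machine, IP addresses and ports are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Shun:
    src: str
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.src == f.src and self.dst in (None, f.dst)
                and self.sport in (None, f.sport) and self.dport in (None, f.dport))

    def fully_qualified(self) -> bool:
        return None not in (self.dst, self.sport, self.dport)

@dataclass
class Firewall:
    semantics: str                      # "documented" or "observed" (assumed model)
    conns: set = field(default_factory=set)
    shuns: list = field(default_factory=list)

    def shun(self, s: Shun) -> None:
        self.shuns.append(s)
        # Documented: all traffic from the source is dropped, so established
        # flows die too. Observed (as reported in the thread): only a fully
        # qualified shun tears down an existing connection.
        if self.semantics == "documented" or s.fully_qualified():
            self.conns = {c for c in self.conns if not s.matches(c)}

    def packet(self, f: Flow) -> str:
        if f in self.conns and self.semantics == "observed":
            return "pass"               # established flow survives a source-only shun
        if any(s.matches(f) for s in self.shuns):
            return "drop"
        self.conns.add(f)               # new flow allowed and now tracked
        return "pass"

def cnc_shun_demo(semantics: str) -> dict:
    """Constructed scenario: a C&C host already talking to a bot, then a
    source-only shun on the C&C address; returns the verdict per packet."""
    fw = Firewall(semantics)
    cnc_to_bot = Flow("198.51.100.7", "192.0.2.10", 6667, 40001)  # constructed addresses
    fw.packet(cnc_to_bot)               # connection established before the shun
    fw.shun(Shun("198.51.100.7"))       # equivalent of "shun <cnc-ip>" with no qualifiers
    return {"existing": fw.packet(cnc_to_bot),
            "new": fw.packet(Flow("198.51.100.7", "192.0.2.11", 6667, 40002))}
```

Under the "observed" semantics the established C&C flow keeps passing after the shun, which is exactly the gap Jeff describes for bot mitigation; only a shun carrying destination and ports closes it.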