
ASA 5506-X False SYN Attack

Steve Babcock
Level 1

ASA 5506-X running as ASA only 9.13.1

 

My Exchange server (192.168.1.5) is unable to connect to the 192.124.249.xxx addresses because of a perceived SYN Attack.

This is preventing my SSL certificates from working properly.

Is there any way to whitelist these external IP addresses? They are valid and part of GoDaddy's CRL list.

 

Here are the stats from: show threat-detection statistics top

 

<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)>
--------------------------------------------------------------------------------
1 123.123.123.101:443 outside 0 0 19 216.211.109.235 (0 secs ago)
2 192.124.249.36:80 inside_1 0 0 8 192.168.1.5 (3 mins ago)
3 192.124.249.41:80 inside_1 0 0 8 192.168.1.5 (2 mins ago)
4 192.124.249.22:80 inside_1 0 0 5 192.168.1.5 (4 mins ago)
5 192.124.249.23:80 inside_1 0 0 4 192.168.1.5 (3 mins ago)
6 192.124.249.24:80 inside_1 0 0 4 192.168.1.5 (3 mins ago)
7 192.124.249.31:80 inside_1 0 0 4 192.168.1.5 (3 mins ago)

 

Any help would be greatly appreciated

 

Thanks,

 

Steve

1 Reply 1

Cristian Matei
VIP Alumni

Hi,

 

If the connection is successful, it should not show up as "SYN Attack"; if you want to exclude a host from being shunned, use the "threat-detection scanning-threat shun except" command. For more reference, look at this example:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

 

Regards,

Cristian Matei.
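
An added example, not from the thread or from Cisco: a Python parser for the "show threat-detection statistics top" rows posted in the question. It groups flagged servers by source IP to show which internal hosts are being counted as attackers, then renders an exemption in the command form the reply names. The "ip-address <ip> <mask>" argument form and the choice to exempt private-range sources are assumptions; the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: header plus the rows posted in the question.
SAMPLE = """\
<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)>
1 123.123.123.101:443 outside 0 0 19 216.211.109.235 (0 secs ago)
2 192.124.249.36:80 inside_1 0 0 8 192.168.1.5 (3 mins ago)
3 192.124.249.41:80 inside_1 0 0 8 192.168.1.5 (2 mins ago)
4 192.124.249.22:80 inside_1 0 0 5 192.168.1.5 (4 mins ago)
5 192.124.249.23:80 inside_1 0 0 4 192.168.1.5 (3 mins ago)
6 192.124.249.24:80 inside_1 0 0 4 192.168.1.5 (3 mins ago)
7 192.124.249.31:80 inside_1 0 0 4 192.168.1.5 (3 mins ago)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"^\s*\d+\s+(?P<server>{IP}):(?P<port>\d+)\s+(?P<iface>\S+)\s+\d+\s+\d+\s+"
    rf"(?P<total>\d+)\s+(?P<source>{IP})\s+\((?P<last>[^)]*)\)\s*$"
)

def parse_rows(text):
    """Return one dict per data row; header and separator lines do not match."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def summarize_by_source(rows):
    """Group flagged servers and sum the Total column per source IP."""
    summary = defaultdict(lambda: {"servers": set(), "total": 0})
    for r in rows:
        summary[r["source"]]["servers"].add(f'{r["server"]}:{r["port"]}')
        summary[r["source"]]["total"] += int(r["total"])
    return dict(summary)

def internal_sources(summary):
    """Sources in private address space: your own hosts counted as attackers."""
    return sorted(s for s in summary if ipaddress.ip_address(s).is_private)

def shun_except_lines(sources):
    """Assumption: these hosts were reviewed and should be exempt from shunning."""
    return [f"threat-detection scanning-threat shun except ip-address {s} 255.255.255.255"
            for s in sources]

if __name__ == "__main__":
    summary = summarize_by_source(parse_rows(SAMPLE))
    for src, info in summary.items():
        print(src, info["total"], sorted(info["servers"]))
    print("\n".join(shun_except_lines(internal_sources(summary))))
```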
