Sometimes a malicious host is able to open connections into the protected network. This can happen when the inbound access list policies are not configured correctly or tightly enough. As soon as such connections are noticed (after they have been built), you might want to react by blocking any connection coming from the malicious source address.
To do this, you could edit the access list each time a new attack source is discovered. That would deny future connections, but the xlate entries would also have to be cleared to drop the existing ones, and the whole process would quickly become an administrative burden.
A more efficient alternative is the shun command. When a shun is activated, all future connections from the malicious host are blocked, and an existing connection can be dropped as well if it is identified when the shun is created.
Connections are shunned regardless of the
Shuns can be configured through the firewall command-line interface (CLI) or through an automatic action from a Cisco Intrusion Prevention System (IPS) sensor or an integrated feature such as Threat Detection. After shuns are configured, they remain in place until they are removed.
Shuns are dynamic in nature and are not stored as part of the firewall configuration. If the firewall loses power or reloads, any active shuns are lost. Shuns are also not maintained across a failover firewall pair: if the units fail over, any active shuns are lost.
You can use the following steps to configure a shun:
ASA, FWSM: Firewall# shun src_ip [dst_ip sport dport [protocol]] [vlan_id]
PIX 6.3:   Firewall# shun src_ip [dst_ip sport dport [protocol]]
Given only a source address src_ip, the shun blocks any new connections (of any IP protocol) passing through the firewall that originate from that address. This is most useful for stopping an attack in progress from one source toward many destinations. Connections that already exist stay up, however: they must idle out of the xlate and conn tables normally, or you can clear the related xlate entries to kill them manually.
To drop a specific existing connection as well, also identify the destination address dst_ip, the source and destination ports sport and dport, and the protocol. The matching connection is torn down immediately, and all future connections from src_ip remain blocked until the shun is later removed. You can define only one shun entry per source and destination address pair.
Firewall# show shun [src_ip]
All active shuns are listed. If a specific source address src_ip is given, only shuns involving that address are shown.
As an example, the following output displays the shuns that are currently active. The source interface is automatically determined and shown in parentheses.
Firewall# show shun
shun (outside) 172.21.104.93 0.0.0.0 0 0
shun (outside) 172.21.196.50 0.0.0.0 0 0
Note that a shun is not limited to outside hosts; it can be applied to a host located on any interface. In the full output for this example, one of the shunned addresses belongs to an inside host that was playing the role of the malicious user, attacking hosts on the outside of the firewall.
You can monitor the activity of each active shun with the show shun statistics command. Each firewall interface is listed along with its current shun activity. The firewall consults its routing information to determine the interfaces behind which shunned source addresses can be found; those interfaces are shown as "ON", together with a cumulative count of shunned connections on each.
Each configured shun is then listed with its source address, a cumulative count of shunned connections (cnt), and the total elapsed time since the shun was enabled, in hours:minutes:seconds.
For example, the following firewall is configured with a long list of shuns. The outside interface, where malicious hosts on the public Internet were discovered, has had 17,184,951 shunned connections; the inside interface has had even more. In this case, a number of inside hosts were found to be compromised and participating in malicious activity toward the outside network. Until these hosts can be cleaned, they have been "quarantined" through firewall shuns.
Firewall# show shun statistics
Shun 172.21.96.89 cnt=32502918, time=(112:04:34)
Shun 172.21.61.83 cnt=0, time=(112:04:32)
Shun 172.21.24.79 cnt=0, time=(112:04:35)
Shun 172.21.108.68 cnt=0, time=(112:04:35)
Shun 192.168.93.16 cnt=0, time=(112:04:34)
Shun 172.21.184.106 cnt=21277328, time=(112:04:33)
Shun 192.168.97.9 cnt=0, time=(112:04:34)
Shun 172.21.184.107 cnt=21264263, time=(112:04:33)
Shun 192.168.228.11 cnt=0, time=(243:35:21)
Shun 192.168.228.12 cnt=0, time=(243:35:18)
Shun 192.168.228.13 cnt=0, time=(243:35:16)
Shun 172.21.184.108 cnt=21311395, time=(112:04:33)
Shun 192.168.228.14 cnt=0, time=(243:35:12)
Shun 192.168.228.15 cnt=0, time=(243:35:10)
Shun 172.21.72.99 cnt=334699, time=(112:04:34)
To avoid sifting through a long list of shun statistics to find a single source address, you can filter the output through the include or grep commands. In this example, only the shun for source address 172.21.72.99 is wanted. At the time of the filtered command it has blocked 334,699 packets and has been active for 112 hours, 13 minutes, and 19 seconds:
Firewall# show shun statistics | include 172.21.72.99
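Filtering with include or grep works for one address at a time, but a large shun table usually needs a wider review: which shuns are actually doing work, which have counted nothing for days (a stale shun on a cleaned host, or one that was applied on the wrong address), and what to type to remove them. The following script is an added example, not part of the original article or of any Cisco tool, and has nothing to do with the book's own material beyond its output format. It parses the show shun statistics output shown above into structured records, looks up a single address without grep, ranks shuns by count, flags long-running shuns with a zero count, and generates the matching no shun commands for review. The interface summary lines at the top of the sample are constructed to match the format the text describes (interface name, ON or OFF, cumulative count); the cutoff of 24 hours for calling a shun idle is an assumption chosen for the example.

```python
import re
from dataclasses import dataclass

# Regular expressions for the two kinds of lines in "show shun statistics":
#   outside=ON, cnt=17184951                      (one line per interface)
#   Shun 172.21.72.99 cnt=334699, time=(112:04:34) (one line per shun)
IFACE_RE = re.compile(r"^(\S+)=(ON|OFF), cnt=(\d+)$")
SHUN_RE = re.compile(r"^Shun (\S+) cnt=(\d+), time=\((\d+):(\d{2}):(\d{2})\)$")

# Constructed sample: the shun lines are those from the article; the interface
# lines are made up to match the format the text describes (assumption).
SAMPLE_OUTPUT = """\
outside=ON, cnt=17184951
inside=ON, cnt=96690603
dmz=OFF, cnt=0
Shun 172.21.96.89 cnt=32502918, time=(112:04:34)
Shun 172.21.61.83 cnt=0, time=(112:04:32)
Shun 172.21.24.79 cnt=0, time=(112:04:35)
Shun 172.21.108.68 cnt=0, time=(112:04:35)
Shun 192.168.93.16 cnt=0, time=(112:04:34)
Shun 172.21.184.106 cnt=21277328, time=(112:04:33)
Shun 192.168.97.9 cnt=0, time=(112:04:34)
Shun 172.21.184.107 cnt=21264263, time=(112:04:33)
Shun 192.168.228.11 cnt=0, time=(243:35:21)
Shun 192.168.228.12 cnt=0, time=(243:35:18)
Shun 192.168.228.13 cnt=0, time=(243:35:16)
Shun 172.21.184.108 cnt=21311395, time=(112:04:33)
Shun 192.168.228.14 cnt=0, time=(243:35:12)
Shun 192.168.228.15 cnt=0, time=(243:35:10)
Shun 172.21.72.99 cnt=334699, time=(112:04:34)
"""


@dataclass
class ShunEntry:
    src_ip: str
    count: int      # cumulative shunned count reported as cnt=
    elapsed: int    # seconds since the shun was enabled (from time=(h:mm:ss))


def parse_shun_statistics(text):
    """Return ({iface: (is_on, count)}, [ShunEntry, ...]) from CLI output."""
    interfaces = {}
    shuns = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SHUN_RE.match(line)
        if m:
            hours, minutes, seconds = (int(x) for x in m.group(3, 4, 5))
            shuns.append(ShunEntry(m.group(1), int(m.group(2)),
                                   hours * 3600 + minutes * 60 + seconds))
            continue
        m = IFACE_RE.match(line)
        if m:
            interfaces[m.group(1)] = (m.group(2) == "ON", int(m.group(3)))
        # Any other line (prompt, banner) is ignored.
    return interfaces, shuns


def find_shun(shuns, src_ip):
    """Equivalent of '| include src_ip', but as a structured record (or None)."""
    for entry in shuns:
        if entry.src_ip == src_ip:
            return entry
    return None


def top_shuns(shuns, n=3):
    """The n shuns that have blocked the most traffic, busiest first."""
    return sorted(shuns, key=lambda e: e.count, reverse=True)[:n]


def idle_shuns(shuns, min_hours=24):
    """Shuns that have counted nothing yet have been active at least min_hours.

    These are candidates for review: the host may already be cleaned, or the
    shun may be on an address the attacker never reused. 24h is an assumption.
    """
    return [e for e in shuns if e.count == 0 and e.elapsed >= min_hours * 3600]


def removal_commands(entries):
    """Generate the 'no shun src_ip' lines an operator would paste into the CLI."""
    return ["no shun " + e.src_ip for e in entries]


if __name__ == "__main__":
    ifaces, table = parse_shun_statistics(SAMPLE_OUTPUT)
    for name, (is_on, count) in ifaces.items():
        print(f"{name}: {'ON' if is_on else 'OFF'} cnt={count}")
    for e in top_shuns(table):
        print(f"busy  {e.src_ip:16} cnt={e.count} elapsed={e.elapsed}s")
    stale = idle_shuns(table, min_hours=200)
    for cmd in removal_commands(stale):
        print("review:", cmd)
```

The elapsed time is converted to seconds so that shuns can be compared or aged regardless of how many hours the firewall prints; the idle check deliberately combines a zero count with a long elapsed time, since a fresh shun with cnt=0 is simply one that has not been tested yet.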
You can remove an existing shun for a specific source address with the following global configuration command:
Firewall(config)# no shun src_ip
Printed with permission from Cisco Press. Copyright 2007. Cisco ASA, PIX, and FWSM Firewall Handbook by Dan Hucaby. For more information about this title and other similar books, please visit www.ciscopress.com.
This was first published in September 2007