shun
To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use the no form of this command.
shun source_ip [dest_ip source_port dest_port [protocol]] [vlan vlan_id | interface if_name]
no shun source_ip [vlan vlan_id | interface if_name]
Syntax Description
Parameter | Description
---|---
dest_port | (Optional) Specifies the destination port of a current connection that you want to drop when you place the shun on the source IP address.
dest_ip | (Optional) Specifies the destination address of a current connection that you want to drop when you place the shun on the source IP address.
interface if_name | (Optional) Specifies the interface on which to shun the source address.
protocol | (Optional) Specifies the IP protocol of a current connection that you want to drop when you place the shun on the source IP address, such as UDP or TCP. By default, the protocol is 0 (any protocol).
source_ip | Specifies the address of the attacking host. If you specify only the source IP address, all future connections from this address are dropped; current connections remain in place. To drop a current connection and also place the shun, specify the additional parameters of the connection. Note that the shun remains in place for all future connections from the source IP address, regardless of destination parameters.
source_port | (Optional) Specifies the source port of a current connection that you want to drop when you place the shun on the source IP address.
vlan vlan_id | (Optional) Specifies the VLAN ID where the source host resides.
Command Default
The default protocol is 0 (any protocol).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
---|---|---|---|---|---
Privileged EXEC | Yes | Yes | Yes | Yes | —
Command History
Release | Modification
---|---
7.0(1) | This command was added.
9.16(4), 9.20(3) | The interface keyword was added.
Usage Guidelines
The shun command lets you block connections from an attacking host. All future connections from the source IP address are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.
If you specify the destination address, source and destination ports, and the protocol, then you drop the matching connection as well as placing a shun on all future connections from the source IP address; all future connections are shunned, not just those that match these specific connection parameters.
If you do not specify a VLAN or an interface, the shun interface is determined by a route lookup for the shunned IP address.
You can only have one shun command per source IP address per interface.
Because the shun command is used to block attacks dynamically, it is not displayed in the ASA configuration.
Whenever an interface configuration is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.
Examples
The following example shows an offending host (10.1.1.27) making a TCP connection to the victim (10.2.2.89). The connection in the ASA connection table reads as follows:
10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP
Apply the shun command using the following options:
ciscoasa# shun 10.1.1.27 10.2.2.89 555 666 tcp
The command deletes the specific current connection from the ASA connection table and also prevents all future packets from 10.1.1.27 from going through the ASA.
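The behaviour described in the usage guidelines and the example above is easy to misread (only the named current connection is torn down, but every future connection from the source is blocked, on one interface, with one shun per source per interface). The following Python model, added here as an illustration and not Cisco code, replays the page's scenario against a constructed connection table and a constructed route table; the interface names, the second session from 10.1.1.27, and the `new_conn` and `remove_interface` helpers are assumptions for the model.

```python
"""Model of Cisco ASA ``shun`` semantics (constructed illustration, not ASA code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp", "udp", ...


class Asa:
    def __init__(self, routes):
        # routes: constructed {prefix: interface} table standing in for the ASA
        # routing table consulted when shun is given no vlan/interface
        self.routes = {ipaddress.ip_network(p): ifc for p, ifc in routes.items()}
        self.conns = set()   # current connection table
        self.shuns = set()   # (src_ip, interface) pairs currently shunned
        self.log = []        # what the ASA would log for dropped traffic

    def route_lookup(self, ip):
        """Longest-prefix match; returns the interface the ASA would pick."""
        addr = ipaddress.ip_address(ip)
        matches = [(n.prefixlen, ifc) for n, ifc in self.routes.items() if addr in n]
        return max(matches)[1] if matches else None

    def shun(self, src_ip, dst_ip=None, src_port=None, dst_port=None, proto="0", interface=None):
        """Apply `shun`; returns the interface used, or None if a shun for this
        source IP already exists on that interface (one per IP per interface)."""
        ifc = interface or self.route_lookup(src_ip)
        if (src_ip, ifc) in self.shuns:
            return None
        self.shuns.add((src_ip, ifc))
        if dst_ip is not None:
            # Tear down only the one matching current connection; proto "0" = any.
            # Every other current connection from src_ip stays in the table.
            for c in list(self.conns):
                same_4tuple = (c.src_ip, c.dst_ip, c.src_port, c.dst_port) == (src_ip, dst_ip, src_port, dst_port)
                if same_4tuple and proto in ("0", c.proto):
                    self.conns.discard(c)
                    self.log.append(f"shun: dropped current connection {c}")
        return ifc

    def no_shun(self, src_ip, interface=None):
        """Remove the shun; returns True if one was present."""
        ifc = interface or self.route_lookup(src_ip)
        if (src_ip, ifc) in self.shuns:
            self.shuns.remove((src_ip, ifc))
            return True
        return False

    def new_conn(self, conn, ingress_if):
        """New connection attempt arriving on ingress_if; False means it was shunned."""
        if (conn.src_ip, ingress_if) in self.shuns:
            self.log.append(f"shun: blocked new connection {conn} on {ingress_if}")
            return False
        self.conns.add(conn)
        return True

    def remove_interface(self, ifc):
        """Removing an interface configuration also removes every shun attached to it."""
        self.shuns = {k for k in self.shuns if k[1] != ifc}


def demo():
    """Replays the page's example: shun 10.1.1.27 10.2.2.89 555 666 tcp."""
    asa = Asa({"10.1.1.0/24": "inside", "10.2.2.0/24": "dmz", "0.0.0.0/0": "outside"})
    attack = Conn("10.1.1.27", 555, "10.2.2.89", 666, "tcp")  # the page's connection
    other = Conn("10.1.1.27", 777, "10.3.3.3", 80, "tcp")     # constructed second session
    asa.conns.update({attack, other})
    result = {"interface": asa.shun("10.1.1.27", "10.2.2.89", 555, 666, "tcp")}
    result["attack_dropped"] = attack not in asa.conns     # named connection is gone
    result["other_kept"] = other in asa.conns              # other current conn remains
    result["new_to_victim"] = asa.new_conn(Conn("10.1.1.27", 600, "10.2.2.89", 80, "tcp"), "inside")
    result["new_elsewhere"] = asa.new_conn(Conn("10.1.1.27", 601, "203.0.113.5", 443, "udp"), "inside")
    result["duplicate"] = asa.shun("10.1.1.27")            # second shun on same IP/interface
    result["removed"] = asa.no_shun("10.1.1.27")
    result["after_removal"] = asa.new_conn(Conn("10.1.1.27", 602, "10.2.2.89", 80, "tcp"), "inside")
    result["log_entries"] = len(asa.log)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model resolves the interface with a longest-prefix route lookup when none is given, mirroring the guideline that the shun interface comes from a route lookup for the shunned address, and `remove_interface` mirrors the guideline that shuns disappear with the interface they are attached to.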