The shun command enables a dynamic response to an attacking host by dropping any defined connections and preventing new connections. An administrator or a Cisco Secure IDS device can instruct the PIX Firewall to shun the source of traffic when that source is considered malicious. The shun command-blocking function is applied whether or not a connection with the specified host address is currently active. Because the shun command is used dynamically to block attacks, it isn’t displayed in your configuration. The syntax is as follows:
Pix(config)# shun src_ip [dest_ip src_port dest_port [protocol]]
Pix(config)# no shun src_ip [dest_ip src_port dest_port [protocol]]
The show shun command lists any shunning underway, while the show shun statistics command shows the interfaces, the number of packets blocked, and how long shunning has been on.
If the shun command is used with only the source IP address, no further traffic from the offending host is allowed. The following show shun output shows that the other values (destination address and ports) default to 0. Notice that the PIX knew the address to be shunned was on the inside interface.
Pix(config)# shun 192.168.1.10
Shun 192.168.1.10 successful
Pix(config)# show shun
Shun 192.168.1.10 0.0.0.0 0 0
Pix(config)# show shun statistics
outside=OFF, cnt=0
inside=ON, cnt=0
dmz=OFF, cnt=0
intf3=OFF, cnt=0
Shun 192.168.1.10 cnt=42, time=(0:05:52)
Pix(config)#
Shunning statistics are also available from PDM. The clear shun statistics command clears the counts, while clear shun removes all shunning.
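Because an active shun never appears in the configuration, a monitoring script that parses show shun and show shun statistics is a practical way to keep track of what is currently being blocked. The following Python parser is an added example, not code from the book or from Cisco; the sample text is the output quoted above and the age threshold used in stale_shuns is an assumed operational value.

```python
import re
from dataclasses import dataclass
# Constructed sample input: the show shun / show shun statistics output quoted above.
SHOW_SHUN = "Shun 192.168.1.10 0.0.0.0 0 0\n"
SHOW_SHUN_STATS = """outside=OFF, cnt=0
inside=ON, cnt=0
dmz=OFF, cnt=0
intf3=OFF, cnt=0
Shun 192.168.1.10 cnt=42, time=(0:05:52)
"""
@dataclass
class ShunEntry:  # one line of 'show shun'; 0.0.0.0 / 0 mean "any" (source-only shun)
    src_ip: str
    dest_ip: str
    src_port: int
    dest_port: int

@dataclass
class ShunStat:  # per-shun counters from 'show shun statistics'
    src_ip: str
    packets_blocked: int
    seconds_active: int

ENTRY_RE = re.compile(r"^Shun (\S+) (\S+) (\d+) (\d+)$")
IFACE_RE = re.compile(r"^(\S+)=(ON|OFF), cnt=(\d+)$")
STAT_RE = re.compile(r"^Shun (\S+) cnt=(\d+), time=\((\d+):(\d+):(\d+)\)$")

def parse_show_shun(text: str) -> list[ShunEntry]:
    """Return the active shuns listed by 'show shun'."""
    matches = (ENTRY_RE.match(l.strip()) for l in text.splitlines())
    return [ShunEntry(m[1], m[2], int(m[3]), int(m[4])) for m in matches if m]

def parse_shun_statistics(text: str) -> tuple[dict[str, dict], list[ShunStat]]:
    """Return ({interface: {shunning, packets_blocked}}, [ShunStat, ...])."""
    interfaces, stats = {}, []
    for line in text.splitlines():
        if m := IFACE_RE.match(line.strip()):
            interfaces[m[1]] = {"shunning": m[2] == "ON", "packets_blocked": int(m[3])}
        elif m := STAT_RE.match(line.strip()):
            h, mn, s = (int(x) for x in m.group(3, 4, 5))  # time=(h:mm:ss) -> seconds
            stats.append(ShunStat(m[1], int(m[2]), h * 3600 + mn * 60 + s))
    return interfaces, stats

def shunning_interfaces(interfaces: dict[str, dict]) -> list[str]:
    return sorted(n for n, v in interfaces.items() if v["shunning"])

def stale_shuns(stats: list[ShunStat], max_seconds: int) -> list[ShunStat]:
    """Shuns older than max_seconds: they live outside the config, so review or 'clear shun' them."""
    return [s for s in stats if s.seconds_active > max_seconds]
```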