topic Hi. in Network Security

High CPU utilization during Flooding test

Machi Ma — Tue, 12 Mar 2019 08:42:23 GMT

Hello,

I have one 5555-X firewall. Usually the CPU usage is around 25%. Recently just done using TCP flooding test. Which is simply using hping3 to produce TCP flooding forward to firewall inside interface

When initiated attack traffic I noticed very high packet drop on inside and interface and a huge spike in ACL drops. The ACL drop was due to invalid TCP packet being used in attack traffic. Keep to find log from firewall syslog

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44704 to 2.2.2.2/0

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44781 to 2.2.2.2/0

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44908 to 2.2.2.2/0

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44926 to 2.2.2.2/0

The ASA like was bombarded with high packets/sec which results in packets not being processed at the rate at which they arrive resulting in packet drop and high CPU.

Also each of the received packet by processed by CPU and discarded which again adds up to CPU spike.

That's I guess it is a reason for spike in CPU when small size and high packet rate attack. Also, during the testing I found the CPU usage raised to around 70%.

Most surprise is that why such high performance firewall will comes with worse result.

Could you please advise is it expected result? and how can improve the protection at ASA?

Thanks!

Hi.

AllertGen — Mon, 26 Dec 2016 11:36:29 GMT

Hi.

It highly depends on the level of the packet rate. What packet rate was at your test?

Just for information: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html

Look at the "New connections per second" line.

Best Regards.

Hello,

Machi Ma — Mon, 26 Dec 2016 15:28:19 GMT

Hello,

I saw the max incoming traffic is around 29,000 pkts/sec which I think is reach to limit of 30,000 by spec show.

However, is it CPU really high impact when over or near to limit it can handle?

Anything I can do to improvement?

Thanks!

Hi.

AllertGen — Mon, 26 Dec 2016 15:46:03 GMT

Hi.

Yes, when you're reaching limit it rises CPU. So you can use CPU stats as a indirect information about hiting a limit (for example I saw 80% CPU load at the ASA 5515-X at the 1Gbit speed of the traffic).

All you can do for rising a limit is to change device to a better one or to buy one (two, tree or more) more and do a cluster with them (in active/active mode devices are reaching 70% of total bandwith of all devices).

Best Regards.