topic Re: Firepower 2100 with ASA software ( SYN Attack ) in Network Security

Firepower 2100 with ASA software ( SYN Attack )

Moneta82 — Tue, 24 Dec 2019 11:13:58 GMT

Hi guys,

I'm running a firepoower 2100 with asa image 9.12.2.

An interface of the firewall is connected to production network in a uncontrolled space. For this reason I was trying to check some sort of network attack on that interface to double check my production network security.

I was able to pass all my test except for a syn flood attack. During the attack my ASA get stuck on 100% CPU. The attack was tracked, the IP address of the attacker was shun, but the FW remain stuck at 100%.

My asa config is the following:

threat-detection basic-threat
threat-detection scanning-threat shun duration 240
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

class-map PROD-class-TCP
match access-list PROD_mpc

Policy-map PROD-policy-TCP
description TCP Intercept
class PROD-class-TCP
set connection embryonic-conn-max 20 per-client-embryonic-max 5

service-policy PROD-policy-TCP interface PROD

same-security-traffic permit inter-interface
access-list PROD_mpc extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.10.35

On my PROD NET I connect a Kali linux VM and I launched this command: hping3 -c 15000 -d 120 -S -w 64 -p 8080 --flood 192.168.10.35

Any advice?

Best regards

Raffaele

Re: Firepower 2100 with ASA software ( SYN Attack )

balaji.bandi — Tue, 24 Dec 2019 12:39:35 GMT

what is your KALI IP address. ?

here is the good document and verification, your config ok, but make sure Kali not in trusted device ?

https://integratingit.wordpress.com/2018/01/07/prevent-tcp-attacks-on-cisco-asa/

Also check with : is this process is same ?

show processes cpu-usage sorted non-zero

Re: Firepower 2100 with ASA software ( SYN Attack )

Moneta82 — Tue, 24 Dec 2019 13:52:22 GMT

@balaji.bandi wrote:
what is your KALI IP address. ?

here is the good document and verification, your config ok, but make sure Kali not in trusted device ?
https://integratingit.wordpress.com/2018/01/07/prevent-tcp-attacks-on-cisco-asa/

Also check with : is this process is same ?

show processes cpu-usage sorted non-zero

Hi Balaji,

thanks for the link, the configuration proposed is the pretty much the same of mine poste above.

My Kali Ip is 192.168.100.200 and I'm attaking the 192.168.10.35

and here the output reqested:

ciscoasa# show processes cpu-usage sorted non-zero
Hardware: FPR-2120
Cisco Adaptive Security Appliance Software Version 9.12(2)
ASLR enabled, text region aab8237000-aabca09c34
PC Thread 5Sec 1Min 5Min Process
- - 12.5% 7.1% 2.7% DATAPATH-6-1463
- - 12.4% 7.1% 2.7% DATAPATH-0-1457
- - 12.4% 7.1% 2.7% DATAPATH-7-1464
- - 12.4% 7.1% 2.7% DATAPATH-1-1458
- - 12.3% 7.1% 2.7% DATAPATH-4-1461
- - 12.3% 7.1% 2.7% DATAPATH-3-1460
- - 12.3% 7.1% 2.7% DATAPATH-2-1459
- - 12.3% 7.1% 2.7% DATAPATH-5-1462
0x000000aab95c0e30 0x000000ffeaf74280 0.4% 0.2% 0.1% CP Processing
0x000000aabaf58af0 0x000000ffeaf86ce0 0.3% 0.2% 0.1% Logger

show CPU give me 100 %

Re: Firepower 2100 with ASA software ( SYN Attack )

Moneta82 — Tue, 24 Dec 2019 15:46:45 GMT

A small update.

After several tests I realized that the configuration looks good. If on the Kali Vm I launch the command hping3 -c 15000 -d 120 -S -w 64 -p 8080 192.168.10.35 without "--flood" the ASA perfectly handle the exception and the embryonics connection. CPU run smooth and other traffic flow normally

The issue seems to be related to the flood commands that send several packets every second but I'm stunned that that kind of machine ( 2120 ) can't handle that kind of load. There's somenthing missing I hope.

Raffaele

Re: Firepower 2100 with ASA software ( SYN Attack )

balaji.bandi — Tue, 24 Dec 2019 16:54:57 GMT

as per my understanding, we use always

--flood = Sending packets as fast as possible, without taking care to show incoming replies. Flood mode.

this always used in my testing with random source, that means kali generates different IP address with SYN Attack. this more of stress test for web servers - same the way you do.

Re: Firepower 2100 with ASA software ( SYN Attack )

Moneta82 — Wed, 25 Dec 2019 17:35:18 GMT

A small update after few tests. The CPU stuck at 100% seems to be not due to neither the thread detection policy nor the TCP inspection.

I simply disabled the two check and block all the incoming traffic on the external interface with an ACL ( deny IP any any ).

Once issued the usual flood command on the kali machine placed on the external interface ( where the Deny IP any any is deployed ) the firewall CPU rised up to 100% and the firewall has stopped to work.

Someone can help me? I can't belive that it's so simple to have a DoS attack to this firewall.

Thanks

Re: Firepower 2100 with ASA software ( SYN Attack )

Moneta82 — Sun, 05 Jan 2020 09:19:26 GMT

I'm still stuck with this behaviour.

In the next few days, I'll have to open a TAC case I suppose to try to solve it before in production.

Any other input is really much appreciated.

Thanks

Re: Firepower 2100 with ASA software ( SYN Attack )

balaji.bandi — Sun, 05 Jan 2020 15:29:34 GMT

At this stage not much input I can provide, suggest to raise a TAC, they can have access to your Device and collect the information and suggest the solution.

Re: Firepower 2100 with ASA software ( SYN Attack )

Moneta82 — Thu, 09 Jan 2020 22:03:41 GMT

I had a TAC with a Cisco Engineer.

This firewall can't handle correctly this kind of attack. During the attack the CPU rise up to 100% due to a quantity of SYS packet even enabling the thread detection ( with shun ) or using a service-policy limiting the embryonic-connection.

Even with a "deny any any" ACL the firewall perform in this way because, as the engineer told me, not using the fast path but it's check each packet against the CPU, so many packets lead to high CPU use.

I'm quite disappointed because I can freeze a quite big machine with an old PC running a VM with kali but the no more thing to do.

Thanks anyway for the help