Attacks that simply overload the ASA

The_Gatsu — Tue, 12 Mar 2019 01:40:24 GMT

We have an ASA 5505 and we keep getting short bursts of ICMP packets (5000 in one second) They will do this and it just simply overloads the ASA and it crashes.

Is this since it is 1000 past the 4000 connections per second capacity of the ASA 5505 or do we have a setting wrong some place that could prevent this type of overload from happening?

We are looking to prevent DoS and other attacks that prevent even a short loss of connection since the servers are getting attacked daily and we have voice streaming on through the ASA.

Result of the command: "show running-config"

ASA Version 8.3(1)

firewall transparent

hostname XXXXXXXXXXXX

domain-name XXXXXXXXXXXX.com

enable password XXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXX encrypted

names

interface Vlan1

nameif outside

security-level 0

interface Vlan2

nameif inside

security-level 100

interface Ethernet0/0

interface Ethernet0/1

switchport access vlan 2

interface Ethernet0/2

switchport access vlan 2

interface Ethernet0/3

switchport access vlan 2

interface Ethernet0/4

switchport access vlan 2

interface Ethernet0/5

switchport access vlan 2

interface Ethernet0/6

switchport access vlan 2

interface Ethernet0/7

switchport access vlan 2

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server XXX.XXX.XXX

domain-name privatedns.com

object network XXX.XXX.XXX

host XXX.XXX.XXX

object network server2

host XXX.XXX.XXX

object network server1

host XXX.XXX.XXX

object-group network www_servers

description Serveurs web

network-object host XXX.XXX.XXX

network-object object XXX.XXX.XXX

object-group service www_srv tcp

description les services www tcp

port-object eq ftp

port-object eq ssh

port-object eq www

port-object eq https

port-object eq 3389

object-group service www_srv_udp udp

description les services udp

port-object eq 3389

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_1

network-object host XXX.XXX.XXX

object-group icmp-type DM_INLINE_ICMP_1

icmp-object traceroute

icmp-object echo

object-group network Whitelist

description Allowed External Hosts

network-object host XXX.XXX.XXX.XXX

network-object object 2server

network-object object 1server

access-list outside_in extended permit ip object-group Whitelist object-group www_servers

access-list outside_in extended permit icmp host XXX.XXX.XXX.XXX any

access-list outside_in extended permit icmp any object-group www_servers object-group DM_INLINE_ICMP_1

access-list outside_in extended permit tcp any object-group www_servers eq imap4

access-list outside_in extended permit tcp any object-group www_servers eq 465

access-list outside_in extended permit tcp any object-group www_servers eq 587

access-list outside_in extended permit tcp any object-group www_servers eq 993

access-list outside_in extended permit tcp any object-group www_servers eq 995

access-list outside_in extended permit tcp any object-group www_servers eq 2021

access-list outside_in extended permit tcp any object-group www_servers eq 52258

access-list outside_in extended permit tcp any object-group www_servers eq 21111

access-list outside_in extended permit tcp any object-group www_servers eq 31133

access-list outside_in extended permit tcp any object-group www_servers eq 8290

access-list outside_in extended permit tcp any object-group www_servers eq 8191

access-list outside_in extended permit tcp any object-group www_servers eq 8221

access-list outside_in extended permit tcp any object-group www_servers range 5000 5100

access-list outside_in extended permit tcp any object-group www_servers eq 2238

access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 62338 64838

access-list outside_in extended permit tcp any object-group www_servers eq 41234

access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 7000 7500

access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 20 21

access-list outside_in extended permit object-group TCPUDP any object-group www_servers range 9000 9500

access-list outside_in remark switch

access-list outside_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_1 host 224.0.0.2 eq 1985

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list global_mpc extended permit ip object-group Whitelist any

pager lines 24

logging enable

logging list e-mail-notification level critical

logging list e-mail-notification message 713050

logging list e-mail-notification message 611101-611102

logging buffered warnings

logging asdm warnings

logging mail emergencies

logging from-address email1@email.com

logging recipient-address email1@email.com level warnings

logging recipient-address email2@email.com level emergencies

logging message 733102 level emergencies

logging message 733100 level emergencies

mtu outside 1500

mtu inside 1500

ip address XXX.XXX.XXX.XXX 255.255.255.224

ip audit name Attack attack action alarm drop

ip audit interface outside Attack

ip audit attack action alarm drop

icmp unreachable rate-limit 1 burst-size 1

icmp permit host XXX.XXX.XXX.XXX echo outside

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

access-group outside_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh scopy enable

ssh timeout 1

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address XX.XX.XXX.XXX 255.255.255.255

threat-detection scanning-threat shun duration 3600

threat-detection statistics host number-of-rate 3

threat-detection statistics port number-of-rate 3

threat-detection statistics protocol number-of-rate 3

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server XXX.XXX.XXX.XXX source outside prefer

class-map global-class

description Flooding

match any

class-map global-class1

match access-list global_mpc

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global-policy

description Flooding

class global-class1

set connection advanced-options tcp-state-bypass

class global-class

set connection embryonic-conn-max 100 per-client-max 30 per-client-embryonic-max 10

policy-map flood

service-policy global-policy global

smtp-server XXX.XXX.XXX

prompt hostname context

hpm topN enable

Cryptochecksum:394907dc0408efcd8628b56dd2464b65

: end

Attacks that simply overload the ASA

Rudy Sanjoko — Wed, 08 May 2013 07:50:09 GMT

If it's only icmp packet, you can try adding following commands:

icmp permit any unreachable outside

icmp deny any outside

so it will only allow ping/icmp packet from host x.x.x.x and deny the rest.

Attacks that simply overload the ASA

Julio Carvajal — Wed, 08 May 2013 16:37:48 GMT

Hello ,

I would actually recommend you to go to your ISP and explain them what is going on so they can avoid that traffic to waste your bandwith,

Regards,

Julio Carvajal

topic Attacks that simply overload the ASA in Network Security

Attacks that simply overload the ASA

Attacks that simply overload the ASA

Attacks that simply overload the ASA