Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
401
Views
0
Helpful
2
Replies

ASASM failing caused by DoS from single PC

Florian Pressler
Level 1
Level 1

‎06-05-2014 02:59 AM - edited ‎03-11-2019 09:17 PM

Hi,

I recently had the case at one of my customers that the ASA Service Module in their coreswitch was making trouble. The symptoms were massive packet-loss for valid connections and also problems with high-availablity (the failover-cluster fell apart multiple times, with both modules being in the same chassis).

During troubleshooting, we found one (one!) PC in a segment which had a perl-script running. The script sent loads of small UDP-packets, as much as the PC could generate. This host was located inside and tried to send to internet - those packets were denied and also generated lots of syslog-messages (because of the deny).

As soon as the host was removed from the network, the problems disappeared.

I want to ask:

  • Is this normal, expected behaviour? A single PC can knock out the ASASM?
  • What methods can you think of the mitigate this beforehand?

I searched the configuration-guide of ASASM and only found log rate-limiting, which I'd like to try out (I don't know yet if the logging was the reason for the problems at all, but I guess at the moment). Any other ideas?

Thanks,

Florian

Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎06-07-2014 09:20 AM

Hello,

 

One host, thats awful.

 

I think we should have a detailed picture of the network enviroment before answering that but I would say no.

 

In regards of how to prevent that you can use the DoS prevention techniques (TCP normalization stuff, Connection Limits and of course the Shunn feature)

 

Read on those and then determine what action should be taken,

 

Regards,

 

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Florian Pressler
Level 1
Level 1
In response to Julio Carvajal

‎06-10-2014 01:38 AM

Hi jcarvaja,

thanks for your comment.

Regarding your suggestions: TCP normalization stuff and connection limits are both not applicable. This is because the specific connection which triggered the failure was denied by the ASASM in the first place. So these techniques wouldn't come into action, because they only apply to allowed connections.

The shun feature might prevent the excessive logging (i didn't try it out). But I would still prefer a solution where i wouldn't have to run into the problem first, before I can place the counter-measure. In other words: I would like to configure the ASASM in a way which prevents it from being knocked out by a single  host.

Regards,

Florian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card