network is super slow after a lot of deny tcp log in ASA 5510

nyein chan tun · ‎06-29-2011

Hi all expert,

I used the ASA 5510 and in these days, facing the problem is internet is very slow. When i check in real-time log viewer debugging, i found the following logs

6|Jun 29 2011|15:47:53|106015|123.123.123.123|416|111.222.111.222|80|Deny TCP (no connection) from

123.123.123.123/416 to 111.222.111.222/80 flags ACK on interface Inside

4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:

111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

a lot of log message are come out and I notice that 111.222.111.222 ip is try to attack my network. In that moment, my network is very slow and nearly to be down. When I block with that ip by access list, network is up again. But after a few moment, attack from other ip, it's so terrible and so tired to block a lot of ip by acl.

Please give me advise how to prevent this issue.

Thanks ,

varrao · ‎06-29-2011

Hi Chan,

I would suggest you to shun the IP address on the firewall, but this attack should be mitigated on any other upstream device rather than the firewall.

shun 111.222.111.222

Hope this helps

Thanks

Varun

Thanks,
Varun Rao

nyein chan tun · ‎06-29-2011

Hi Varun,

Thanks for advise. but attacking ip is always changing from different location. How can I prevent for multiple location & IP in ASA.

Thanks,

Chan

varrao · ‎06-29-2011

Is the source IP always changing?? Or is it always sending requests for a different destination IP???

Varun

Thanks,
Varun Rao

r-reed · ‎06-29-2011

Your log show that this is being blocked on inside. Maybe

123.123.123.123 is infected?

nyein chan tun · ‎06-30-2011

Hi Varun & Reed,

Source IP is always change ( that is not our local source IP ) and Destination IP is not change. It seem like that :

4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:

111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

4|Jun 29 2011|15:47:53|106023|100.200.100.200|852|111.222.111.222|80|Deny tcp src Inside:100.200.100.200/852 dst Outside:

111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

Actually 111.222.111.222, 123.123.123.123 and 100.200.100.200 are not our Internal public IP. When I block 111.222.111.222, internet is ok and after a few time come from another IP. So it's terrible to monitor and try to block all IP in every time.

I try to configure in outside interface with this command " ip verify reverse-path interface outside " , and also try to block with shun command.

Please suggest me what should I do to prevent my network .

Thanks,

Chan

praprama · ‎07-08-2011

Hi Chan,

You can look into threat detection with shunning enabled as an option. But BEWARE, that can cause high CPU on the firewall and should be used only temporarily. Better to have your ISP look into it and try blocking the source of the attacks.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

Regards,

Prapanch