Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2218
Views
0
Helpful
1
Replies

ASA 5520 interface overrun

rretanag099
Level 1
Level 1

‎02-24-2011 11:14 AM - edited ‎03-11-2019 12:56 PM

Hi everyone,

  Recently our network experience a Internal DoS attack. One internal server ( the network/security team doesnt have any access to the adninistration of these server) starts to send a lot of DNS bogus request to some DNS servers on the Internet. With sh conn detail we saw the IP of these server and blocked it with an ACL in the Internal ASA 5520 interface. After that, the server team disconnect the server, and made their job cleaning these infected device.  Everything goes normal again....

  Today, the same server starts again with the same problem. But a lot  worst thant the first time. The ASA starts to drops packets in the internal interface, the overruns was increasing dramatically ( like 10000 per second), the asp-drop table shows the same amount of traffic than interface overruns in the ACL-Drop line , and the CNT blocks for  16xxx with sh blocks was in zero. The sh acess-list INSIDE shows near 9 million hints in the line that deny the DNS request from the server to the Internet. Again, we disconnect the server and the problem was solved by the server team.

  It seems that our ASA cant handle in their internal interface the amount of traffic that these server send outbound. IS there anyway to raise the blocks in the firewall?  What is the best way to deny the servers connections ( ACL, or MPF or threat detection maybe), and avoid the ASA interface overruns even when the server sends these large amount of request.

  Regards.

Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎02-28-2011 06:12 AM

Hello,

Take a look at this document, it describes some ways to diagnose and mitigate oversubscription on the ASA:

https://supportforums.cisco.com/docs/DOC-12439

Hope that helps.

-Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card