10-27-2014 11:55 AM - edited 03-11-2019 09:59 PM
For the last month we have been hit by DDoS attacks that seem to be using SSDP (port 1900 UDP). It just happened today and lasted 15 mins, during which time our internet connection (Comcast Business line, 100/20 MB) came to a crawl. No one could access anything on the net.
How can I mitigate these attacks? I have configured the ASA 5510 like this:
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface outside OUTSIDE_INFO
ip audit interface outside OUTSIDE_ATTACK
ip audit interface inside INSIDE_INFO
ip audit interface inside INSIDE_ATTACK
ip audit signature 1002 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
ip audit signature 6053 disable
Any other tricks? More information attached.
ATTACK partial log.
Here is a sample of some logs I captured:
51: 11:08:44.495228 183.203.151.166.1900 > 50.XXX.XXX.XXX.80: udp 320
52: 11:08:44.495244 27.203.166.105.1900 > 50.XXX.XXX.XXX.80: udp 326
53: 11:08:44.498158 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 288
54: 11:08:44.501896 98.228.91.18.1900 > 50.XXX.XXX.XXX.80: udp 245
55: 11:08:44.501927 221.210.161.54.1900 > 50.XXX.XXX.XXX.80: udp 268
56: 11:08:44.502690 81.167.61.109.1900 > 50.XXX.XXX.XXX.80: udp 286
57: 11:08:44.503468 96.35.27.211.1900 > 50.XXX.XXX.XXX.80: udp 247
58: 11:08:44.503498 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 268
59: 11:08:44.503529 76.16.192.25.1900 > 50.XXX.XXX.XXX.80: udp 307
60: 11:08:44.504414 46.19.66.66.1900 > 50.XXX.XXX.XXX.80: udp 307
61: 11:08:44.504444 76.173.58.15.1900 > 50.XXX.XXX.XXX.80: udp 284
62: 11:08:44.505878 2.49.240.153.1900 > 50.XXX.XXX.XXX.80: udp 317
63: 11:08:44.505924 60.208.123.210.1900 > 50.XXX.XXX.XXX.80: udp 314
64: 11:08:44.506748 70.95.161.23.1900 > 50.XXX.XXX.XXX.80: udp 245
65: 11:08:44.507694 121.206.190.17.1900 > 50.XXX.XXX.XXX.80: udp 268
66: 11:08:44.507725 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 242
67: 11:08:44.507740 121.206.190.17.1900 > 50.XXX.XXX.XXX.80: udp 290
68: 11:08:44.507770 192.251.249.83.1900 > 50.XXX.XXX.XXX.80: udp 302
69: 11:08:44.508488 58.210.95.138.1900 > 50.XXX.XXX.XXX.80: udp 326
70: 11:08:44.508518 58.210.95.138.1900 > 50.XXX.XXX.XXX.80: udp 314
71: 11:08:44.509342 71.95.40.47.1900 > 50.XXX.XXX.XXX.80: udp 305
72: 11:08:44.509418 121.206.190.17.1900 > 50.XXX.XXX.XXX.80: udp 326
73: 11:08:44.509434 70.95.161.23.1900 > 50.XXX.XXX.XXX.80: udp 323
74: 11:08:44.509449 71.95.40.47.1900 > 50.XXX.XXX.XXX.80: udp 307
75: 11:08:44.509464 81.200.247.20.1900 > 50.XXX.XXX.XXX.80: udp 291
76: 11:08:44.510898 59.45.34.2.1900 > 50.XXX.XXX.XXX.80: udp 268
77: 11:08:44.510929 84.208.252.214.1900 > 50.XXX.XXX.XXX.80: udp 234
78: 11:08:44.510959 76.173.58.15.1900 > 50.XXX.XXX.XXX.80: udp 229
79: 11:08:44.510975 46.19.66.66.1900 > 50.XXX.XXX.XXX.80: udp 305
80: 11:08:44.511097 186.68.236.141.1900 > 50.XXX.XXX.XXX.80: udp 300
81: 11:08:44.511966 74.58.171.63.1900 > 50.XXX.XXX.XXX.80: udp 307
82: 11:08:44.511997 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 290
83: 11:08:44.512012 123.55.81.145.1900 > 50.XXX.XXX.XXX.80: udp 326
84: 11:08:44.512043 1.189.11.236.1900 > 50.XXX.XXX.XXX.80: udp 322
85: 11:08:44.512851 110.53.148.27.1900 > 50.XXX.XXX.XXX.80: udp 314
86: 11:08:44.512897 110.53.148.27.1900 > 50.XXX.XXX.XXX.80: udp 242
87: 11:08:44.512912 221.215.155.162.1900 > 50.XXX.XXX.XXX.80: udp 268
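As an added example (not from the original post or from Cisco), a small Python parser for the ASA capture lines pasted above that summarises the reflected SSDP traffic: packets arriving from UDP source port 1900, their bytes, the number of distinct reflector addresses, the busiest ones and the time window they span. Six sample lines are copied from the capture; the 203.0.113.7 DNS reply is constructed to show that ordinary UDP traffic is left out of the count.

```python
import re
from collections import Counter

# One ASA "show capture" line as pasted above, e.g.
#   51: 11:08:44.495228 183.203.151.166.1900 > 50.XXX.XXX.XXX.80: udp 320
CAPTURE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\w.]+)\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+(?P<proto>[a-z]+)\s+(?P<length>\d+)\s*$")
SSDP_PORT = 1900  # source port of reflected SSDP (UPnP) replies

# Six lines copied from the capture in the post, plus one constructed DNS
# reply (src 203.0.113.7, port 53) standing in for legitimate UDP traffic.
SAMPLE_CAPTURE = """\
51: 11:08:44.495228 183.203.151.166.1900 > 50.XXX.XXX.XXX.80: udp 320
52: 11:08:44.495244 27.203.166.105.1900 > 50.XXX.XXX.XXX.80: udp 326
53: 11:08:44.498158 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 288
58: 11:08:44.503498 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 268
66: 11:08:44.507725 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 242
70: 11:08:44.508518 58.210.95.138.1900 > 50.XXX.XXX.XXX.80: udp 314
71: 11:08:44.509000 203.0.113.7.53 > 50.XXX.XXX.XXX.41000: udp 120
"""

def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_capture(text):
    """One dict per parsable capture line; anything else is skipped."""
    out = []
    for m in filter(None, map(CAPTURE_RE.match, text.splitlines())):
        d = m.groupdict()
        out.append({"seq": int(d["seq"]), "ts": _seconds(d["ts"]),
                    "src": d["src"], "sport": int(d["sport"]),
                    "dst": d["dst"], "dport": int(d["dport"]),
                    "proto": d["proto"], "length": int(d["length"])})
    return out

def ssdp_reflection_summary(text):
    """Summarise UDP packets arriving from port 1900 (reflected SSDP replies)."""
    pkts = [p for p in parse_capture(text)
            if p["proto"] == "udp" and p["sport"] == SSDP_PORT]
    per_src = Counter(p["src"] for p in pkts)
    span = max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts) if pkts else 0.0
    return {"packets": len(pkts),
            "bytes": sum(p["length"] for p in pkts),
            "reflectors": len(per_src),
            "top": per_src.most_common(5),
            "span_seconds": span,
            # rough in-window rate; infinite if all packets share a timestamp
            "pps": len(pkts) / span if span > 0 else float("inf")}
```

Feeding the full capture from the post (or a longer one taken with `capture` on the outside interface) into `ssdp_reflection_summary` gives the reflector count and byte volume needed when asking the ISP to filter the traffic upstream.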
10-27-2014 07:57 PM
Hi,
I think the most effective way to prevent this attack would be to block this destination UDP port on the ISP end itself if this is recurring.
Also, on the ASA device, we can set the per-client max limit for this destination server; it should also help you with this issue.
As the destination IPs are different, SHUN might not be that effective.
For more information:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html#wp1080691
Thanks and Regards,
Vibhor Amrodia