
DDOS attacks?

noodles44
Level 1

Hello security people, help me find an answer to my security question.

Here is the problem: I have a Cisco 6506 with 48 gigabit interfaces, 9 SFPs, and one firewall module. One SFP interface is connected to the ISP, and the Gigabit Ethernet interfaces to small offices. There is some virus on some computer that blocks my bandwidth from the ISP. I checked with "sh int gig x/y" that upload is 90Mbs. Wow!!! Then I decided to implement MQC-based policing on the gigx/y interface. After some minutes there was another attack that not only locked my bandwidth but also killed my Cisco 6506. It was terrible... After 10-15 minutes the attack stopped. I checked policing with "sh policy-map int gigx/y" and saw that the Cisco dropped 8 Gbyte. Hey people, help me find a solution. Any suggestions? Is there any black-list to block the attacker's IP address automatically?

6 Replies

Farrukh Haroon
VIP Alumni

Here are some suggestions:

1) If you have FWSM, use the www.fireplotter.com trial version to profile the traffic; then you can use the clear local-host command to clear off the sessions from the firewall.

2) Use Netflow

http://www.securityfocus.com/infocus/1796

3) Try to update your systems with updated anti-virus defs, and 'detect' the worm-name exactly. Google the remediation procedure for that worm and start your work....

4) Temporarily make your firewall policy HTTP + necessary ports only (if it was not permit any any before).

Regards

Farrukh

Hm... I found that virus; there were 5 infected computers. But it is possible the systems can get infected again and again, because I do not have any access to user computers.

Can the firewall block those attacks itself? Is there any feature like a black-list?

Well, you can implement the black-list (if you know the rogue IPs) using a simple access-list.

Regards

Farrukh

I know it, man. I am asking about automatic black-lists.

No, there is no such thing on the ASA to my knowledge. Maybe on the CSC module for anti-spam etc., but not on the ASA itself.

Regards

Farrukh

You could configure threat detection and have the ASA automatically shun the IP based on thresholds...
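
An added example (not part of any post in this thread, and not Cisco code) of how the flow data and the access-list black-list mentioned above can be combined: it summarizes flow records per source host, flags hosts that exceed a byte budget or fan out to many destinations, and renders IOS extended access-list lines for review. The record format, addresses, thresholds and ACL number 150 are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src dst dst_port bytes); not data from the thread.
SAMPLE_FLOWS = """\
10.1.1.20 198.51.100.7 80 12000
10.1.1.20 198.51.100.9 443 8000
10.1.2.33 203.0.113.1 445 900000000
10.1.2.33 203.0.113.2 445 850000000
10.1.2.33 203.0.113.3 445 910000000
10.1.3.8 203.0.113.50 445 400
10.1.3.8 203.0.113.51 445 400
10.1.3.8 203.0.113.52 445 400
10.1.3.8 203.0.113.53 445 400
bad line here
"""

def summarize(text):
    """Return {src: [total_bytes, set_of_destinations]}, skipping malformed lines."""
    stats = defaultdict(lambda: [0, set()])
    for line in text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            nbytes = int(parts[3])
        except (IndexError, ValueError):
            continue  # truncated or non-numeric record: ignore rather than crash
        stats[str(src)][0] += nbytes
        stats[str(src)][1].add(str(dst))
    return stats

def find_offenders(stats, max_bytes, max_dests):
    """Hosts over the byte budget, or contacting more than max_dests destinations."""
    hits = (s for s, (b, d) in stats.items() if b > max_bytes or len(d) > max_dests)
    return sorted(hits, key=ipaddress.ip_address)

def build_acl(offenders, acl_id=150):
    """Render IOS extended access-list lines that drop traffic from the offenders."""
    lines = [f"access-list {acl_id} deny ip host {h} any" for h in offenders]
    lines.append(f"access-list {acl_id} permit ip any any")  # keep everyone else working
    return lines

if __name__ == "__main__":
    # Thresholds are illustrative assumptions; tune them to the link's normal profile.
    offenders = find_offenders(summarize(SAMPLE_FLOWS), max_bytes=10**9, max_dests=3)
    print("\n".join(build_acl(offenders)))
```

The generated lines are meant to be reviewed before being applied, since a threshold set too low would black-list legitimate heavy users.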
