06-26-2008 09:21 PM - edited 03-11-2019 06:06 AM
Hello security people, help me find an answer to my security question.
Here is the problem: I have a Cisco 6506 with 48 gig. interfaces, 9 SFPs, and one firewall module. One SFP interface is connected to the ISP, and Gigabit Ethernet to small offices. There is some virus on some computer that blocks my bandwidth from the ISP. I checked with "sh int gig x/y" that upload is 90Mbs. Wow!!! Then I decided to implement MQC-based policing on the gigx/y interface. After some minutes there was another attack that not only locked up my bandwidth but also killed my Cisco 6506; it was terrible... After 10-15 minutes the attack stopped. I checked the policing with "sh policy-map int gigx/y" and saw that the Cisco had dropped 8 Gbytes. Hey people, help me find a solution. Any suggestions? Is there any black-list to block the attacker's IP address automatically?
06-26-2008 09:57 PM
Here are some suggestions:
1) If you have FWSM, use the www.fireplotter.com trial version to profile the traffic, then you can use clear local-host
2) Use Netflow
http://www.securityfocus.com/infocus/1796
3) Try to update your systems with updated anti-virus defs, and 'detect' the worm-name exactly. Google the remediation procedure for that worm and start your work....
4) Temporarily make your firewall policy HTTP + necessary ports only (if it was not permit any any before).
Regards
Farrukh
06-26-2008 10:36 PM
Hmm... I found that virus; there were 5 infected computers. But it is possible the systems can get infected again and again, because I do not have any access to the user computers.
Can the firewall block those attacks itself? Is there any feature like a black-list?
06-27-2008 02:17 AM
Well, you can implement the black-list (if you know the rogue IPs) using a simple access-list.
Regards
Farrukh
06-27-2008 02:36 AM
I know that, man. I am asking about automatic black-lists.
06-27-2008 02:58 AM
No, there is no such thing on the ASA to my knowledge. Maybe on the CSC module for anti-spam etc., but not on the ASA itself.
Regards
Farrukh
06-30-2008 06:25 PM
You could configure threat detection and have the ASA automatically shun the IP based on thresholds...
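
The threat-detection and shun approach from the last reply, next to the manual blacklist mentioned earlier in the thread, as an added ASA configuration example that is not from any of the posters. The addresses, the ACL name BLACKLIST_IN, the interface name and the thresholds are constructed placeholders.

```cisco
! --- Manual blacklist: static ACL entry for a known rogue host ---
! 198.51.100.7 is a constructed placeholder address.
access-list BLACKLIST_IN extended deny ip host 198.51.100.7 any
access-list BLACKLIST_IN extended permit ip any any
access-group BLACKLIST_IN in interface inside

! --- Automatic blacklist: scanning threat detection with shun ---
! Basic threat detection logs drop-rate events; it does not block.
threat-detection basic-threat

! Exempt your own management/gateway range first so a false positive
! cannot lock out infrastructure (192.0.2.0/24 is a placeholder).
threat-detection scanning-threat shun except ip-address 192.0.2.0 255.255.255.0

! Hosts classified as scanning attackers are shunned automatically.
threat-detection scanning-threat shun

! Keep the shun for one hour, then let the host try again.
threat-detection scanning-threat shun duration 3600

! Threshold: events per second averaged over 600 s, and burst rate.
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

! --- Verify and undo (exec mode) ---
! show threat-detection scanning-threat attacker
! show threat-detection shun
! clear threat-detection shun 198.51.100.7
```

The automatic shun triggers on scanning behaviour (host sweeps and port scans) crossing the configured rates, not on bandwidth volume alone, so a host that floods a single destination still needs the ACL or policing.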