11-21-2018 12:56 PM - edited 02-21-2020 08:29 AM
Hello Experts,
We have a single ASA-5512 running Firepower 6.2.3.x and I am currently using FDM to manage it. We have a threat license enabled. Can someone recommend how to set up policies for DOS/DDOS protection? All I am looking to do is implement protection against volume-based attacks such as a ping flood or HTTP flood. I didn't find any reference to it in the FDM 6.2.3 documentation.
Thanks
Neeraj
11-21-2018 07:28 PM
DDOS protection is not something that's available in FTD.
For that one typically uses a third party service or, for really large enterprises, a dedicated appliance. (Something like the RADware logical device you can deploy on a Firepower 9300)
11-22-2018 02:17 AM
Could we not use the intrusion policy rule and fine tune them?
11-22-2018 02:42 AM
To a small extent you can but it's usually more trouble than it's worth.
A true DDOS can overwhelm your Internet circuit even if you have 10 Gbps. It can also overwhelm the input interface of the appliance. For IPS policy to take effect the traffic already needs to be processed by the input interface, checked for existing connections, NAT etc.
11-22-2018 05:28 AM - edited 11-22-2018 05:29 AM
Hi Marvin, let me correct my request: how about basic DOS protection (not DDOS), though?
I remember in ASA we could set up embryonic connection limits to offer basic protection. Isn't that still an option if my ASA is running Firepower services? I am fine with implementing basic protection via CLI also if the FTD web UI doesn't have it. Any suggestions on how to configure embryonic conn limits?
Thanks
11-22-2018 05:39 AM
Yes, you do have the basic threat-detection limits and the ability to set embryonic connections etc.
FMC 6.2.1 added a FlexConfig template as follows:
TCP Embryonic connection limit and timeout configuration template allows you to configure embryonic connection limits/timeout CLIs to protect from SYN Flood DoS Attack.
I am not sure if it's also usable in the more limited FlexConfig support that's in FDM.
Also, if you look at a base FTD config (show running-config all) you will see the following:
!
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
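As an added example (not part of the thread and not Cisco's own template text), this is the classic ASA Modular Policy Framework configuration that the embryonic-connection-limit reply above refers to. The ACL and class-map names, the server address 203.0.113.10 and the numeric limits are constructed placeholders to be sized for your own traffic; on an FTD image these commands would have to be pushed through FlexConfig, whose availability in FDM 6.2.3 the reply leaves open.

```text
! Hypothetical: identify the servers you want to shield from SYN floods.
access-list PROTECTED_WEB extended permit tcp any host 203.0.113.10 eq 80
access-list PROTECTED_WEB extended permit tcp any host 203.0.113.10 eq 443
!
class-map PROTECTED_WEB_CLASS
 match access-list PROTECTED_WEB
!
! Attach the limits to the existing global policy.
policy-map global_policy
 class PROTECTED_WEB_CLASS
  ! Total half-open (embryonic) connections allowed to the matched servers,
  ! and the per-source cap; once the total is reached, TCP Intercept
  ! proxies the handshake instead of passing raw SYNs to the server.
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Tear down half-open connections that never complete the handshake.
  set connection timeout embryonic 0:00:30
!
! Verification after deploying (placeholder values above):
!   show conn count
!   show threat-detection statistics top tcp-intercept
```

Note the last line of the running config quoted above, "no threat-detection statistics tcp-intercept": the TCP Intercept statistics that make the "show threat-detection statistics top tcp-intercept" check useful are off by default, so enabling "threat-detection statistics tcp-intercept" alongside the limits is what lets you see which servers are actually being targeted and whether the thresholds are tripping.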