04-03-2014 07:36 PM - edited 03-11-2019 09:01 PM
We are receiving thousands of "Deny inbound UDP from x.x.x.x/53 to x.x.x.x/2713 due to DNS Response" per minute on our ASA 5510. All of the responses are destined to a single one of our external IPs. This is overloading our ASA and preventing traffic getting out to the Internet during these attacks. Anyone have any suggestions as to what we can do to mitigate this problem? Thanks
04-04-2014 01:19 AM
Hi William,
If the traffic is hitting your ASA then there is nothing you can do at that location. Do you have a router which you administer upstream of it? If so, look at using CAR:
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-122-mainline/12764-car-rate-limit-icmp.html
Failing that, your ISP should be able to assist, either by configuring rate limiting for your external address or by blocking the UDP traffic to it.
cheers,
Seb.
04-07-2014 12:46 PM
The Cisco TAC engineer we spoke to recommended we allow any any udp port 53 inbound to correct the problem. I don't see how allowing udp port 53 traffic into our network would solve the problem, but it will stop the deny messages. Does this sound like a good idea?
04-10-2014 04:00 AM
If this really is an attack then allowing the traffic into your network is not the correct action!
How is the problem manifesting itself? If the outbound link is being saturated with traffic then talk to your ISP.
If you think the volume of syslog messages on your ASA is causing a performance problem, then you can configure the message ID to appear at a higher syslog level so that it does not appear at your current logging level. Obviously this would be in effect for all messages of this type so you may not be aware of similar attacks taking place.
Talk to your ISP :)
cheers,
Seb.
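The two mitigations described in this thread (upstream CAR on an IOS router, and demoting the ASA deny message so it drops below the configured logging level), shown as an added configuration example that is not from the original posts. It assumes 106007 is the syslog ID of the "Deny inbound UDP ... due to DNS Response" message, 203.0.113.10 stands in for the targeted external IP, and the interface names and rate values are placeholders to adjust.

```cisco
! ===== Upstream IOS router: CAR for DNS responses to the targeted IP =====
! Match only UDP source port 53 toward the single address under attack
! (203.0.113.10 is a placeholder for the real external IP).
access-list 110 permit udp any eq 53 host 203.0.113.10
!
interface GigabitEthernet0/0
 ! Rate-limit matching inbound traffic to 256 kbps (burst values are in bytes);
 ! anything above the limit is dropped before it reaches the ASA.
 rate-limit input access-group 110 256000 8000 8000 conform-action transmit exceed-action drop
!
! ===== ASA: keep logging the event, but stop it flooding the syslog path =====
! Default: 106007 is logged at critical (2), so it is emitted at almost any
! logging level. Before the change it looks like this:
!   logging trap errors
!   (106007 stays at its default level, every DNS-response deny is logged)
!
! After: demote the message below the trap level so the deny no longer
! consumes syslog capacity. The caveat from the post still applies: all
! 106007 events, not just this attack, are suppressed.
logging trap errors
logging message 106007 level notifications
!
! Alternative that keeps visibility: rate-limit this one message ID to
! 100 occurrences per 10 seconds instead of hiding it entirely.
logging rate-limit 100 10 message 106007
```

Verify with `show logging message 106007` on the ASA and `show interfaces rate-limit` on the router; the rate-limit counters should rise during an attack while the ASA log volume stays flat.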