DoS / DDoS prevention techniques for Cisco ASA 5585-X Adaptive Security Appliance

asad ali
Level 1

I want to ask this community how a Cisco ASA 5585-X firewall with a built-in IPS module (AIP) would detect DoS / DDoS signatures. My concept or knowledge says that for the above mentioned devices, its way of detecting between the two varies according to the types of signature sets available to it at the time of attack.

For e.g., if the device has to catch something similar to Conficker, it needs the certain signature to identify the bot-net infection spreading through a planted worm or a script running at infected attacked networks' servers.

Does this same logic or methodology apply in the case of detecting DoS attacks, considering it has a smaller scope as it detects attacks which are, let's say, targeted to a certain web URL (http://xy.com/abc), infecting just one part of the system? How would the Cisco 5585-X qualify such an attack?

I know there is a feature called rate limiting that detects such attacks, but does it apply only in the case when there is no signature available? By asking this, I want to draw a line on how the device differentiates between the attacks, because one thing that I think is common is that if the rate limiting feature is available it would detect both (DoS / DDoS) using the same techniques, but for proper classification it would match it with its signature base?

Kindly let me know if my assumptions are correct regarding this topic.

Thanks.

5 Replies

Julio Carvajal
VIP Alumni

Hello Sir,

Good question, and I am sure that this will lead to a nice discussion as there is a lot of stuff to work with.

First of all, are you referring to the AIP module on this ASA itself, or can we mention the ASA benefits on these particular attacks?

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for replying to me.

Yes, I'm referring to the AIP module included in the Cisco ASA 5585 itself.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-614415.html

Hello,

Okay, so we are just going to focus on the SSP (not the ASA at all).

First of all, you can set a baseline of what your network traffic is by using the anomaly detection feature (so the IPS will learn what is normal, and as soon as it detects something that is not normal it will do something: trigger an alert, etc.).

We can also have several signatures used to detect these attacks, as you already know (some of these signatures, of course, are rate limiting).

It's quite late in my time zone, so I am dead. Let me know what specific question I can answer for you and I will do that in the morning.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for writing so late.

Using the anomaly detection feature, at which point would the SSP classify or differentiate a DoS attack from a DDoS attack, considering.

The other problem with anomaly detection is that for it to be effective you have to make the system learn "clean / good" behavior in a clean environment, so it doesn't learn bad patterns and thus increase your chances of being hit by false negatives.

For the incident response plan and also for mitigation purposes, considering the alerts are fed into a SIEM, I want to flag DoS and DDoS attacks separately.
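As an added illustration of the classification asked for above (not code from this thread, from Cisco, or from the AIP-SSP): a learn-then-detect pass over constructed events that flags a destination when its rate exceeds a learned baseline, then labels the flood DoS or DDoS by the number of distinct sources, so the two can be tagged separately before they reach a SIEM. The event tuples, addresses and thresholds are assumptions, not the sensor's real alert format.

```python
from collections import defaultdict

# Constructed sample events as (timestamp_seconds, source_ip, destination_ip);
# hypothetical tuples, not the Cisco IPS/AIP-SSP alert format.
CONSTRUCTED_CLEAN = [
    (1000 + s, "192.0.2.7", dst)
    for s in range(8)
    for dst in ("203.0.113.10", "203.0.113.20", "203.0.113.30")
]
CONSTRUCTED_EVENTS = (
    [(1000 + i // 50, "10.1.1.5", "203.0.113.10") for i in range(400)]                  # one source
    + [(1000 + i // 50, f"198.51.100.{1 + i % 80}", "203.0.113.20") for i in range(400)]  # 80 sources
    + [(1000 + s, f"192.0.2.{1 + s % 5}", "203.0.113.30") for s in range(8)]           # background
)

def _span_seconds(events):
    stamps = [ts for ts, _, _ in events]
    return max(stamps) - min(stamps) + 1

def learn_baseline(clean_events):
    """Learning phase: mean events per second towards each destination on known-clean traffic."""
    counts = defaultdict(int)
    for _, _, dst in clean_events:
        counts[dst] += 1
    span = _span_seconds(clean_events)
    return {dst: n / span for dst, n in counts.items()}

def classify_floods(events, baseline, rate_factor=10, min_sources_for_ddos=20, default_rate=1.0):
    """Detection phase: a destination receiving more than rate_factor x its baseline is a
    flood; it is labelled DoS when it comes from few sources and DDoS once the number of
    distinct sources reaches min_sources_for_ddos."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for _, src, dst in events:
        counts[dst] += 1
        sources[dst].add(src)
    span = _span_seconds(events)
    verdicts = {}
    for dst, n in counts.items():
        rate = n / span
        if rate <= rate_factor * baseline.get(dst, default_rate):
            verdicts[dst] = "normal"
        elif len(sources[dst]) >= min_sources_for_ddos:
            verdicts[dst] = "DDoS"
        else:
            verdicts[dst] = "DoS"
    return verdicts

if __name__ == "__main__":
    for dst, verdict in classify_floods(CONSTRUCTED_EVENTS, learn_baseline(CONSTRUCTED_CLEAN)).items():
        print(dst, verdict)
```

The baseline must be learned on traffic known to be clean; a baseline learned during an attack makes the flood look normal, which is exactly the false-negative risk raised above.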

Hello Asad,

Exactly, it has to build its own database.

We offer you the opportunity to use several signatures to determine whether a scan is happening or not (a flooding of different or the same traffic will be detected; you can tune it to fit your needs).

We can also use the global correlation intelligence system, which will allow your sensor to participate in a database that is handled by Cisco to determine malicious activity.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC