---

@balaji.bandi wrote:

what is your KALI IP address. ?

 

here is the good document and verification, your config ok, but make sure Kali not in trusted device ?

https://integratingit.wordpress.com/2018/01/07/prevent-tcp-attacks-on-cisco-asa/

 

Also check with : is this process is same ?

 

show processes cpu-usage sorted non-zero

---

Hi Balaji,

thanks for the link, the configuration proposed is the pretty much the same of mine poste above.

My Kali Ip is 192.168.100.200 and I'm attaking the 192.168.10.35

and here the output reqested:

ciscoasa# show processes cpu-usage sorted non-zero
Hardware: FPR-2120
Cisco Adaptive Security Appliance Software Version 9.12(2)
ASLR enabled, text region aab8237000-aabca09c34
PC Thread 5Sec 1Min 5Min Process
- - 12.5% 7.1% 2.7% DATAPATH-6-1463
- - 12.4% 7.1% 2.7% DATAPATH-0-1457
- - 12.4% 7.1% 2.7% DATAPATH-7-1464
- - 12.4% 7.1% 2.7% DATAPATH-1-1458
- - 12.3% 7.1% 2.7% DATAPATH-4-1461
- - 12.3% 7.1% 2.7% DATAPATH-3-1460
- - 12.3% 7.1% 2.7% DATAPATH-2-1459
- - 12.3% 7.1% 2.7% DATAPATH-5-1462
0x000000aab95c0e30 0x000000ffeaf74280 0.4% 0.2% 0.1% CP Processing
0x000000aabaf58af0 0x000000ffeaf86ce0 0.3% 0.2% 0.1% Logger

show CPU give me 100 %

A small update.

After several tests I realized that the configuration looks good. If on the Kali Vm I launch the command hping3 -c 15000 -d 120 -S -w 64 -p 8080 192.168.10.35 without "--flood" the ASA perfectly handle the exception and the embryonics connection. CPU run smooth and other traffic flow normally

The issue seems to be related to the flood commands that send several packets every second but I'm stunned that that kind of machine ( 2120 ) can't handle that kind of load. There's somenthing missing I hope.

Raffaele

as per my understanding, we use always 

--flood = Sending packets as fast as possible, without taking care to show incoming replies. Flood mode.

this always used in my testing with random source, that means kali generates different IP address with SYN Attack. this more of stress test for web servers - same the way you do.

A small update after few tests. The CPU stuck at 100% seems to be not due to neither the thread detection policy nor the TCP inspection.

I simply disabled the two check and block all the incoming traffic on the external interface with an ACL ( deny IP any any ).

Once issued the usual flood command on the kali machine placed on the external interface ( where the Deny IP any any is deployed ) the firewall CPU rised up to 100% and the firewall has stopped to work.

Someone can help me? I can't belive that it's so simple to have a DoS attack to this firewall.

Thanks

I'm still stuck with this behaviour.

In the next few days, I'll have to open a TAC case I suppose to try to solve it before in production.

Any other input is really much appreciated.

Thanks

At this stage not much input I can provide, suggest to raise a TAC, they can have access to your Device and collect the information and suggest the solution.