Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
173
Views
1
Helpful
2
Replies

Firewall High CPU utilization due to spurious traffic

JITINKALYANI
Level 1
Level 1

‎05-10-2024 04:02 AM

JITINKALYANI_0-1715338836848.png

Situation:-

  • Server Will have a private IP natted with a public IP from firewall
  • Firewall outside interface will have a public IP of same pool
  • All incoming traffic on outside interface from internet will be blocked on firewall and only Client IP address will be whitelisted
  • Client will have access to 2-3 ports on server

Requirement:-

  • How to stop open discovery of public IP of firewall or server from spammers or hackers
  • If spammers try to send spurious traffic to server or firewall, how to avoid such traffic otherwise firewall CPU utilization will increase and bandwidth might also choke

Note – VPN is not an option

Labels:
0 Helpful
2 Replies 2

MHM Cisco World
VIP
VIP

‎05-10-2024 04:21 AM - edited ‎05-10-2024 04:47 AM

Why you not use ACL applying to Outside interface direction IN allow any to real server IP(private IP) for specific ports.

That prevent any access to server for any other udp/tcp port and also icmp (since icmp dont have l4 ports)

For other attack you can use thread detection 

Where if  asa detect tcp  flood is reach specific number the clinet public IP will shun for specific time or forever (depending on your config)

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

Also you can use 

Policy map to drop connection 

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01844881

MHM

0 Helpful

tvotna
Spotlight
Spotlight

‎05-10-2024 01:34 PM

What you described in the "situation" section is sufficient. Just open those 2-3 ports to the server and block everything else. By default ASA/FTD doesn't send ICMP unreachable or TCP RST in response to inbound requests which are blocked by the ACL, which makes "discovery" of the firewall a bit more difficult. Also, ASA/FTD doesn't listen on any port, unless explicitly configured to do so. Don't configure any other "protection", like threat detection, unless you want to shoot yourself in the foot.

 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card