Firewall High CPU utilization due to spurious traffic

JITINKALYANI
Level 1

Situation:-

  • Server will have a private IP NATed to a public IP from the firewall
  • Firewall outside interface will have a public IP from the same pool
  • All incoming traffic on the outside interface from the internet will be blocked on the firewall and only the client IP address will be whitelisted
  • Client will have access to 2-3 ports on the server

Requirement:-

  • How to stop open discovery of the public IP of the firewall or server by spammers or hackers
  • If spammers try to send spurious traffic to the server or firewall, how to avoid such traffic; otherwise firewall CPU utilization will increase and bandwidth might also choke

Note – VPN is not an option


Why not use an ACL applied to the Outside interface, direction IN, allowing any to the real server IP (private IP) for specific ports?

That prevents any access to the server on any other UDP/TCP port and also ICMP (since ICMP doesn't have L4 ports).

For other attacks you can use threat detection.

If the ASA detects a TCP flood reaching a specific number, the client public IP will be shunned for a specific time or forever (depending on your config).

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

Also you can use 

Policy map to drop connection 

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01844881

MHM
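The ACL-plus-NAT setup from the original "Situation" and the reply above, written out as an ASA (8.3+) configuration fragment. This is an added example, not the poster's config; the server/client/public addresses, object names and port numbers are assumed placeholders, and the threat-detection lines are optional and exempt the whitelisted client so it cannot shun itself.

```cisco
! Real (private) server and its static NAT to a public IP from the outside pool
object network SRV-APP
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! The 2-3 ports the whitelisted client may reach (assumed values)
object-group service SRV-APP-PORTS tcp
 port-object eq 443
 port-object eq 22

! Post-8.3 ACLs reference the REAL (private) server IP, not the NATed one.
! Only the client's public IP is permitted; everything else is dropped silently.
access-list OUTSIDE-IN extended permit tcp host 198.51.100.5 object SRV-APP object-group SRV-APP-PORTS
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside

! To-the-box ICMP (pings at the firewall's own outside address) is not covered by
! the interface ACL; deny it explicitly so the firewall IP does not answer probes.
icmp deny any outside

! Optional: the threat-detection shun suggested above. The "except" line keeps the
! whitelisted client from being shunned by its own legitimate traffic.
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection scanning-threat shun except ip-address 198.51.100.5 255.255.255.255
```

Verify with `show access-list OUTSIDE-IN` (hit counts on the deny line show the dropped noise) and `show threat-detection shun` if the shun is enabled.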

tvotna
Spotlight

What you described in the "situation" section is sufficient. Just open those 2-3 ports to the server and block everything else. By default ASA/FTD doesn't send ICMP unreachable or TCP RST in response to inbound requests which are blocked by the ACL, which makes "discovery" of the firewall a bit more difficult. Also, ASA/FTD doesn't listen on any port, unless explicitly configured to do so. Don't configure any other "protection", like threat detection, unless you want to shoot yourself in the foot.
