Getting DoSed on Cisco ASA 5520

manish arora
Level 6

Hi Guys,

I am currently getting DoS/DDoS on my ASA 5520; the attacker is hitting IPs that are not even open on any port. The attack is filling up the queues on the firewall, which is at 99% CPU during the attack. Here's the NetFlow info that I was able to get from my ISP (since I don't have a router to do that).

Any help or suggestions are welcome :-

Today :-

ip-source-address*  ip-destination-address*  flows       octets    packets   duration
0.0.0.0             69.x.x0.183                199   2211668224   48079744     911488
0.0.0.0             74.x.x.168                  58       562048       7936     437760
0.0.0.0             74.x.x.221                  48       447360       6400     356352
0.0.0.0             74.x.x.244                  10       197120       1280      69504
0.0.0.0             69.x.x.186                   5       189056        640      27328

Yesterday:-

ip-source-address*  ip-destination-address*  flows   octets   packets   duration
4.68.63.5           74.x.x.82                    1     7168       128       8000
151.164.190.66      74.x.x.82                    1     7168       128       8832
71.5.178.114        74.x.x.82                    1     7168       128          0
89.33.218.115       74.x.x.82                    1     7168       128         64
148.74.3.5          74.x.x.82                    1     7168       128       4160
123.139.188.194     74.x.x.82                    1     7168       128          0
88.84.49.9          74.x.x.82                    1     7168       128          0
59.145.102.133      74.x.x.82                    1     7168       128          0
77.7.181.132        74.x.x.82                    1     7168       128          0
98.93.46.126        74.x.x.82                    1     6912       128        448
71.195.27.88        74.x.x.82                    1     5888       128          0
133.145.155.168     74.x.x.82                    1     5888       128          0

Thanks

Manish
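The kind of triage one would run over an ISP flow summary like the two above, as an added example that is not part of the original post: it parses the whitespace-separated export, flags records whose source falls in a reserved/unroutable range (0.0.0.0/8 being the one seen here), ranks destinations by packet count, and computes bytes per packet so a packet-rate flood stands out from a bandwidth flood. The sample rows are constructed from the numbers in the post; the victim hosts are TEST-NET-3 placeholders for the masked 69.x/74.x addresses and the non-zero sources are TEST-NET-2 placeholders, and the bogon list is a subset of the usual one, not an ASA feature.

```python
"""Triage an ISP NetFlow top-talker summary for DDoS indicators (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Reserved / unroutable source ranges that should never arrive from the Internet.
# Assumption: a subset of the standard bogon list, chosen for this example.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample in the same column layout as the ISP export in the post.
# Destinations are TEST-NET-3 placeholders for the post's masked 69.x/74.x hosts;
# the non-zero sources are TEST-NET-2 placeholders. Counters are the post's.
SAMPLE = """\
ip-source-address* ip-destination-address* flows octets packets duration
0.0.0.0 203.0.113.183 199 2211668224 48079744 911488
0.0.0.0 203.0.113.168 58 562048 7936 437760
0.0.0.0 203.0.113.221 48 447360 6400 356352
198.51.100.5 203.0.113.82 1 7168 128 8000
198.51.100.66 203.0.113.82 1 7168 128 8832
198.51.100.114 203.0.113.82 1 5888 128 0
"""


@dataclass
class FlowRecord:
    src: str
    dst: str
    flows: int
    octets: int
    packets: int
    duration: int

    def avg_packet_size(self) -> float:
        """Bytes per packet; a small value points at a packet-rate (pps) flood."""
        return self.octets / self.packets if self.packets else 0.0


def is_bogon(addr: str) -> bool:
    """True if the address lies in one of the reserved ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def parse_flows(text: str) -> list[FlowRecord]:
    """Parse whitespace-separated rows; the header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[2].isdigit():
            continue
        src, dst = parts[0], parts[1]
        flows, octets, packets, duration = (int(p) for p in parts[2:])
        records.append(FlowRecord(src, dst, flows, octets, packets, duration))
    return records


def triage(records: list[FlowRecord], min_packets: int = 1000) -> dict:
    """Rank destinations by packet volume and collect spoofed/bogon sources."""
    by_dst = defaultdict(lambda: {"packets": 0, "octets": 0, "sources": set()})
    bogon_sources = set()
    for r in records:
        d = by_dst[r.dst]
        d["packets"] += r.packets
        d["octets"] += r.octets
        d["sources"].add(r.src)
        if is_bogon(r.src):
            bogon_sources.add(r.src)
    ranked = sorted(by_dst.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    return {
        "ranked": [(dst, d["packets"], d["octets"]) for dst, d in ranked],
        "hot_destinations": [dst for dst, d in ranked if d["packets"] >= min_packets],
        "bogon_sources": bogon_sources,
    }


if __name__ == "__main__":
    recs = parse_flows(SAMPLE)
    result = triage(recs)
    print("bogon sources seen:", sorted(result["bogon_sources"]))
    print("destinations over threshold:", result["hot_destinations"])
    for r in recs:
        print(f"{r.src:>15} -> {r.dst:<15} {r.packets:>9} pkts "
              f"avg {r.avg_packet_size():6.1f} B")
```

Run as-is on the constructed sample it flags 0.0.0.0 as the only bogon source and puts the .183 host at the top of the ranking; the byte/packet ratio on that top record works out to 46 bytes per the post's own counters, which is what makes the ASA's per-packet session-management cost the bottleneck rather than link bandwidth.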

9 Replies

Thanks MV, I have tried that; in fact the IP that is under attack is not even open in the firewall access list. It's just the amount of traffic that is overwhelming my 5520 right now, which starts to tail-drop packets it is unable to process.

Manish

Hi Manish,

This is interesting. I believe that unless a flow/connection is open through which the hacker is able to reach the resources, it is hard to drive ASA processes to 99%. I have no doubt about your findings, but are you sure this is what is causing your ASA CPU to go to 99%? You may need to look into an IPS solution or reach out to the providers of the IPs you observed in the logs and report abuse. Let's see if experts/Cisco gurus suggest any other solution.

Thx

MS

a.matahen
Level 1

I totally agree with mvsheik123. Do you have a lengthy outside ACL? I would say check what process is consuming the CPU and based on that we will see what can be done!

Hi mv/a.mata,

Yes, I was as surprised as you guys are. I am running 8.2(0) and have 36 lines in the access list on the outside interface.

Yesterday when I got slammed on the domain it was from all over the world; I signed up for an expensive DDoS protection server and survived. Today the guy/guys just used a source IP of 0.0.0.0 and attacked the next possible IP in my range, which is not open on any port in my firewall. It filled up the interface queue on the FW and everything else started to tail drop. He is using multiple flows of big packets with 128 packets per IP.

I asked my ISP to block 0.0.0.0/32, but they were scared to do that, fearing it would do something to their default route, etc. Anyway, I managed to null-route my own IPs to survive for right now, until the attacker changes the IP again.

I am working on some other non-technical means to avoid this person, but was wondering how you guys safeguard against these issues. I mean I would most likely redesign the datacenter if needed with better equipment, like using Cisco Guard, etc., if that is the industry norm.

Thanks for all your help.

Manish

Hi Manish,

Your ISP can safely deny any requests originating with source 0.0.0.0 to your subnet on their router interface pointing to your handoff/infra. I don't see any issue with that. In case the ISP does not want to make any changes, IPS may be your option. You can also try basic security configs on the ASA: 8.0 has the 'ip verify reverse-path interface' and 'ip audit' (basic IPS) options available. Once again, the traffic still needs to hit the ASA for inspection. As I mentioned in my first reply, let's see if any experts shed some light on this kind of scenario. Hopefully we learn some good security practices that we are not aware of.

Thx

MS
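What the two controls named in the reply above actually decide per packet, as an added example and not code from the original thread: a strict unicast reverse-path check (the idea behind the ASA's 'ip verify reverse-path interface') evaluated against a small routing table, placed behind an anti-spoof deny list of the kind the thread asks the ISP to apply at its edge. The routing table, interface names and addresses (TEST-NET-2/TEST-NET-3) are constructed for the example. One modelling assumption is worth stating: the simulation treats a default route as a valid reverse path, so a 0.0.0.0 source arriving on the default-route interface passes uRPF alone and is only stopped by the explicit deny entry, which is why the reply pairs the ASA check with an ISP-side filter.

```python
"""Strict uRPF plus anti-spoof ACL decision, simulated (added example)."""
import ipaddress

# Reserved ranges the thread wants dropped at the ISP edge, 0.0.0.0/8 above all.
# Assumption: a subset of the standard bogon list, chosen for this example.
ANTI_SPOOF_DENY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class Fib:
    """Minimal longest-prefix-match routing table: prefix -> egress interface."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr: str):
        """Return the egress interface of the most specific matching route, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def rpf_passes(fib: Fib, src: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the route back to src leaves via the ingress
    interface. Modelling assumption: a default route counts as a matching reverse
    path, so unknown sources arriving on the default-route interface pass."""
    return fib.lookup(src) == ingress


def filter_packet(fib: Fib, src: str, ingress: str, acl=ANTI_SPOOF_DENY):
    """Return (verdict, reason). The deny list is evaluated first, then uRPF."""
    ip = ipaddress.ip_address(src)
    for net in acl:
        if ip in net:
            return "drop", f"acl: source {src} in {net}"
    if not rpf_passes(fib, src, ingress):
        return "drop", f"urpf: no reverse path to {src} via {ingress}"
    return "accept", "passed acl and urpf"


# Constructed ASA-style table: default route toward the ISP on 'outside',
# a TEST-NET-3 customer block behind 'inside'.
ASA_FIB = Fib([("0.0.0.0/0", "outside"), ("203.0.113.0/24", "inside")])


def demo():
    """Run the four cases a firewall admin would want to see decided."""
    cases = [
        ("203.0.113.82", "outside"),   # spoofed with our own inside prefix
        ("0.0.0.0", "outside"),        # the source used in the attack
        ("198.51.100.7", "outside"),   # ordinary Internet host
        ("203.0.113.82", "inside"),    # legitimate inside host
    ]
    return {(s, i): filter_packet(ASA_FIB, s, i) for s, i in cases}


if __name__ == "__main__":
    for (src, ingress), (verdict, reason) in demo().items():
        print(f"{src:>14} on {ingress:<8} -> {verdict:<6} ({reason})")
    # uRPF alone, no deny list: the 0.0.0.0 source is accepted via the default route
    print("0.0.0.0 with uRPF only:", filter_packet(ASA_FIB, "0.0.0.0", "outside", acl=[]))
```

The inside-prefix spoof is caught by uRPF because the best route to 203.0.113.82 points at 'inside', not the interface the packet came in on; the 0.0.0.0 source is only caught by the deny entry. Either way the packet has already been received and classified, which is the point made later in the thread: the lookup still costs CPU on the box doing it, so the filter belongs as far upstream as the ISP will put it.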

Patrick0711
Level 3

Remember, the packets still need to be processed in session management, even if they're denied. In this case, the number of ACL lookups that the firewall has to perform is causing the CPU to spike. There's little you can do on the ASA in this scenario since the source IPs are spoofed. As mentioned above, your ISP should be able to do something about routing packets with a 0.0.0.0 address (which I would imagine they should already be doing) if that is the only source.

Patrick0711
Level 3

*session management path

Thank you MV & Patrick,

I was able to convince the ISP to block 0.0.0.0/32 and got DDoS protection for the time being. But I was wondering if any of you have used the Cisco Guard (or even the Guard card in chassis-based devices like the 6509, etc.).

I have to build a new network for a small startup and they can't afford to be taken down by their competitors using botnet traffic, etc. Any suggestions are welcome.

Thanks again

Manish
