05-04-2012 10:46 AM - edited 03-11-2019 04:02 PM
Hi Guys,
I am currently getting DoS/DDoS on my ASA 5520; the attacker is hitting IPs that are not even open on any port. The attack is filling up the queues on the firewall, which is at 99% CPU during the attack. Here's the NetFlow info that I was able to get from my ISP (since I don't have a router to do that).
Any help or suggestions are welcome:
Today:
ip-source-address* ip-destination-address* flows octets packets duration
0.0.0.0 69.x.x0.183 199 2211668224 48079744 911488
0.0.0.0 74.x.x.168 58 562048 7936 437760
0.0.0.0 74.x.x.221 48 447360 6400 356352
0.0.0.0 74.x.x.244 10 197120 1280 69504
0.0.0.0 69.x.x.186 5 189056 640 27328
Yesterday:
ip-source-address* ip-destination-address* flows octets packets duration
4.68.63.5 74.x.x.82 1 7168 128 8000
151.164.190.66 74.x.x.82 1 7168 128 8832
71.5.178.114 74.x.x.82 1 7168 128 0
89.33.218.115 74.x.x.82 1 7168 128 64
148.74.3.5 74.x.x.82 1 7168 128 4160
123.139.188.194 74.x.x.82 1 7168 128 0
88.84.49.9 74.x.x.82 1 7168 128 0
59.145.102.133 74.x.x.82 1 7168 128 0
77.7.181.132 74.x.x.82 1 7168 128 0
98.93.46.126 74.x.x.82 1 6912 128 448
71.195.27.88 74.x.x.82 1 5888 128 0
133.145.155.168 74.x.x.82 1 5888 128 0
Thanks
Manish
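A quick triage pass over NetFlow summary lines in the layout shown above, as an added example (not code from this thread); the sample rows and the local prefix 198.51.100.0/24 are constructed documentation addresses standing in for the masked ones, and the bogon list is an assumption about what the upstream should already be filtering:

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the ISP's NetFlow summary layout; addresses are documentation ranges.
SAMPLE = """\
ip-source-address ip-destination-address flows octets packets duration
0.0.0.0 198.51.100.183 199 2211668224 48079744 911488
0.0.0.0 198.51.100.168 58 562048 7936 437760
203.0.113.5 198.51.100.82 1 7168 128 8000
198.51.100.20 198.51.100.82 1 7168 128 0
"""

Flow = namedtuple("Flow", "src dst flows octets packets duration")
# Source prefixes that should never arrive from the Internet (what an upstream ACL / uRPF filters).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_flows(text):
    # Skip the header line and anything that is not a six-column data row.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0][0].isdigit():
            rows.append(Flow(parts[0], parts[1], *map(int, parts[2:])))
    return rows

def source_anomalies(flow, local_net):
    """Why this source should never have arrived on the outside interface."""
    ip = ipaddress.ip_address(flow.src)
    reasons = []
    if ip.is_unspecified:
        reasons.append("unspecified source 0.0.0.0")
    elif any(ip in net for net in BOGONS):
        reasons.append("bogon source")
    if ip in local_net:
        reasons.append("our own prefix used as source (spoofed)")
    return reasons

def triage(text, local_net="198.51.100.0/24"):
    # Flag spoofed-source flows and size them against all sampled traffic.
    net = ipaddress.ip_network(local_net)
    flows = parse_flows(text)
    total = sum(f.packets for f in flows) or 1
    report = {}
    for f in flows:
        reasons = source_anomalies(f, net)
        if reasons:
            report[(f.src, f.dst)] = {"reasons": reasons,
                                      "avg_bytes_per_packet": f.octets // f.packets,
                                      "share_of_packets": round(f.packets / total, 4)}
    return report
```

The output gives the ISP a concrete list of source prefixes to deny on the hand-off interface, plus the average packet size, which tells you whether the attack is packet-rate or bandwidth bound.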
05-04-2012 11:35 AM
Check if the below links help resolve the issue...
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
https://supportforums.cisco.com/thread/2040136
hth
MS
05-04-2012 11:53 AM
Thanks MV, I have tried that; in fact the IP that is under attack is not even open in the firewall access list. It's just the amount of traffic that is overwhelming my 5520 right now, which starts to tail-drop packets it is unable to process.
Manish
05-04-2012 12:28 PM
Hi Manish,
This is interesting. I believe that unless a flow/connection is open through which the hacker is able to reach the resources, it is hard to surge ASA processes to 99%. I have no doubt about your findings, but are you sure this is what is causing your ASA CPU to go to 99%? You may need to look into an IPS solution or reach out to the providers of the IPs (you observed in the logs) and report abuse. Let's see if experts/Cisco gurus suggest any other solution.
Thx
MS
05-04-2012 12:46 PM
I totally agree with mvsheik123. Do you have a lengthy outside ACL? I would say check what process is consuming the CPU and based on that we will see what can be done!
05-04-2012 01:20 PM
Hi mv/a.mata,
Yes, I was as surprised as you guys are. I am running 8.2(0) and have 36 lines in the access list on the outside interface.
Yesterday when I got slammed on the domain it was from all over the world; I signed up for an expensive DDoS protection service and survived. Today the guy/guys just used a source IP of 0.0.0.0 and attacked the next possible IP in my range, which is not open on any port in my firewall. That filled up the interface queue on the FW and everything else started to tail-drop. He is using multiple flows of big packets with 128 packets per IP.
I asked my ISP to block 0.0.0.0/32 but he was scared to do that, fearing it would do something to their default route etc. Anyway, I managed to null-route my own IPs to survive for right now, until the attacker changes the IP again.
I am working on some other non-tech ways to avoid this person but was wondering how you guys safeguard against these issues. I mean I would most likely redesign the datacenter if needed with better equipment like Cisco Guard etc., if that is the industry norm.
Thanks for all your help.
Manish
05-04-2012 04:34 PM
Hi Manish,
Your ISP can safely deny any requests originated with source 0.0.0.0 to your subnet on their router interface pointing to your handoff/infra. I don't see any issue with that. In case the ISP does not want to make any changes, IPS may be your option. You can also try basic security configs on the ASA: 8.0 has 'ip verify reverse-path interface' and ip audit (basic IPS) options available. Once again, the traffic still needs to hit the ASA for inspection. As I mentioned in my first reply, let's see if any experts shed some light on this kind of scenario. Hopefully we learn some good security practices that we are not aware of.
Thx
MS
05-05-2012 01:30 PM
Remember, the packets still need to be processed in the session management, even if they're denied. In this case, the number of ACL lookups that the firewall has to perform is causing the CPU to spike. There's little you can do on the ASA in this scenario since the source IPs are spoofed. As mentioned above, your ISP should be able to do something about routing packets with a 0.0.0.0 address (which I would imagine they should already be doing) if that is the only source.
05-05-2012 01:31 PM
*session management path
05-05-2012 03:44 PM
Thank you Mv & Patrick,
I was able to convince the ISP to block 0.0.0.0/32 and got DDoS protection for the time being. But I was wondering if any of you have used the Cisco Guard (or even the Guard card in chassis-based devices like the 6509 etc.).
I have to build a new network for a small startup and they can't afford to be taken down by their competitors using botnet traffic etc. Any suggestions are welcome.
Thanks again
Manish