cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

927
Views
0
Helpful
6
Replies
Highlighted
Beginner

network is super slow after a lot of deny tcp log in ASA 5510

Hi all expert,

I used the ASA 5510 and in these days, facing the problem is internet is very slow. When i check in real-time log viewer debugging, i found the following logs

6|Jun 29 2011|15:47:53|106015|123.123.123.123|416|111.222.111.222|80|Deny TCP (no connection) from

123.123.123.123/416 to 111.222.111.222/80 flags ACK  on interface Inside

4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:

111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

a lot of log message are come out and I notice that 111.222.111.222 ip is try to attack my network. In that moment, my network is very slow and nearly to be down.  When I block with that ip by access list, network is up again. But after a few moment, attack from other ip, it's so terrible and so tired to block a lot of ip by acl.

Please give me advise how to prevent this issue.

Thanks ,

6 REPLIES 6
Highlighted
Advocate

Hi Chan,

I would suggest you to shun the IP address on the firewall, but this attack should be mitigated on any other upstream device rather than the firewall.

shun 111.222.111.222

Hope this helps

Thanks

Varun

Thanks,
Varun Rao
Highlighted

Hi Varun,

         Thanks for advise. but attacking ip is always changing from different location. How can I prevent for multiple location & IP in ASA.

Thanks,

Chan

Highlighted

Is the source IP always changing?? Or is it always sending requests for a different destination IP???

Varun

Thanks,
Varun Rao
Highlighted

Your log show that this is being blocked on inside.  Maybe

123.123.123.123 is infected?

Highlighted

Hi Varun & Reed,

             Source IP is always change ( that is not  our local source IP ) and Destination IP is not change. It seem like  that :

4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside:

111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

4|Jun 29 2011|15:47:53|106023|100.200.100.200|852|111.222.111.222|80|Deny tcp src Inside:100.200.100.200/852 dst Outside:

111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]

Actually  111.222.111.222, 123.123.123.123 and 100.200.100.200 are not our  Internal public IP. When I block 111.222.111.222,  internet is ok and  after a few time come from another IP. So it's terrible to monitor and  try to block all IP in every time.

I try to configure  in outside interface with this command " ip verify reverse-path  interface outside " , and also try to block with shun command.

Please suggest me what should I do to prevent my network .

Thanks,

Chan

Highlighted

Hi Chan,

You can look into threat detection with shunning enabled as an option. But BEWARE, that can cause high CPU on the firewall and should be used only temporarily. Better to have your ISP look into it and try blocking the source of the attacks.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

Regards,

Prapanch

Content for Community-Ad