09-17-2012 07:01 PM - edited 03-11-2019 04:55 PM
Hi, is there a way to prevent DOS attacks using a Cisco ASA?
09-17-2012 09:01 PM
Hello Gavin,
Of course there is.
As a security device, it lets you configure a maximum number of connections per translation.
You can also set a maximum total number of embryonic connections and a maximum number of embryonic connections per client.
You can use the TCP intercept feature: as soon as the ASA detects that the limit has been reached, it replies to every new TCP SYN packet with a SYN-ACK carrying a cookie that the client must respond to in order to validate the connection.
You can use the AIP-SSM and enable the signatures for DoS flood packets.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#topic1
Regards,
Julio
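As an added example (not taken from Julio's post or from Cisco's documentation), here is how the limits he describes are expressed in ASA Modular Policy Framework configuration. The server address 203.0.113.10, the object and policy names and the numeric limits are assumed placeholders; tune them to your own traffic baseline, and remember that the default of 0 for the embryonic limits means "unlimited", so TCP intercept never triggers until you set a value.

```cisco
! Added example: embryonic (half-open) connection limits that trigger
! TCP intercept (SYN cookies) for a single published web server.
! 203.0.113.10 and every name and number below are assumed placeholders.
!
! 1. Select the traffic to protect: inbound TCP/80 to the web server.
access-list WEB_SERVER_IN extended permit tcp any host 203.0.113.10 eq 80
!
class-map WEB_SERVER_CONN
 match access-list WEB_SERVER_IN
!
! 2. Apply the limits. Once embryonic-conn-max is reached, the ASA answers
!    new SYNs itself with a SYN-ACK carrying a cookie and only opens the
!    connection to the server after the client completes the handshake.
!    The per-client limits cap what any single source can hold open.
policy-map OUTSIDE_POLICY
 class WEB_SERVER_CONN
  set connection conn-max 10000 embryonic-conn-max 1000
  set connection per-client-max 100 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:20
!
! 3. Attach the policy to the interface facing the untrusted network.
service-policy OUTSIDE_POLICY interface outside
!
! Verification (run from enable mode):
!   show service-policy interface outside   - per-class connection counters
!   show conn detail                        - current sessions, incl. half-open
```

Watch the embryonic counters during normal peak traffic before lowering the limits further; a limit set below the legitimate baseline turns the protection itself into a self-inflicted outage.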
09-17-2012 09:26 PM
Hi
I would state that it depends.
One way to perform a DOS/DDOS attack typically involves looking through your website, finding a big file (e.g. a picture) and simply setting thousands of computers (e.g. a botnet) to download that file.
It is legitimate surfing, but it uses up all your bandwidth and things get bogged down to less than a crawl.
Another way to perform an overflow attack is simply to send enough UDP/ICMP traffic to overwhelm your link.
Then it does not matter what you do or what you have at your end, since the link is already saturated when the traffic hits your firewall.
And there are many more ways to make sure that your site is either unreachable or overwhelmed.
There are some features in the ASA that will help you, but for a serious DOS adversary you will have to work with your ISP to filter traffic going onto the link,
and ultimately there is not much you can do about it.
Examples of organisations that have suffered from DOS attacks:
Estonian government
Swedish police
VISA
Swedish state radio tv
Iranian government
If you look at the list, they are pretty big companies/organisations, well stocked with resources, and still they cannot fight it off.
If you think they are not doing what they can to keep their websites open, you are sadly mistaken.
That said, there are some nice features in the ASA to help you mitigate DOS/DDOS threats,
but they will not protect you (nothing will) from a serious DOS/DDOS attacker.
Good luck
HTH
09-17-2012 10:04 PM
Hello Hobbe,
I agree with you. I mean, there is nothing we can't do in this world, so as security engineers we try to do our best to make our network as secure as possible, and the ASA will allow us to mitigate these attacks with different approaches.
And of course, if your link gets full of data from botnet zombies you are kind of ..... but for that you can work with your ISP.
Now, on the ASA, we need to make sure we are doing our best to enforce and protect your internal network from external users, and we can make that happen with the setup I sent you before.
Regards
09-26-2013 06:17 PM
Hi,
If you have configured NetFlow, check the flow; enable DNS inspection and DNS guard...
You can refer to http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
Thanks
Pranesh