cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
668
Views
0
Helpful
4
Replies

Very urgent case: DDOS on the outside interface using port80

b.njjad
Level 1
Level 1

dear all :

i am facing very urgent and critical DDOS on the port 80 on one of our webservers

The Case:

  • •1- Too much traffic from too many different ips around the world asking the webserver on the HTTP(80)port which is opened to any one based on our requirement. Please have a look to the attached file.
  • •2- The cisco ASA cpu was full 100% and the memory gets 2367 from 4000MB.
  • •3- The access to ASA ASDM and everything behind it was down periodically through the attack time(about two hours )

the Notices:

  • •1- ACL(Packet filtering based on the source and destination ips) is checked first on the firewall,then Service policy(More features related to the maximum incomplete ,complete per client and total TCP & UDP connections/FTP ,Http and other application layer protocols )is checked secondly.
  • •2- Service Policy is taking more CPU Load.

Previous Configuration for the service policy :

  • •1- For all HTTP opened port servers,

Per Client concurrently : maximum incomplete TCP/UDP (1000) and completeTCP/UDP (500) per client

Total TCP/UDP: Unlimtied(up to 65000 connections)

  • •2- The attacker uses too many different IPs(not repeated as shown in the attached file,that’s why the basic threat detection couldn’t shun and drop it)
  • •3- During the attack the CPU was full due to ACL processing which allows the traffic to webserver on port 80.even if I denied this traffic the CPU Load decreased to 80%,

please anybody can help the ASA CPU is overloaded and i am afraid to be crashed.i am thinking towards limiting the total TCP/UDP connections to this webserver but even that the cpu is still reaching to 90%

4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Basel,

I can understand your concern, Is there a way you can contact your ISP so you can limit that on their side ( this so the WAN link does not get oversubscriped) because even if you stop the attack on your outside interface the WAN link will be saturated already....

I mean with this kind of attacks ( a bunch of botnet devices attacking your servers ) the ASA would not be the proper tool to use, you should restrict that traffic outside the WAN pipe,

You could take captures on port 80 so you can match the patterns on the attacks ( the payload used for all of the botnet devices would be the same so you could configure an HTTP policy map matching those strings )

That and the SYN cookies would be the ways to go,

Regards,

Note: I would recommend to open a TAC case ( do you have a valid contract ? ) to work on this ASAP,

Hope that I could help

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Jcarvaja;

thank you very much for reply ,

my question is can the feature : "Botnet Traffic Filter " solve this case?

if we buy the license for this feature and enable it , which dynamically updates ASA signatures database with most popular attacks patterns from cisco

,Actually we found before a week some script executing on the same infected server,and the oveloading was from inside interface of that server due to sending the traffic to its Botnet Control.what we did we remove that script then i stop the outgoing traffic from the infected server since it is just web server needs to listen to port 80 not to  send any traffic .

but after that the overloading became on the outside due the previous case.

please advise .

   How the ASA Uses the Dynamic Database

The ASA uses the dynamic database as follows:

1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache.

2. When the infected host starts a connection to the IP address of the malware site, then the ASA sends a syslog message informing you of the suspicious activity and optionally drops the traffic if you configured the ASA to do so.

3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs or drops any traffic to that IP address without having to inspect DNS requests.

in your case:

Since computers from outside are connecting to a webserver that exists behind your ASA as against computers behind your ASA connecting to bad known websites out on the internet, no dns lookup is going to happen that ASA is going to be able to inspect

Thus unless IPs that are attacking you are in the dynamic database (Point 3 as mentioned above)  I don't think botnet filtering is really going to help you

Hello Basel,

Based on the problem description, no.. It will not help,

I will recommend to follow my suggestions,

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card