I manage an equipment demo network accessed via the old Cisco VPN Client. Last night the router seems to have become the subject of attacks that overload the remote access in such a way as to deny legitimate remote access. No unauthorised remote logins have occurred, but the continued connections are a DoS.
Using the command show aaa user all shows dozens of connections like this:
Unique id 67 is currently in use.
  Accounting:
   log=0x18001
   Events recorded :
     CALL START
     INTERIM START
     INTERIM STOP
   update method(s) :
     NONE
   update interval = 0
   Outstanding Stop Records : 0
   Dynamic attribute list:
     66534E00 0 00000001 connect-progress(36) 4 No Progress
     66534E14 0 00000001 pre-session-time(254) 4 19965(4DFD)
     66534E28 0 00000001 elapsed_time(324) 4 0(0)
     66534E3C 0 00000001 pre-bytes-in(250) 4 0(0)
     66534E50 0 00000001 pre-bytes-out(251) 4 0(0)
     66534E64 0 00000001 pre-paks-in(252) 4 0(0)
     66534E78 0 00000001 pre-paks-out(253) 4 0(0)
   No data for type EXEC
   No data for type CONN
   NET: Username=(n/a)
     Session Id=00000040 Unique Id=00000043
     Start Sent=0 Stop Only=N
     stop_has_been_sent=N
     Method List=0
     Attribute list:
       66534E00 0 00000001 start_time(327) 4 Dec 16 2016 14:54:43
       66534E14 0 00000001 session-id(322) 4 64(40)
   No data for type CMD
   No data for type SYSTEM
   No data for type RM CALL
   No data for type RM VPDN
   No data for type AUTH PROXY
   No data for type CALL
   No data for type VPDN-TUNNEL
   No data for type VPDN-TUNNEL-LINK
   No data for type 11
   No data for type IPSEC-TUNNEL
   No data for type 13
   No data for type RESOURCE
  Debg: No data available
  Radi: No data available
  Interface:
   TTY Num = -1
   Stop Received = 0
   Byte/Packet Counts till Call Start:
     Start Bytes In = 0 Start Bytes Out = 0
     Start Paks In = 0 Start Paks Out = 0
   Byte/Packet Counts till Service Up:
     Pre Bytes In = 0 Pre Bytes Out = 0
     Pre Paks In = 0 Pre Paks Out = 0
   Cumulative Byte/Packet Counts :
     Bytes In = 0 Bytes Out = 0
     Paks In = 0 Paks Out = 0
   StartTime = 14:54:43 UTC Dec 16 2016
   Component = VPN_IPSEC
  Authen: service=LOGIN type=ASCII method=LOCAL
  Kerb: No data available
  Meth: No data available
  Preauth: No Preauth data.
  General:
   Unique Id = 00000043
   Session Id = 00000040
   Attribute List:
     66534E00 0 00000001 port-type(162) 4 Virtual Terminal
     66534E14 0 00000009 interface(158) 13 W.X.Y.Z
  PerU: No data available
  Service Profile: No Service Profile data.
Where W.X.Y.Z is the IP address of the attacker.
I've added a temporary ACL on the class A subnet from where the attacks originate to the public interface of the router, but it has no effect:
interface FastEthernet0/1
 description Outside interface
 ip address .... ....
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
access-list 101 remark temporary attack block attack
access-list 101 deny ip W.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
The relevant local AAA config is:
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
username ABCD secret 5 ....
I'm struggling to get my head around what's happening, probably not helped by the fact this all occurred at midnight.
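As an added example (not part of the original post), here is a small parser for the show aaa user all records quoted above: it pulls the unique id, start_time(327), Component and interface(158) peer address out of each record and counts sessions per peer, so a flood of sessions from one address like the one described stands out. The field names come from the quoted output; the sample records and their addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: three records in the shape of the quoted output,
# with unrelated fields elided by "..." and made-up RFC 5737 addresses.
SAMPLE_OUTPUT = """
Unique id 67 is currently in use. Accounting: log=0x18001 ... start_time(327) 4 Dec 16 2016 14:54:43 ... Component = VPN_IPSEC ... interface(158) 13 198.51.100.7 PerU: No data available
Unique id 68 is currently in use. Accounting: log=0x18001 ... start_time(327) 4 Dec 16 2016 14:55:01 ... Component = VPN_IPSEC ... interface(158) 13 198.51.100.7 PerU: No data available
Unique id 69 is currently in use. Accounting: log=0x18001 ... start_time(327) 4 Dec 16 2016 15:02:10 ... Component = VPN_IPSEC ... interface(158) 12 203.0.113.9 PerU: No data available
"""

RECORD_START = r"(?=Unique id \d+ is currently in use)"
ID_RE = re.compile(r"Unique id (\d+) is currently in use")
# attribute entries look like: <addr> 0 <flags> name(num) <len> <value>
START_RE = re.compile(r"start_time\(327\)\s+\d+\s+(\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d)")
COMPONENT_RE = re.compile(r"Component = (\S+)")
PEER_RE = re.compile(r"interface\(158\)\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})")

def _first(rx, chunk):
    """First capture group of rx in chunk, or None if absent."""
    m = rx.search(chunk)
    return m.group(1) if m else None

def parse_sessions(text):
    """Return one dict per session record; works on flattened or multi-line output."""
    sessions = []
    for chunk in re.split(RECORD_START, text):
        ident = ID_RE.search(chunk)
        if not ident:
            continue  # leading whitespace or text before the first record
        sessions.append({
            "unique_id": int(ident.group(1)),
            "start_time": _first(START_RE, chunk),
            "component": _first(COMPONENT_RE, chunk),
            "peer_ip": _first(PEER_RE, chunk),
        })
    return sessions

def peers_over_threshold(sessions, threshold):
    """Map peer address -> session count, keeping peers at or above threshold."""
    counts = Counter(s["peer_ip"] for s in sessions if s["peer_ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    noisy = peers_over_threshold(parse_sessions(SAMPLE_OUTPUT), 2)
    for ip, n in sorted(noisy.items()):
        print(f"{ip}: {n} sessions")
```

Feeding it the real command output (pasted into a file) gives the per-peer counts to compare against the address the ACL is meant to cover.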