cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
435
Views
0
Helpful
2
Replies
MikeM-2468
Beginner

Where to block traffic

Is there a consensus or best practice that covers where is the best place to block unwanted traffic?  By that I mean, should I block it at the router, firewall, IPS?  As an example, I'm dealing with DNS flood attacks - probably DDoS and reflection.  I have a pair of Cisco 2821 routers with two different ISPs doing BGP.  Behind that I have an ASA 5510 with IPS module.  Behind that I have 2 public DNS servers.  Over the last few days I've seen an increase in bogus DNS queries - high volume, distributed.  My question is where is the best place to put the ACL to block them? I've been putting them on the ASA, but when the attack is running, it jacks the CPU to 60%.  If I don't put the ACL, the IPS seems to pick them up after a while and the CPU is almost as high as with the ACL.  I haven't tried to put the ACL on the routers.  I wanted to seek input first.

2 REPLIES 2
Bilal Nawaz
Engager

Hello, I think the general consensus is to block the unwanted traffic as close to the source as possible.

Now, firewalls are meant to be built and designed to handle this kind of thing, but if it doesn't seem to be coping well with a suspected attack, I would definitely raise it with the vendor, in this case Cisco TAC.

Just to tell them that this is happening and if its expected for the CPU to shoot up to 60% just like that. Perhaps they may have some suggestions to offer on how to deal with this kind of thing better.

It may be that the firewall needs to have a bit more grunt? i.e. a higher spec'd FW. ASA's are commonly used at the internet edge amongst some of the major banks to do most of the grunt work and a second tier of FW's that are in behind where the DMZ is. But then we go towards a design conversation....

Since you have a public facing DNS, it doesn't come at a surprise that there are bogus DNS queries being made. (myself, i dont know how to stop this from happening) It might be something that could be done on the DNS server side to protect itself from this kind of thing?

But I think you have positioned the ACL's/blocks at the correct point in your topology. ACL's applied inbound on the interface that is facing the internet edge. I feel this is more appropriate, but maybe someone else has another opinion on it.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

It turns out blocking at the ASA is a bad idea.  As the list of hosts to be blocked increases and the amount of traffic increases, the ASA quickly gets overwhelmed and the CPU spikes.  It's less damaging to let the DNS server handle the requests than it is to try to block with the ASA.

Also, Cisco doesn't seem to be able to handle the traffic with IPS signatures.