Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
744
Views
25
Helpful
2
Replies

ASA 5506 DoS Project

Kalle-P
Level 1
Level 1

‎03-06-2022 12:53 PM

Currently doing a project about DDoS attacks on the 5506 and cant figure out why UDP has some sort of output limit while TCP don't.??

Screenshot 2022-03-06 214604.png

Screenshot 2022-03-06 180840.png

Screenshot 2022-03-06 182657.png

   

Labels:
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎03-06-2022 02:05 PM

we are not sure what is the config applied in ASA, it is worth look below document for reference :

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html

 

On the latest ASA X model i did some tests in Lab work as expected the Limit. :

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Kalle-P
Level 1
Level 1
In response to balaji.bandi

‎03-07-2022 04:47 PM

The only configuration made on the ASA were to get connectivity between devices. I tried again with "threat-detection basic-threat" disabled and same thing happens. Do you mean that there is dos protection configuration made by cisco that wont show in the running config, because i can't find anything else on the documents linked

 

 

ASA Version 9.12(1)2
!
hostname ciscoasa
enable password ***** pbkdf2
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif outside
security-level 100
ip address 209.165.1.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1

management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-12-1-2-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
console timeout 0

dhcpd address 192.168.1.3-192.168.1.3 inside
dhcpd enable inside
!
dhcpd address 209.165.1.2-209.165.1.20 outside
dhcpd enable outside
!
threat-detection basic-threat
threat-detection statistics access-list
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a85eda45f66b6bc3cc8110383ceab0bb
: end

Customers Also Viewed These Support Documents