Brute force attacks towards ASA
04-23-2024 05:14 AM
Hi!
Over the last few weeks there has been a big increase in brute force attempts from all over the world against our Cisco ASAs. We use two factors, so we're not too afraid that they will actually access any of our accounts, but the problem is that they manage to lock out users.
We use Microsoft NPS as the RADIUS server for some of our accounts, and for some reason this auto-maps users from a partial username. For example: the attackers type in reception, and the NPS auto-maps this to an actual user (for example reception@domain.com).
I have tried to find a way so that the auto-mapping doesn't happen on the NPS, but I couldn't find a proper way to make this work.
I have also tried the threat-detection scanning-threat shun command, but the addresses don't get blocked. At this point we are manually blocking the IPs that the attacks come from, but they just change addresses. We have blocked thousands of IPs so far.
Do any of you have suggestions as to what we can try? We will get rid of the NPS soon, but until then we need some fix.
Thank you in advance.
Best!
Labels: AnyConnect, VPN
04-23-2024 05:29 AM
@Sonflaa Cisco recently released this guide on hardening Remote Access VPN: https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html#toc-hId-1707182889
04-23-2024 06:12 AM
Hi Rob!
Thank you for this. Yes, this will harden the ASA, but with 400 tunnel-groups configured and 20000 users connecting, it would be a big project to change all of the URLs. We will do that, but it will take some time. In the meantime we would like to stop the attacks somehow.
04-23-2024 05:54 AM
Unfortunately I don't believe the ASA would provide you with any stable, functioning protection against brute force attacks, and it sadly can't block geo traffic destined to itself. However, I think if you switch to certificate authentication, at least you would know that the firewall wouldn't process any request without a valid certificate, and that will cut off all that unnecessary traffic to the RADIUS server.
04-23-2024 06:10 AM
Hi Aref!
Thank you for your reply. Yes, changing to certificate would fix the problem, but we have almost 400 tunnel-groups so that's a big project (we are on it, but we would like to stop the attacks) that will take months.
04-23-2024 06:16 AM
How about configuring a control plane access list that denies all the countries that shouldn't initiate any connection to the ASA and allows the others?
04-23-2024 06:55 AM
We have customers from all over the world, so denying whole countries isn't an option, unfortunately.
04-23-2024 09:31 AM
Set up another device which can do TLS/JA3 filtering in front of the firewall. This has proven to be the most efficient way of allowing traffic from real AnyConnect clients and dropping everything else over TCP/443.
04-24-2024 06:01 AM - edited 04-24-2024 06:15 AM
Hi Sonflaa,
Just try to mitigate the attack before RADIUS. Cisco has released recommendations against password spray attacks: Recommendations Against Password Spray Attacks Impacting Remote Access VPN Services - Cisco
Look at step 2: Apply Hardening Measures for Remote Access VPN
-> Disable AAA Authentication in the DefaultWEBVPNGroup and DefaultRAGroup Connection Profiles -> you can use authentication by certificate, or use a sinkhole RADIUS (a new LDAP/RADIUS server group without any configuration)
-> point the DefaultRAGroup and DefaultWEBVPNGroup to this server group
config:
aaa-server AAA_Sinkhole protocol ldap
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AAA_Sinkhole
If you are using group-aliases under the tunnel-groups, the default tunnel-group/connection-profile (DefaultWEBVPNGroup) is not hit. My advice is to disable group-aliases; if you can't do so because your users are using them, just try to configure a dummy tunnel-group/connection-profile which the attackers will hit (for example tunnel-group aaa-sinkhole, group-alias aaa enable).
Also look at the Git IOCs/2024/04 at main · Cisco-Talos/IOCs · GitHub (attacker IP file -> large-scale-brute-force-activit..).
Good luck!
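The sinkhole procedure from the post above, written out as one complete ASA configuration. This is an added example, not the poster's or Cisco's own configuration; the server-group name AAA_Sinkhole, the dummy profile aaa-sinkhole and its alias aaa are taken from the post, while NPS_RADIUS and CUSTOMER_A are constructed placeholder names for the existing RADIUS server group and a real customer connection profile.

```cisco
! Sinkhole AAA server group: "protocol ldap" with no host configured behind it.
! Every authentication request sent to this group fails locally on the ASA,
! so nothing is forwarded to NPS and no real account can be locked out.
aaa-server AAA_Sinkhole protocol ldap
!
! Point both default connection profiles at the sinkhole. Connections that
! arrive without selecting a real profile (the usual case for sprayed logins)
! land here and never reach the RADIUS server.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AAA_Sinkhole
!
! When group-aliases are in use the default profiles are rarely hit, because
! clients pick an alias from the list. A dummy remote-access profile with a
! listed alias gives those attempts a place to fail harmlessly.
tunnel-group aaa-sinkhole type remote-access
tunnel-group aaa-sinkhole general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group aaa-sinkhole webvpn-attributes
 group-alias aaa enable
!
! Real customer profiles are left untouched and keep authenticating against
! the existing RADIUS server group (placeholder names, assumed to exist already):
! tunnel-group CUSTOMER_A general-attributes
!  authentication-server-group NPS_RADIUS
```

After applying it, confirm the defaults really point at the sinkhole with show running-config tunnel-group DefaultWEBVPNGroup and show running-config tunnel-group DefaultRAGroup, and check show aaa-server AAA_Sinkhole to see that the group has no servers. Failed attempts against the sinkhole still produce AAA rejection syslogs on the ASA, which is useful for tracking the attack volume without any of it touching NPS.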
04-24-2024 06:26 AM
Hello Sonflaa,
Please follow the link below; you can find a similar kind of discussion there. Hope it is helpful.
https://community.cisco.com/t5/email-security/asa-webvpn-brute-force-attack/td-p/4411454
Best regards