Preventing DoS attacks to WebVPN service. Is that possible?

tvotna
Spotlight

Just wondering how you guys prevent DoS attacks against the TCP/443 port on ASA/FTD firewalls used for RA VPN. It appears that ASA/FTD is wide open to them, and a moderate DoS (80 tps) that establishes TCP/443 connections and initiates TLS handshakes can bring every firewall to its knees: the 2560B and 9344B blocks are depleted and all through-the-box and to-the-box traffic stops, including SNMP polling and SSH management:

  SIZE    MAX    LOW    CNT
     0   8700   8063   8699
     4   1700   1649   1699
    80   9000   2417   8916
   256  13772   1103  11466
  1550  37434  23560  34994
  2048   8100   8032   8100
  2560   8192   3093   8184
  4096    100     97    100
  8192    100     99    100
  9344  20000      0      0
 16384    340    339    340
 65664     16     15     16
ASA# show blocks queue history
...
Analysis elapsed time: 9311 usec
Snapshot created at 18:42:14 UTC Jan 27 2024
Block Size: 2560
  Blk_cnt Last_Op Queue_Type             Id/Interface User         Context
     4950 alloc   snp_midmod_ssl_q       <na>         <na>
     3061 alloc   snp_midmod_am_q        <na>         <na>
       22 alloc   nitrox_ssl_q           <na>         <na>
ASA# show blocks exhaustion history list
Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out

Snaphot created at 19:00:40 UTC Jan 27 2024:
Snapshot created due to 9344 blocks running out
ASA# show asp drop | i ssl
SSL first record invalid (ssl-first-record-invalid) 50
SSL bad record detected (ssl-bad-record-detect) 1862525
SSL handshake failed (ssl-handshake-failed) 4704446
SSL malloc error (ssl-malloc-error) 19042
SSL record decryption failed (ssl-record-decrypt-error) 612

ASA# show counters protocol ssl_np | i ALLOCB
SSL_NP ALLOCB_STEP_UP 29 Summary
SSL_NP ALLOCB_FAILED 19042 Summary
ASA# show logging asdm | i ^1
...
1|Jan 27 2024 18:56:56|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 18:57:57|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 18:58:18|321007: System is low on free memory blocks of size 2560 (1 CNT out of 8192 MAX)
1|Jan 27 2024 18:58:58|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 18:59:59|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 19:01:00|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
18:42 First TCP packet not SYN (tcp-not-syn) 948128999
19:01 First TCP packet not SYN (tcp-not-syn) 953116141
18:42 Dropped pending packets in a closed socket (np-socket-closed) 66560786
19:01 Dropped pending packets in a closed socket (np-socket-closed) 68613478
18:42 SSL handshake failed (ssl-handshake-failed) 4589875
19:01 SSL handshake failed (ssl-handshake-failed) 4692057

This is a Firepower 4145, and the average ssl-handshake-failed rate is ~80 tps.
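As an added example (it is not part of the original post and not Cisco code), the script below turns the three outputs quoted above into something you can alert on: it parses the `show blocks` snapshot and flags pools that are exhausted now or whose historic LOW watermark dipped under a threshold, computes per-second drop rates from two `show asp drop` samples 19 minutes apart (which is how the ~80 tps figure is derived), and extracts the %ASA-1-321007 syslog events. The inputs are copied from the post; the 10% low-water threshold is an assumed alerting level, not an ASA default.

```python
import re

# Inputs copied from the post above (constructed test data for this example).
SHOW_BLOCKS = """\
  SIZE    MAX    LOW    CNT
     0   8700   8063   8699
     4   1700   1649   1699
    80   9000   2417   8916
   256  13772   1103  11466
  1550  37434  23560  34994
  2048   8100   8032   8100
  2560   8192   3093   8184
  4096    100     97    100
  8192    100     99    100
  9344  20000      0      0
 16384    340    339    340
 65664     16     15     16
"""
# Two 'show asp drop' samples, taken at 18:42 and 19:01.
ASP_DROP_1842 = """\
First TCP packet not SYN (tcp-not-syn) 948128999
Dropped pending packets in a closed socket (np-socket-closed) 66560786
SSL handshake failed (ssl-handshake-failed) 4589875
"""
ASP_DROP_1901 = """\
First TCP packet not SYN (tcp-not-syn) 953116141
Dropped pending packets in a closed socket (np-socket-closed) 68613478
SSL handshake failed (ssl-handshake-failed) 4692057
"""
# %ASA-1-321007 lines as printed by 'show logging asdm | i ^1'.
SYSLOG_321007 = """\
1|Jan 27 2024 18:56:56|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 18:57:57|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 18:58:18|321007: System is low on free memory blocks of size 2560 (1 CNT out of 8192 MAX)
1|Jan 27 2024 18:58:58|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 18:59:59|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
1|Jan 27 2024 19:01:00|321007: System is low on free memory blocks of size 9344 (0 CNT out of 20000 MAX)
"""

LOW_WATER_PCT = 10.0  # assumed alert threshold (percent of MAX), not an ASA default


def parse_show_blocks(text):
    """Return {pool_size: (MAX, LOW, CNT)} from 'show blocks' output."""
    pools = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts):
            size, mx, low, cnt = map(int, parts)
            pools[size] = (mx, low, cnt)
    return pools


def pool_pressure(pools, pct=LOW_WATER_PCT):
    """'exhausted': no free blocks now; 'low': CNT under pct% of MAX;
    'dipped': historic LOW under pct% of MAX (pool ran short earlier); else 'ok'."""
    status = {}
    for size, (mx, low, cnt) in pools.items():
        if cnt == 0:
            status[size] = "exhausted"
        elif 100.0 * cnt / mx < pct:
            status[size] = "low"
        elif 100.0 * low / mx < pct:
            status[size] = "dipped"
        else:
            status[size] = "ok"
    return status


DROP_RE = re.compile(r"\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {drop-reason-code: counter} from 'show asp drop' lines."""
    return {m.group("code"): int(m.group("count"))
            for m in (DROP_RE.search(l) for l in text.splitlines()) if m}


def seconds_between(hhmm0, hhmm1):
    h0, m0 = map(int, hhmm0.split(":"))
    h1, m1 = map(int, hhmm1.split(":"))
    return ((h1 * 60 + m1) - (h0 * 60 + m0)) * 60


def drop_rates(text0, text1, t0, t1):
    """Per-second increase of each drop counter between two samples."""
    c0, c1 = parse_asp_drop(text0), parse_asp_drop(text1)
    secs = seconds_between(t0, t1)
    return {k: (c1[k] - c0[k]) / secs for k in c1 if k in c0}


SYSLOG_RE = re.compile(
    r"\|(?P<ts>[^|]+)\|321007: System is low on free memory blocks of size "
    r"(?P<size>\d+) \((?P<cnt>\d+) CNT out of (?P<max>\d+) MAX\)")


def parse_low_block_events(text):
    """Return [(timestamp, size, CNT, MAX)] for every 321007 syslog line."""
    return [(m.group("ts"), int(m.group("size")), int(m.group("cnt")), int(m.group("max")))
            for m in (SYSLOG_RE.search(l) for l in text.splitlines()) if m]


def exhausted_sizes(events):
    """Block sizes that the syslog reports at 0 free blocks."""
    return {size for _, size, cnt, _ in events if cnt == 0}


if __name__ == "__main__":
    print(pool_pressure(parse_show_blocks(SHOW_BLOCKS)))
    print(drop_rates(ASP_DROP_1842, ASP_DROP_1901, "18:42", "19:01"))
    print(exhausted_sizes(parse_low_block_events(SYSLOG_321007)))
```

With the post's own numbers this reports the 9344 pool as exhausted and the 256 pool as having dipped below 10% of MAX, and a ssl-handshake-failed rate of roughly 90 per second over the 18:42 to 19:01 window. Polling these three commands on a schedule and alerting on `exhausted`/`dipped` or on a sudden jump in the handshake-failure rate is a practical way to see this condition coming before management traffic stops.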


bcoverstone
Level 1

Easy, just buy two Firepowers and hook them up sequentially, then put a geo check on packets targeting the 2nd one's port 443. Run everything else through the prefilter.

Tada