Attacks eating T1, what can I do

Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below.

How do we prevent something like this? Our firewall is doing the job, do we have to get the ISP involved?
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23

Open in new window

LVL 1
WERAracerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jan SpringerCommented:
If the ASA is doing its job and the T1 were not saturated, then I would leave it alone.

However, in your case, this is leaving you in denial of service mode.  If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.
0
Jan SpringerCommented:
Another comment:  I do this with UDP and ICMP traffic today to be cautionary.  However, my configuration advise is limited to Cisco routers.  Whose router do you have?
0
WERAracerAuthor Commented:
There is a cisco 2621xm in front of the pix. Is there a way to limit this in the router? isn't it still affecting us since it hits the link between CE and PE

thanks
0
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Jan SpringerCommented:
You will be affected but it will be minimized as you will be rejecting packets after a certain threshold:

config t

access-list 150 remark Block DoS
access-list 150 permit tcp any any eq 23
 or
access-list 150 permit tcp 116**.167.0 0.0.0.255 any range 1 65535

int s0/0
 rate-limit input access-group 150 150000 35000 15000 conform-action transmit excees-action drop

You can change the access-list to anything.  Just remember, where you specify "deny" in that ACL, that line will be *exempt* from the rate limiting.  Put whatever lines you need in the access list that will cover the majority of the problem.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
WERAracerAuthor Commented:
great, thanks jesper. Can I use this with any port? I apply it in the outside interface of my router? This won't affect or limit other traffic?
0
Jan SpringerCommented:
Yes, you can use it with any port.  With traffic inside the network, I usually use QoS (classes, policys and apply them on the outbound side).

This particular rate-limit command goes on your internet facing connection.  And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.

If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.