Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 223
  • Last Modified:

Attacks eating T1, what can I do

Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below.

How do we prevent something like this? Our firewall is doing the job, do we have to get the ISP involved?
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23

Open in new window

0
WERAracer
Asked:
WERAracer
  • 4
  • 2
1 Solution
 
Jan SpringerCommented:
If the ASA is doing its job and the T1 were not saturated, then I would leave it alone.

However, in your case, this is leaving you in denial of service mode.  If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.
0
 
Jan SpringerCommented:
Another comment:  I do this with UDP and ICMP traffic today to be cautionary.  However, my configuration advise is limited to Cisco routers.  Whose router do you have?
0
 
WERAracerAuthor Commented:
There is a cisco 2621xm in front of the pix. Is there a way to limit this in the router? isn't it still affecting us since it hits the link between CE and PE

thanks
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
Jan SpringerCommented:
You will be affected but it will be minimized as you will be rejecting packets after a certain threshold:

config t

access-list 150 remark Block DoS
access-list 150 permit tcp any any eq 23
 or
access-list 150 permit tcp 116**.167.0 0.0.0.255 any range 1 65535

int s0/0
 rate-limit input access-group 150 150000 35000 15000 conform-action transmit excees-action drop

You can change the access-list to anything.  Just remember, where you specify "deny" in that ACL, that line will be *exempt* from the rate limiting.  Put whatever lines you need in the access list that will cover the majority of the problem.
0
 
WERAracerAuthor Commented:
great, thanks jesper. Can I use this with any port? I apply it in the outside interface of my router? This won't affect or limit other traffic?
0
 
Jan SpringerCommented:
Yes, you can use it with any port.  With traffic inside the network, I usually use QoS (classes, policys and apply them on the outbound side).

This particular rate-limit command goes on your internet facing connection.  And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.

If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now