Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Attacks eating T1, what can I do

Posted on 2009-07-09
6
214 Views
Last Modified: 2012-05-07
Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below.

How do we prevent something like this? Our firewall is doing the job, do we have to get the ISP involved?
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23

Open in new window

0
Comment
Question by:WERAracer
  • 4
  • 2
6 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24818551
If the ASA is doing its job and the T1 were not saturated, then I would leave it alone.

However, in your case, this is leaving you in denial of service mode.  If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24818567
Another comment:  I do this with UDP and ICMP traffic today to be cautionary.  However, my configuration advise is limited to Cisco routers.  Whose router do you have?
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24818704
There is a cisco 2621xm in front of the pix. Is there a way to limit this in the router? isn't it still affecting us since it hits the link between CE and PE

thanks
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 24818759
You will be affected but it will be minimized as you will be rejecting packets after a certain threshold:

config t

access-list 150 remark Block DoS
access-list 150 permit tcp any any eq 23
 or
access-list 150 permit tcp 116**.167.0 0.0.0.255 any range 1 65535

int s0/0
 rate-limit input access-group 150 150000 35000 15000 conform-action transmit excees-action drop

You can change the access-list to anything.  Just remember, where you specify "deny" in that ACL, that line will be *exempt* from the rate limiting.  Put whatever lines you need in the access list that will cover the majority of the problem.
0
 
LVL 1

Author Comment

by:WERAracer
ID: 24819452
great, thanks jesper. Can I use this with any port? I apply it in the outside interface of my router? This won't affect or limit other traffic?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24823167
Yes, you can use it with any port.  With traffic inside the network, I usually use QoS (classes, policys and apply them on the outbound side).

This particular rate-limit command goes on your internet facing connection.  And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.

If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question