Solved

Attacks eating T1, what can I do

Posted on 2009-07-09
Last Modified: 2012-05-07
Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below.

How do we prevent something like this? Our firewall is doing the job, do we have to get the ISP involved?
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23

Question by:WERAracer
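Before deciding what to block or rate-limit, it helps to know which sources and which destination ports dominate the denied entries. The script below is an added example, not something posted in this thread: it parses lines in the %ASA-3-710003 format quoted above, counts denies per source and per destination service, picks the sources above a threshold, and renders them in the /24 wildcard ACL form the accepted answer uses. The log lines are constructed (RFC 5737 documentation addresses stand in for the masked ones in the question); ACL number 150 is taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the %ASA-3-710003 format quoted in the question.
# Addresses are RFC 5737 documentation ranges, not real hosts. The last line uses a
# different message ID (302013) to show that the parser leaves it alone.
SAMPLE_LOG = """\
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/2083 to outside:203.0.113.191/23
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/2084 to outside:203.0.113.191/23
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/2085 to outside:203.0.113.191/23
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.9/4100 to outside:203.0.113.191/23
SL_COMCAST_ASA %ASA-3-710003: UDP access denied by ACL from 192.0.2.50/53 to outside:203.0.113.191/161
SL_COMCAST_ASA %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.8/44000 (192.0.2.8/44000) to inside:10.0.0.5/443 (203.0.113.191/443)
"""

# Matches only the "access denied by ACL" message (ID 710003); other IDs are skipped.
DENIED_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifname>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denied(log_text):
    """Yield (proto, src, dst, dport) for every 710003 line in the text."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])


def summarize(log_text):
    """Count denies per source address and per (proto, destination port)."""
    by_source, by_service = Counter(), Counter()
    for proto, src, _dst, dport in parse_denied(log_text):
        by_source[src] += 1
        by_service[(proto, dport)] += 1
    return by_source, by_service


def offenders(log_text, threshold):
    """Sources with at least `threshold` denied attempts, sorted for stable output."""
    by_source, _ = summarize(log_text)
    return sorted(src for src, n in by_source.items() if n >= threshold)


def acl_lines(acl_number, sources, proto, dport):
    """Render offending sources, collapsed to their /24s, in the wildcard-mask
    numbered-ACL form used in the accepted answer (e.g. 'X.Y.Z.0 0.0.0.255')."""
    nets = sorted({ipaddress.ip_network(f"{s}/24", strict=False) for s in sources})
    return [
        f"access-list {acl_number} permit {proto} {n.network_address} {n.hostmask} any eq {dport}"
        for n in nets
    ]


if __name__ == "__main__":
    by_source, by_service = summarize(SAMPLE_LOG)
    print("denies per source:", dict(by_source))
    print("denies per service:", dict(by_service))
    for line in acl_lines(150, offenders(SAMPLE_LOG, 3), "tcp", 23):
        print(line)
```

On a real log, raise the threshold well above the normal background of scanner noise; a handful of denies per source is routine on any Internet-facing interface, and only sources that account for a large share of the saturating volume are worth an upstream ACL or rate-limit.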
6 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24818551
If the ASA is doing its job and the T1 were not saturated, then I would leave it alone.

However, in your case, this is leaving you in denial of service mode.  If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24818567
Another comment:  I do this with UDP and ICMP traffic today to be cautionary.  However, my configuration advice is limited to Cisco routers.  Whose router do you have?
 
LVL 1

Author Comment

by:WERAracer
ID: 24818704
There is a Cisco 2621XM in front of the PIX. Is there a way to limit this in the router? Isn't it still affecting us since it hits the link between CE and PE?

thanks
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 24818759
You will be affected but it will be minimized as you will be rejecting packets after a certain threshold:

config t

access-list 150 remark Block DoS
access-list 150 permit tcp any any eq 23
 or
access-list 150 permit tcp 116**.167.0 0.0.0.255 any range 1 65535

int s0/0
 rate-limit input access-group 150 150000 35000 15000 conform-action transmit exceed-action drop

You can change the access-list to anything.  Just remember, where you specify "deny" in that ACL, that line will be *exempt* from the rate limiting.  Put whatever lines you need in the access list that will cover the majority of the problem.
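A small simulation of what the accepted answer's rate-limit does, added here as an example and not part of the thread or of Cisco's own code: packets are matched against the ACL, those a permit line matches are charged against a token bucket that refills at the configured bps and holds up to burst-normal bytes of credit, and packets hit by a deny line (or by the implicit deny at the end of the list) bypass the bucket entirely. CAR's extended burst (the 15000 burst-max value) is not modelled, and the ACL, traffic mix and addresses (RFC 5737 documentation ranges in place of the masked ones above) are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                 # "permit" (subject to rate-limit) or "deny" (exempt)
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dports: range               # destination ports matched


@dataclass
class Packet:
    t_ms: int                   # arrival time, milliseconds
    proto: str
    src: ipaddress.IPv4Address
    dport: int
    size: int                   # bytes


def packet(t_ms, proto, src, dport, size):
    """Convenience constructor taking the source address as a string."""
    return Packet(t_ms, proto, ipaddress.IPv4Address(src), dport, size)


def parse_acl(lines):
    """Constructed parser for the subset of numbered-ACL syntax used in the answer:
    access-list N permit|deny PROTO (any | host A.B.C.D | A.B.C.D WILDCARD) any [eq P | range LO HI]
    Remark lines are skipped; only contiguous wildcard masks are handled."""
    acl = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, i = tok[2], tok[3], 4
        if tok[i] == "any":
            src, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            src, i = ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
        else:
            wild = int(ipaddress.IPv4Address(tok[i + 1]))
            prefixlen = 32 - wild.bit_length()            # 0.0.0.255 -> /24
            src, i = ipaddress.IPv4Network((tok[i], prefixlen), strict=False), i + 2
        i += 1                                            # destination: only "any" supported here
        dports = range(0, 65536)
        if i < len(tok) and tok[i] == "eq":
            dports = range(int(tok[i + 1]), int(tok[i + 1]) + 1)
        elif i < len(tok) and tok[i] == "range":
            dports = range(int(tok[i + 1]), int(tok[i + 2]) + 1)
        acl.append(AclEntry(action, proto, src, dports))
    return acl


def classify(acl, pkt):
    """First-match ACL lookup; unmatched traffic hits the implicit deny."""
    for e in acl:
        if e.proto in ("ip", pkt.proto) and pkt.src in e.src and pkt.dport in e.dports:
            return e.action
    return "deny"


class TokenBucket:
    """Simplified CAR: credit refills at `bps`, capped at `burst_normal` bytes.
    A packet that fits the credit conforms (transmit); otherwise it exceeds (drop).
    The extended burst (burst-max) of real CAR is deliberately not modelled."""

    def __init__(self, bps, burst_normal):
        self.bps, self.capacity = bps, burst_normal
        self.tokens, self.last_ms = float(burst_normal), 0

    def offer(self, pkt):
        refill = (pkt.t_ms - self.last_ms) * self.bps / 8000.0   # bits/s -> bytes per ms
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = pkt.t_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "transmit"
        return "drop"


def simulate(acl, bucket, packets):
    """Apply the ACL-classified rate-limit to a packet stream; returns per-outcome counts."""
    counts = Counter()
    for pkt in sorted(packets, key=lambda p: p.t_ms):
        if classify(acl, pkt) == "permit":
            counts[bucket.offer(pkt)] += 1
        else:
            counts["exempt"] += 1                  # denied or unmatched: never rate-limited
    return dict(counts)


# Constructed ACL in the answer's style: a deny line exempts a trusted network,
# the permit line puts the flooding /24 under the limit.
ACL_LINES = [
    "access-list 150 remark Block DoS",
    "access-list 150 deny tcp 192.0.2.0 0.0.0.255 any eq 23",
    "access-list 150 permit tcp 198.51.100.0 0.0.0.255 any eq 23",
]


def build_traffic():
    flood = [packet(10 * i, "tcp", "198.51.100.7", 23, 1000) for i in range(200)]  # 800 kbit/s to port 23
    admin = [packet(100 * i, "tcp", "192.0.2.10", 23, 100) for i in range(5)]     # matches the deny line
    web = [packet(150 * i, "tcp", "192.0.2.8", 443, 1000) for i in range(10)]      # matches nothing
    return flood + admin + web


def run_demo():
    """Same numbers as the answer's rate-limit line: 150000 bps, 35000-byte normal burst."""
    return simulate(parse_acl(ACL_LINES), TokenBucket(bps=150000, burst_normal=35000), build_traffic())


if __name__ == "__main__":
    print(run_demo())   # e.g. {'transmit': 72, 'drop': 128, 'exempt': 15}
```

The flood still consumes the T1 up to the link's input, which is the point the author raises about the CE-PE segment; what the limiter buys is that only about 150 kbit/s of it continues past the router, so the rest of the link's capacity behind it is usable again.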
 
LVL 1

Author Comment

by:WERAracer
ID: 24819452
Great, thanks Jesper. Can I use this with any port? Do I apply it on the outside interface of my router? This won't affect or limit other traffic?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24823167
Yes, you can use it with any port.  With traffic inside the network, I usually use QoS (classes, policies and apply them on the outbound side).

This particular rate-limit command goes on your internet facing connection.  And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.

If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.