Solved

Attacks eating T1, what can I do

Posted on 2009-07-09
Last Modified: 2012-05-07
Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below:

SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23

How do we prevent something like this? Our firewall is doing the job; do we have to get the ISP involved?

Question by:WERAracer
6 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24818551
If the ASA is doing its job and the T1 were not saturated, then I would leave it alone.

However, in your case, this is leaving you in denial of service mode.  If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24818567
Another comment: I do this with UDP and ICMP traffic today to be cautious. However, my configuration advice is limited to Cisco routers. Whose router do you have?
 
LVL 1

Author Comment

by:WERAracer
ID: 24818704
There is a Cisco 2621XM in front of the PIX. Is there a way to limit this in the router? Isn't it still affecting us, since it hits the link between CE and PE?

Thanks
 
LVL 29

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 24818759
You will be affected but it will be minimized as you will be rejecting packets after a certain threshold:

config t

access-list 150 remark Block DoS
access-list 150 permit tcp any any eq 23
 or
access-list 150 permit tcp 116**.167.0 0.0.0.255 any range 1 65535

int s0/0
 rate-limit input access-group 150 150000 35000 15000 conform-action transmit exceed-action drop

You can change the access-list to anything.  Just remember, where you specify "deny" in that ACL, that line will be *exempt* from the rate limiting.  Put whatever lines you need in the access list that will cover the majority of the problem.
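A worked example, added here and not part of the original thread: before writing the ACL that feeds the rate-limit statement above, it helps to know which source networks and destination ports actually dominate the ASA denials. This script parses %ASA-3-710003 lines of the shape shown in the question, groups sources into prefixes, and drafts the matching IOS access-list permit lines (permit, because in a CAR access-group it is the permitted traffic that gets rate-limited). The log lines are constructed for the example using documentation address ranges; the /24 grouping, the minimum-hit threshold, and ACL number 150 are assumptions, not values taken from the page.

```python
"""Summarise ASA 'TCP access denied by ACL' events and draft the ACL lines
for a Cisco IOS rate-limit (CAR) statement like the one in the accepted answer.

Added example, not part of the original thread. The log lines below are
constructed to look like the %ASA-3-710003 message in the question; the
prefix length, hit threshold and ACL number 150 are assumptions.
"""
import ipaddress
import re
from collections import Counter

# %ASA-3-710003 layout: "... from <src_ip>/<src_port> to <ifname>:<dst_ip>/<dst_port>"
ASA_710003 = re.compile(
    r"%ASA-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<ifname>\w+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)

# Constructed sample log (documentation ranges, not real hosts). The last
# line is a different message ID and must be ignored by the parser.
SAMPLE_LOG = """\
Jul 09 2009 10:00:01 SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.139/2083 to outside:203.0.113.191/23
Jul 09 2009 10:00:01 SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.139/2084 to outside:203.0.113.191/23
Jul 09 2009 10:00:02 SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.140/1025 to outside:203.0.113.191/23
Jul 09 2009 10:00:02 SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 198.51.100.77/3301 to outside:203.0.113.191/23
Jul 09 2009 10:00:03 SL_COMCAST_ASA %ASA-3-710003: UDP access denied by ACL from 192.0.2.9/53 to outside:203.0.113.191/1434
Jul 09 2009 10:00:03 SL_COMCAST_ASA %ASA-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.10/4444 (192.0.2.10/4444) to inside:10.0.0.5/80 (203.0.113.191/80)
"""


def parse_denials(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for each 710003 line; skip others."""
    for line in text.splitlines():
        m = ASA_710003.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])


def summarise(text, prefix_len=24):
    """Count denials per (proto, source prefix, dst port), most common first.

    prefix_len groups individual sources into a network the way the answer's
    '116**.167.0 0.0.0.255' line covers a whole /24 (assumed grouping).
    """
    counts = Counter()
    for proto, src, _dst, dport in parse_denials(text):
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        counts[(proto, str(net), dport)] += 1
    return counts.most_common()


def wildcard(net):
    """IOS numbered ACLs take a wildcard mask (inverted netmask): /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(net).hostmask)


def acl_lines(summary, acl=150, min_hits=2):
    """Draft 'access-list <acl> permit ...' lines for the noisy prefixes.

    In a CAR 'rate-limit ... access-group' statement, traffic the ACL
    permits is what gets rate-limited, so these are permit lines.
    """
    lines = [f"access-list {acl} remark Block DoS"]
    for (proto, net, dport), hits in summary:
        if hits < min_hits:  # ignore one-off noise (threshold is an assumption)
            continue
        n = ipaddress.ip_network(net)
        lines.append(
            f"access-list {acl} permit {proto.lower()} "
            f"{n.network_address} {wildcard(net)} any eq {dport}"
        )
    return lines


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for key, hits in summary:
        print(hits, key)
    print("\n".join(acl_lines(summary)))
```

Feed it the real ASA syslog export instead of SAMPLE_LOG and check the top entries before pasting the generated lines into the router; a /24 that only has a single noisy host may deserve a /32 line instead, and anything the ACL does not permit is left untouched by the rate-limit statement.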
 
LVL 1

Author Comment

by:WERAracer
ID: 24819452
Great, thanks Jesper. Can I use this with any port? Do I apply it on the outside interface of my router? This won't affect or limit other traffic?
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24823167
Yes, you can use it with any port. With traffic inside the network, I usually use QoS (classes, policies, and apply them on the outbound side).

This particular rate-limit command goes on your internet facing connection.  And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.

If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.