• Status: Solved

Cisco ASA 5510 DMZ attack issues

We are having problems with attacks on our web servers.
We have an ASA 5510 and it reports 120+ scanning attacks and 60+ SYN attacks.
When these are higher than 5 the web servers go extremely slow and do not respond.
This is happening for longer periods of time now.
Basic threat detection is enabled, scanning threat detection is enabled and Shun Hosts.

Can anyone help?


Thanks
CTEC
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
Do you have any max conns or embryonic limit defined in the static for your web server?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466

By setting a limit for this you make your firewall protect your web server from SYN attacks.

/Kvistofta
 
CTEC (Author) commented:
I have the embryonic limit set to 25 on the web servers.
 
CTEC (Author) commented:
static (DMZ,outside) ***.***.***.*** ***.***.***.*** netmask 255.255.255.255 dns tcp 0 25
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
And you are still getting 60+ half-open connections to the web-server???

/Kvistofta
 
CTEC (Author) commented:
Yes, currently ASDM reports under the firewall dashboard:

Scanning attacks: 122
SYN attacks: 85
 
Jimmy Larsson, CISSP, CEH, Network and Security consultant, commented:
Ok. But do you have any performance issues on your web server? What you see just indicates that the firewall does what it is built to do. If you do not want to see the firewall identifying and/or blocking attacks you need to protect it with another firewall in front of it. .-)

/Kvistofta
 
CTEC (Author) commented:
When the firewall reports high scanning attacks and SYN attacks, the web servers will not respond to HTTP requests; if I stop inbound traffic, the web servers work normally.
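Added example, not part of the thread and not Cisco tooling: a small Python audit that parses simple `static` lines of the kind posted above and reports their TCP connection limit and embryonic limit, noting entries where either is 0 (unlimited). The field names `max_conns` and `emb_lim` and the option order are taken from the ASA 8.2 command reference linked in the thread; the function names and sample addresses are constructed for illustration.

```python
import re

# Simple (non-port) form, per the ASA 8.2 command reference linked in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] [dns]
#          [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq]
STATIC_RE = re.compile(r"^static\s+\(([^,]+),([^)]+)\)\s+(.+)$")

def parse_static(line):
    """Return the TCP limits of one simple `static` line, or None if not parsed."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group(3).split()
    if len(tokens) < 2 or tokens[0] in ("tcp", "udp"):
        return None  # malformed, or port-redirection form (out of scope here)
    opts = tokens[3:] if tokens[1] == "access-list" else tokens[2:]
    if opts[:1] == ["netmask"]:
        opts = opts[2:]
    # "dns" and the optional "tcp" keyword precede the numeric limits.
    opts = [t for t in opts if t not in ("dns", "tcp")]
    nums = []
    for tok in opts:  # leading integers are max_conns, then emb_lim
        if not tok.isdigit():
            break
        nums.append(int(tok))
    nums += [0, 0]  # omitted values default to 0, which means unlimited
    return {"real_ifc": m.group(1), "mapped_ifc": m.group(2),
            "max_conns": nums[0], "emb_lim": nums[1]}

def audit(config_text):
    """List (line, note) pairs for static entries with an unlimited TCP limit."""
    notes = []
    for line in config_text.splitlines():
        lim = parse_static(line)
        if lim and lim["emb_lim"] == 0:
            notes.append((line.strip(), "no embryonic limit: half-open connections uncapped"))
        elif lim and lim["max_conns"] == 0:
            notes.append((line.strip(), "embryonic limit %d set, total TCP connections unlimited" % lim["emb_lim"]))
    return notes

# Constructed sample config (documentation addresses, not from the thread).
SAMPLE = """\
static (DMZ,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 dns tcp 0 25
static (DMZ,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255
static (DMZ,outside) 192.0.2.12 10.1.1.12 netmask 255.255.255.255 tcp 500 50
"""

for _line, _note in audit(SAMPLE):
    print(_note, "->", _line)
```

Run against the line posted in the thread, it reports `max_conns` 0 and `emb_lim` 25: half-open connections are capped, established ones are not.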