Solved

Cisco ASA 5510 DMZ attack issues

Posted on 2010-09-21
Last Modified: 2013-11-16
We are having problems with attacks on our web servers.
We have an ASA 5510 and it reports 120+ scanning attacks and 60+ SYN attacks.
When these are higher than 5 the web servers go extremely slow and do not respond.
This is happening for longer periods of time now.
Basic threat detection is enabled, scanning threat detection is enabled and Shun Hosts is enabled.

Can anyone help?


Thanks
Question by:CTEC

Accepted Solution

by: Kvistofta (earned 500 total points)
ID: 33726203
Do you have any max conns or embryonic limit defined in the static for your web server?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466

By setting a limit for this you make your firewall protect your web server from SYN attacks.

/Kvistofta
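The tuning Kvistofta is pointing at, written out as an added example for readers of this thread; it is not configuration posted by either participant. Interface names, the placeholder addresses 203.0.113.10 (mapped) and 10.1.1.10 (real), the object names and every limit value are assumptions to be replaced with your own.

```cisco
! Added example, not configuration from this thread. Addresses, names and
! limit values are placeholders / assumptions.
!
! ASA 8.2 style: limits attached to the static translation.
!   tcp <max_conns> <emb_limit>   (0 = unlimited)
! The poster's entry, "tcp 0 25", caps half-open connections at 25 but leaves
! total connections unlimited. Once emb_limit is reached the ASA answers
! further SYNs itself (TCP intercept / SYN cookies) and only builds a
! connection to the server after the client completes the handshake.
static (DMZ,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns tcp 1000 100

! Modular Policy Framework form of the same limits, applied only to traffic
! to the web server. Pre-8.3 the ACL sees the mapped address on the outside
! interface; from 8.3 on use the real address instead.
access-list WEB_SERVER extended permit tcp any host 203.0.113.10 eq www
class-map WEB_SERVER
 match access-list WEB_SERVER
policy-map WEB_SERVER_POLICY
 class WEB_SERVER
  set connection conn-max 1000 embryonic-conn-max 100 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:30
service-policy WEB_SERVER_POLICY interface outside

! Threat detection the poster already has enabled, with the shun duration
! (seconds) made explicit so blocked scanners are released again.
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600

! Checks: half-open count against the server, who is currently shunned, the
! hosts TCP intercept is protecting, and the rate counters behind the ASDM
! "attacks" figures.
show local-host 10.1.1.10
show threat-detection shun
show threat-detection statistics top tcp-intercept
show threat-detection rate
```

A non-zero max_conns refuses legitimate clients once the cap is hit, so size it from the server's real capacity rather than the attack volume; the embryonic limit is the one that keeps a SYN flood off the server.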

Author Comment

by:CTEC
ID: 33726231
I have the embryonic limit set to 25 on the web servers.

Author Comment

by:CTEC
ID: 33726258
static (DMZ,outside) ***.***.***.*** ***.***.***.*** netmask 255.255.255.255 dns tcp 0 25

Expert Comment

by:Kvistofta
ID: 33726544
And you are still getting 60+ half-open connections to the web server?

/Kvistofta

Author Comment

by:CTEC
ID: 33726980
Yes, currently ASDM reports under the firewall dashboard:

Scanning attacks: 122
SYN attacks: 85

Expert Comment

by:Kvistofta
ID: 33727034
Ok. But do you have any performance issues on your web server? What you see just indicates that the firewall does what it is built to do. If you do not want to see the firewall identifying and/or blocking attacks you need to protect it with another firewall in front of it. :-)

/Kvistofta

Author Comment

by:CTEC
ID: 33727150
When the firewall reports high scanning attacks and SYN attacks the web servers will not respond to HTTP requests; if I stop inbound traffic the web servers work normally.