Cisco ASA 5510 DMZ attack issues

Posted on 2010-09-21
Last Modified: 2013-11-16
We are having problems with attacks on our web servers.
We have an ASA 5510 and it reports 120+ scanning attacks and 60+ SYN attacks.
When these are higher than 5 the web servers go extremely slow and do not respond.
This is happening for longer periods of time now.
Basic threat detection is enabled, scanning threat detection is enabled and Shun Hosts.

Can anyone help?


Thanks
Question by:CTEC

Accepted Solution

by:
Jimmy Larsson, CISSP, CEH earned 2000 total points
ID: 33726203
Do you have any max conns or embryonic limit defined in the static for your web server?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466

By setting a limit for this you make your firewall protect your web server from SYN attacks.

/Kvistofta

Author Comment

by:CTEC
ID: 33726231
I have the embryonic limit set to 25 on the web servers.

Author Comment

by:CTEC
ID: 33726258
static (DMZ,outside) ***.***.***.*** ***.***.***.*** netmask 255.255.255.255 dns tcp 0 25

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 33726544
And you are still getting 60+ half-open connections to the web-server???

/Kvistofta

Author Comment

by:CTEC
ID: 33726980
yes, currently ASDM reports under firewall dashboard:

Scanning attacks: 122
SYN attacks: 85

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 33727034
Ok. But do you have any performance issues on your web server? What you see just indicates that the firewall does what it is built to do. If you do not want to see the firewall identifying and/or blocking attacks you need to protect it with another firewall in front of it. .-)

/Kvistofta

Author Comment

by:CTEC
ID: 33727150
When the firewall reports high scanning attacks and SYN attacks, the webservers will not respond to HTTP requests; if I stop inbound traffic, the webservers work normally.
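Added example, not part of the original thread and not Cisco's code: a small Python audit that reads `static` lines like the one posted above and lists the mappings that have no embryonic limit, so every published server can be checked the same way. The option order is assumed from the ASA 8.2 `static` syntax the accepted answer links to; the addresses in `SAMPLE` are constructed documentation addresses, and the static PAT and `access-list` forms are not handled.

```python
import re

# Assumed option order (ASA 8.2 `static` command reference):
#   static (real_ifc,mapped_ifc) mapped real [netmask m] [dns]
#          [[tcp] max_conns [emb_lim]] [udp udp_max] [norandomseq [nailed]]
HEAD = re.compile(r"^static\s+\((\S+?),(\S+?)\)\s+(.*)$")

def parse_static(line):
    """Return addresses and TCP limits of a static NAT line, else None."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    real_ifc, mapped_ifc, rest = m.groups()
    tok = rest.split()
    if len(tok) < 2 or tok[0] in ("tcp", "udp"):
        return None  # static PAT (port redirection) form is not handled
    rule = {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
            "mapped": tok[0], "real": tok[1], "max_conns": 0, "emb_limit": 0}
    i = 2
    while i < len(tok):
        if tok[i] in ("netmask", "udp"):
            i += 2                      # keyword plus its single value
        elif tok[i] in ("dns", "norandomseq", "nailed"):
            i += 1
        else:
            start = i
            if tok[i] == "tcp":         # the keyword itself is optional
                i += 1
            nums = []
            while i < len(tok) and tok[i].isdigit() and len(nums) < 2:
                nums.append(int(tok[i]))
                i += 1
            if nums:
                rule["max_conns"] = nums[0]
                rule["emb_limit"] = nums[1] if len(nums) > 1 else 0
            if i == start:
                i += 1                  # unknown token, skip it
    return rule

def audit(config_text):
    """Mapped addresses whose embryonic limit is 0, i.e. unlimited half-open."""
    rules = (parse_static(l) for l in config_text.splitlines())
    return [r["mapped"] for r in rules if r and r["emb_limit"] == 0]

# Constructed sample: line 1 mirrors the thread's "dns tcp 0 25" (masked there).
SAMPLE = """\
static (DMZ,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 dns tcp 0 25
static (DMZ,outside) 203.0.113.11 192.0.2.11 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.12 192.0.2.12 netmask 255.255.255.255 tcp 500 0 udp 100
"""
```

In the thread's line, `tcp 0 25` parses as no cap on total connections and an embryonic limit of 25, which is the value the author reports.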