Solved

Cisco ASA 5510 Getting attacked, can't figure out how to stop it

Posted on 2013-02-06
2
2,669 Views
Last Modified: 2013-03-05
Over the past few weeks, we have been getting reports of incoming calls on our Sip trunk not being able to connect.  I think I finally narrowed it down and noticed that we seem to be getting attacked.  My thoughts are that my ASA is being overloaded with bogus requests from port scanning attacks.  When i did into the ASA logs, I show thousands of deny's from random IP's every hour.  I have tried but can't seem to stop this attack.  The port requests come in waves of 10 to 20 at a time.  The scan will come from an ip address about 20 times and then come froma  different ip.  It's always a different address and most of the time a different port.  Because it's so random, the basic threat detection doesn't seem to flag this as an attack.  

Nothing ever seems to show up in the Cisco Shun List.  Even when I force a port scan from a test website.  How can I get my firewall to ignore the crap and let the good stuff in.  The firewall is correctly denying all the bogus entries but I feel like that is causing the problem.  I thought maybe changing the embryonic connection limits or max client connections would help.  I changed the max embryonic connection to 10 but it didn't seem to help.  How can I get this attack to stop or setup the asa to just ignore the crap?

Here is some of my config.

 show running-config threat-detection
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 5 burst-rate 10
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
no threat-detection statistics tcp-intercept
0
Comment
Question by:CWadmins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 16

Accepted Solution

by:
max_the_king earned 500 total points
ID: 38863439
Hi,
I'm not sure that the SIP trunk issue is related with those kind of attacks to your network: never seen an ASA falling down dos attacks ...
anyway you may want to read the following, where you'll find a lot of parameters that can be changed on your ASA to manage threat detection.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml
you should be patient and tune parameters one at a time and see the results.
please note, however, that ASA, unless you have the IPS module, is not an IPS/IDS system.

max
0
 

Author Closing Comment

by:CWadmins
ID: 38953715
Turns out that the sip problems were not related to the DoS attack.  Had to change our external ip address to get it to stop but then the Sip issues continued.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Palo Alto Networks: Truly No Hit Count? 2 145
ASA Tunnel 18 55
SonicWall NSA 3600 HA Content Filtering 3 28
Frequency of Windows Server updates 27 134
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question