Solved

Cisco ASA 5505 ASDM DoS Protection

Posted on 2014-03-20
13
1,831 Views
Last Modified: 2014-04-26
Hi there,

We have a CISCO ASA 5505 which we primarily manage through the ASDM 6.2 GUI.

We have had an issue with a Denial of Service attack (not any DDOS's yet) coming from a single IP and hitting our open 443 port. We used port mirror / wireshark to determine the source of the attack. The most recent attacking IP was: 166.181.81.25

The incident happens like this:
Attacking IP sends a request to our public IP port 443. Cisco translates it and forwards the request to our Exchange server. (OWA runs on 443). Exchange server responds.
This happens about 1,000 in 1 second.

Our ISP has DoS filters enabled for OUTGOING packets ONLY. When we respond to these requests it flags our account with our ISP and they temporarily disable our internet. (at the Virtual Port Bridge)


HOW DO WE STOP THIS ATTACK? Specifically, how do we NOT respond to rapid requests that are indicative of a DoS attack but DO still respond to legitimate requests?

We have services dependent on 443 so we can not block the port it at the firewall.


Under Firewall > Threat Detection we have "Enable basic threat detection" enabled.


What else can we do through the Cisco ASDM 6.2 interface to protect against these types of attacks?

Please do hesitate to ask if I need to clarify anything about this request.
0
Comment
Question by:MPATechTeam
  • 7
  • 5
13 Comments
 
LVL 17

Accepted Solution

by:
Spartan_1337 earned 500 total points
Comment Utility
Firewall cannot do that. For the function you are asking for would require an IDS/IPS sensor that will inspect the traffic and react as per how it was configured. Stateful firewalls cannot prevent a DOS attack but you could just create a "BAD IP" ACL group and just deny access by adding those IP's to that group. This is a very basic way but the 5505 can only handle so much.
0
 

Author Comment

by:MPATechTeam
Comment Utility
Hi there,

THANK YOU for the response. That is unfortunately what I suspected.

We have created a "BAD IP" Network Object Group.

Then we created an ACCESS RULE under the INSIDE INTERFACE and set it to DENY. We made it the FIRST RULE.

Will that work as you are suggesting.

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

Thanks again. Your response was quite helpful.
0
 
LVL 17

Expert Comment

by:Spartan_1337
Comment Utility
No, wrong interface. You need to put that ACL on your outside interface and make it the first rule. Remember that the firewall processes by order of rules and if another rule satisfies the request it will not look past that rule.
0
 

Author Comment

by:MPATechTeam
Comment Utility
Ahh -
well, we were following this article:
http://www.petenetlive.com/KB/Article/0000743.htm

Is it wrong?


Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

My understanding is that this device would go BEFORE the firewall.
ISP WAN > IPS Sensor > Cisco WAN Port

Is that accurate?
0
 
LVL 17

Expert Comment

by:Spartan_1337
Comment Utility
That is blocking an internal host to an external IP, not the same thing or wrong but doesn't apply to what you are looking for.

A good IDS/IPS sensor would inspect inside and outside, not just outside.
Outside - IPS - Firewall - (SPAN port) IPS Inside, (SPAN port) IPS Inside DMZ

A good IDS sensor is really based on budget.
Here are vendors that have sensors which are very good:

Cisco IDS/IPS
SourceFire
TippingPoint - HP
Juniper

Keep in mind that these devices are very expensive
0
 

Author Comment

by:MPATechTeam
Comment Utility
Thanks for the information!

It looks there aren't any IPS's available for at a < $1,000 price?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 17

Expert Comment

by:Spartan_1337
Comment Utility
There are open source options that you could consider but you will ultimately have to decide what is best for your situation and organization.

Suricata

http://suricata-ids.org/

SNORT

http://www.snort.org/
0
 

Author Comment

by:MPATechTeam
Comment Utility
Gotchya. I appreciate all the help.

#1 I contacted ZyXEL and they said that they believed their ZyXEL USG series would work if we purchase the security subscription service. This allows traffic to be blocked based upon known patterns and also has limited for requests.

Do you think this could be a good option?

#2 My understand is that an IPS/IDS replaces our existing firewall. It is not designed to sit outside of the permitter of the network. Is that accurate?

#3 Our biggest issue right now is the outbound RESPONSES that our internal network sends out in response to these inbound requests.
Because cell phones connect to exchange using port 443, we do need the service to respond in those cases.
What I'm wondering is this:
Would there be any way to limit the RESPONSES to requests on port 443 on the SBS 2011 server itself? I.e. IIS configuration or Exchange configuration? Just shooting in the dark here.

I realize that incoming requests would still get through our firewall, but as long as we don't respond, we would resolve the troubles we're having with our ISP.

#4 Does this look OKAY? "CMTEL=Outside Interface/ISP"
http://screencast.com/t/0eelu01Ni
0
 

Author Comment

by:MPATechTeam
Comment Utility
0
 

Author Comment

by:MPATechTeam
Comment Utility
Nevermind - requires forefront.
0
 

Author Comment

by:MPATechTeam
Comment Utility
What are your thoughts on this feature?

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html

Or - Directly on the Exchange server:
http://technet.microsoft.com/en-us/library/bb123712(v=exchg.150).aspx

-or-

http://www.shudnow.net/2009/09/26/exchange-2010-client-throttling/

I'm considering this stuff because port 443 is being targeted.

I'm wondering if I can simply limit the connections to the server in which the 443 service is in-use.

What are your thoughts on this?
0
 
LVL 17

Expert Comment

by:MAG03
Comment Utility
The link to the cisco document you post is for IOS and not ASA... but the ASA does have a similar feature.

If this is a TCP syn attack then you could do several things; limit the number of allowed half-open connection (embryonic connections), rate-limit the number of allowed syn messages per second.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html#tcp
0
 
LVL 17

Expert Comment

by:Spartan_1337
Comment Utility
IDS/IPS does NOT replace your firewall. This is in addition to it as another layer of security but it cannot replace your firewall. NextGEN firewalls have a one box solution for IPS/IDS and F/W and a few other things but these devices are out of your price range at the moment.

Throttling policy is for existing Exchange users, not going to stop DOS attack.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5516-X Configuration 4 45
sonicwall can not login  ~URGENT~ 9 155
Route summarization 9 42
Firewall port opening 2 17
Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now