Cisco ASA 5505 ASDM DoS Protection
Posted on 2014-03-20
We have a CISCO ASA 5505 which we primarily manage through the ASDM 6.2 GUI.
We have had an issue with a Denial of Service attack (not any DDOS's yet) coming from a single IP and hitting our open 443 port. We used port mirror / wireshark to determine the source of the attack. The most recent attacking IP was: 220.127.116.11
The incident happens like this:
Attacking IP sends a request to our public IP port 443. Cisco translates it and forwards the request to our Exchange server. (OWA runs on 443). Exchange server responds.
This happens about 1,000 in 1 second.
Our ISP has DoS filters enabled for OUTGOING packets ONLY. When we respond to these requests it flags our account with our ISP and they temporarily disable our internet. (at the Virtual Port Bridge)
HOW DO WE STOP THIS ATTACK? Specifically, how do we NOT respond to rapid requests that are indicative of a DoS attack but DO still respond to legitimate requests?
We have services dependent on 443 so we can not block the port it at the firewall.
Under Firewall > Threat Detection we have "Enable basic threat detection" enabled.
What else can we do through the Cisco ASDM 6.2 interface to protect against these types of attacks?
Please do hesitate to ask if I need to clarify anything about this request.