Cisco ASA 5505 ASDM DoS Protection

Posted on 2014-03-20
Last Modified: 2014-04-26
Hi there,

We have a CISCO ASA 5505 which we primarily manage through the ASDM 6.2 GUI.

We have had an issue with a Denial of Service attack (not any DDOS's yet) coming from a single IP and hitting our open 443 port. We used port mirror / wireshark to determine the source of the attack. The most recent attacking IP was: 166.181.81.25

The incident happens like this:
Attacking IP sends a request to our public IP port 443. Cisco translates it and forwards the request to our Exchange server. (OWA runs on 443). Exchange server responds.
This happens about 1,000 in 1 second.

Our ISP has DoS filters enabled for OUTGOING packets ONLY. When we respond to these requests it flags our account with our ISP and they temporarily disable our internet. (at the Virtual Port Bridge)


HOW DO WE STOP THIS ATTACK? Specifically, how do we NOT respond to rapid requests that are indicative of a DoS attack but DO still respond to legitimate requests?

We have services dependent on 443, so we cannot block the port at the firewall.


Under Firewall > Threat Detection we have "Enable basic threat detection" enabled.


What else can we do through the Cisco ASDM 6.2 interface to protect against these types of attacks?

Please do not hesitate to ask if I need to clarify anything about this request.
Question by:MPATechTeam
LVL 17

Accepted Solution

by:
Spartan_1337 earned 500 total points
ID: 39942821
The firewall cannot do that. The function you are asking for would require an IDS/IPS sensor that inspects the traffic and reacts as it was configured to. Stateful firewalls cannot prevent a DoS attack, but you could create a "BAD IP" ACL group and deny access by adding those IPs to that group. This is a very basic way, but the 5505 can only handle so much.

Author Comment

by:MPATechTeam
ID: 39942896
Hi there,

THANK YOU for the response. That is unfortunately what I suspected.

We have created a "BAD IP" Network Object Group.

Then we created an ACCESS RULE under the INSIDE INTERFACE and set it to DENY. We made it the FIRST RULE.

Will that work as you are suggesting?

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

Thanks again. Your response was quite helpful.
LVL 17

Expert Comment

by:Spartan_1337
ID: 39942923
No, wrong interface. You need to put that ACL on your outside interface and make it the first rule. Remember that the firewall processes by order of rules and if another rule satisfies the request it will not look past that rule.
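The outside-interface deny rule described in the two comments above, written out as the equivalent ASA CLI (what ASDM 6.2 pushes to the box behind the GUI). This is an added example, not configuration from the original post or from Cisco; the interface name outside, the ACL name outside_access_in, the object-group name BAD_IPS and the public address 203.0.113.10 (a documentation address standing in for the real one) are assumptions. The blocked address is the one quoted in the question.

```text
! Added example, not from the original post. Names and addresses are assumed.
! Group of sources to drop; add further network-object lines as new attackers appear.
object-group network BAD_IPS
 network-object host 166.181.81.25

! The deny must be the FIRST entry of the ACL bound to the OUTSIDE interface,
! because the ASA stops evaluating at the first line that matches.
access-list outside_access_in line 1 extended deny ip object-group BAD_IPS any
! The existing rule that admits OWA / ActiveSync clients stays below it.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_access_in in interface outside

! Verify: the deny line is listed first and its hitcnt climbs during an attack.
show access-list outside_access_in
```

On the 8.2 code that ASDM 6.2 manages, an ACL on the outside interface matches the public (pre-NAT) address, which is why the permit line names the outside IP rather than the Exchange server's inside address. For an attack already in progress, shun 166.181.81.25 drops that source immediately without editing the ACL, but shuns are not written to the configuration and do not survive a reload. Either way, a manual blacklist only helps while the traffic comes from a single source, as it does here.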

Author Comment

by:MPATechTeam
ID: 39942935
Ahh -
well, we were following this article:
http://www.petenetlive.com/KB/Article/0000743.htm

Is it wrong?


Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

My understanding is that this device would go BEFORE the firewall.
ISP WAN > IPS Sensor > Cisco WAN Port

Is that accurate?
LVL 17

Expert Comment

by:Spartan_1337
ID: 39942994
That is blocking an internal host from reaching an external IP. It is not the same thing, and not wrong, but it doesn't apply to what you are looking for.

A good IDS/IPS sensor would inspect inside and outside, not just outside.
Outside - IPS - Firewall - (SPAN port) IPS Inside, (SPAN port) IPS Inside DMZ

A good IDS sensor is really based on budget.
Here are vendors that have sensors which are very good:

Cisco IDS/IPS
SourceFire
TippingPoint - HP
Juniper

Keep in mind that these devices are very expensive

Author Comment

by:MPATechTeam
ID: 39943027
Thanks for the information!

It looks like there aren't any IPSs available at a price under $1,000?
LVL 17

Expert Comment

by:Spartan_1337
ID: 39943118
There are open source options that you could consider but you will ultimately have to decide what is best for your situation and organization.

Suricata

http://suricata-ids.org/

SNORT

http://www.snort.org/

Author Comment

by:MPATechTeam
ID: 39943270
Gotcha. I appreciate all the help.

#1 I contacted ZyXEL and they said that they believed their ZyXEL USG series would work if we purchase the security subscription service. This allows traffic to be blocked based upon known patterns and also has limited for requests.

Do you think this could be a good option?

#2 My understanding is that an IPS/IDS replaces our existing firewall. It is not designed to sit outside of the perimeter of the network. Is that accurate?

#3 Our biggest issue right now is the outbound RESPONSES that our internal network sends out in response to these inbound requests.
Because cell phones connect to exchange using port 443, we do need the service to respond in those cases.
What I'm wondering is this:
Would there be any way to limit the RESPONSES to requests on port 443 on the SBS 2011 server itself? I.e. IIS configuration or Exchange configuration? Just shooting in the dark here.

I realize that incoming requests would still get through our firewall, but as long as we don't respond, we would resolve the troubles we're having with our ISP.

#4 Does this look OKAY? "CMTEL=Outside Interface/ISP"
http://screencast.com/t/0eelu01Ni

Author Comment

by:MPATechTeam
ID: 39943372

Author Comment

by:MPATechTeam
ID: 39943373
Never mind, it requires Forefront.

Author Comment

by:MPATechTeam
ID: 39943914
What are your thoughts on this feature?

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html

Or - Directly on the Exchange server:
http://technet.microsoft.com/en-us/library/bb123712(v=exchg.150).aspx

-or-

http://www.shudnow.net/2009/09/26/exchange-2010-client-throttling/

I'm considering this stuff because port 443 is being targeted.

I'm wondering if I can simply limit the connections to the server in which the 443 service is in-use.

What are your thoughts on this?
LVL 17

Expert Comment

by:MAG03
ID: 39944914
The link to the Cisco document you posted is for IOS and not ASA, but the ASA does have a similar feature.

If this is a TCP SYN attack, then you could do several things: limit the number of allowed half-open connections (embryonic connections), or rate-limit the number of allowed SYN messages per second.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html#tcp
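The embryonic-connection and per-client limits MAG03 describes, written out as an ASA Modular Policy Framework policy, together with the threat-detection step that actually shuns an offender (the "Enable basic threat detection" box already ticked in the question only gathers statistics and raises syslogs; it drops nothing on its own). This is an added example, not configuration from the original post or from Cisco documentation; the public address 203.0.113.10, the ACL and class-map names, and the numeric limits are assumptions and should be tuned against the site's real client count.

```text
! Added example, not from the original post. Names, addresses and limits are assumed.
! 1. Match inbound HTTPS to the OWA server's public address (pre-NAT on 8.2 code).
access-list OWA_TCP extended permit tcp any host 203.0.113.10 eq https
class-map OWA_CONN
 match access-list OWA_TCP

! 2. Cap total and per-source connections, and half-open (embryonic) connections.
!    A host opening ~1,000 connections a second hits per-client-max at once;
!    a phone syncing Exchange uses a handful, so legitimate clients are untouched.
policy-map global_policy
 class OWA_CONN
  set connection conn-max 2000 embryonic-conn-max 500
  set connection per-client-max 50 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:20
service-policy global_policy global

! 3. Go one step beyond basic threat detection: shun hosts that trip the
!    scanning-threat rate, here for one hour, using an assumed rate of
!    10 events/s average and 20 burst over a 600 s interval.
threat-detection scanning-threat shun duration 3600
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20

! Verify which policy a flow from the attacker would hit, who is shunned,
! and how many connections are open.
show service-policy flow tcp host 166.181.81.25 host 203.0.113.10 eq 443
show threat-detection shun
show conn count
```

Two caveats matter for the ISP problem in the question. Excess connections over per-client-max are dropped silently, so nothing leaves the site for them. The embryonic limit, however, works by TCP intercept: once it is reached the ASA answers new SYNs itself with SYN cookies, so SYN-ACKs still go out toward the attacker, and if the ISP counts those the embryonic limit will not quiet the outbound counter. Only a drop (the deny ACL, shun, or the scanning-threat shun) is fully silent. A shun placed by threat detection is released with clear threat-detection shun, and a legitimate address that trips it can be excluded with the except keyword of the scanning-threat command.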
LVL 17

Expert Comment

by:Spartan_1337
ID: 39944969
IDS/IPS does NOT replace your firewall. It is in addition to it, as another layer of security, but it cannot replace your firewall. Next-gen firewalls offer a one-box solution for IPS/IDS, firewall and a few other things, but these devices are out of your price range at the moment.

The throttling policy is for existing Exchange users; it is not going to stop a DoS attack.