Solved

Cisco ASA 5505 ASDM DoS Protection

Posted on 2014-03-20
13
2,032 Views
Last Modified: 2014-04-26
Hi there,

We have a CISCO ASA 5505 which we primarily manage through the ASDM 6.2 GUI.

We have had an issue with a Denial of Service attack (not any DDOS's yet) coming from a single IP and hitting our open 443 port. We used port mirror / wireshark to determine the source of the attack. The most recent attacking IP was: 166.181.81.25

The incident happens like this:
Attacking IP sends a request to our public IP port 443. Cisco translates it and forwards the request to our Exchange server. (OWA runs on 443). Exchange server responds.
This happens about 1,000 in 1 second.

Our ISP has DoS filters enabled for OUTGOING packets ONLY. When we respond to these requests it flags our account with our ISP and they temporarily disable our internet. (at the Virtual Port Bridge)


HOW DO WE STOP THIS ATTACK? Specifically, how do we NOT respond to rapid requests that are indicative of a DoS attack but DO still respond to legitimate requests?

We have services dependent on 443 so we can not block the port it at the firewall.


Under Firewall > Threat Detection we have "Enable basic threat detection" enabled.


What else can we do through the Cisco ASDM 6.2 interface to protect against these types of attacks?

Please do hesitate to ask if I need to clarify anything about this request.
0
Comment
Question by:MPATechTeam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
13 Comments
 
LVL 17

Accepted Solution

by:
James H earned 500 total points
ID: 39942821
Firewall cannot do that. For the function you are asking for would require an IDS/IPS sensor that will inspect the traffic and react as per how it was configured. Stateful firewalls cannot prevent a DOS attack but you could just create a "BAD IP" ACL group and just deny access by adding those IP's to that group. This is a very basic way but the 5505 can only handle so much.
0
 

Author Comment

by:MPATechTeam
ID: 39942896
Hi there,

THANK YOU for the response. That is unfortunately what I suspected.

We have created a "BAD IP" Network Object Group.

Then we created an ACCESS RULE under the INSIDE INTERFACE and set it to DENY. We made it the FIRST RULE.

Will that work as you are suggesting.

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

Thanks again. Your response was quite helpful.
0
 
LVL 17

Expert Comment

by:James H
ID: 39942923
No, wrong interface. You need to put that ACL on your outside interface and make it the first rule. Remember that the firewall processes by order of rules and if another rule satisfies the request it will not look past that rule.
0
Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

 

Author Comment

by:MPATechTeam
ID: 39942935
Ahh -
well, we were following this article:
http://www.petenetlive.com/KB/Article/0000743.htm

Is it wrong?


Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

My understanding is that this device would go BEFORE the firewall.
ISP WAN > IPS Sensor > Cisco WAN Port

Is that accurate?
0
 
LVL 17

Expert Comment

by:James H
ID: 39942994
That is blocking an internal host to an external IP, not the same thing or wrong but doesn't apply to what you are looking for.

A good IDS/IPS sensor would inspect inside and outside, not just outside.
Outside - IPS - Firewall - (SPAN port) IPS Inside, (SPAN port) IPS Inside DMZ

A good IDS sensor is really based on budget.
Here are vendors that have sensors which are very good:

Cisco IDS/IPS
SourceFire
TippingPoint - HP
Juniper

Keep in mind that these devices are very expensive
0
 

Author Comment

by:MPATechTeam
ID: 39943027
Thanks for the information!

It looks there aren't any IPS's available for at a < $1,000 price?
0
 
LVL 17

Expert Comment

by:James H
ID: 39943118
There are open source options that you could consider but you will ultimately have to decide what is best for your situation and organization.

Suricata

http://suricata-ids.org/

SNORT

http://www.snort.org/
0
 

Author Comment

by:MPATechTeam
ID: 39943270
Gotchya. I appreciate all the help.

#1 I contacted ZyXEL and they said that they believed their ZyXEL USG series would work if we purchase the security subscription service. This allows traffic to be blocked based upon known patterns and also has limited for requests.

Do you think this could be a good option?

#2 My understand is that an IPS/IDS replaces our existing firewall. It is not designed to sit outside of the permitter of the network. Is that accurate?

#3 Our biggest issue right now is the outbound RESPONSES that our internal network sends out in response to these inbound requests.
Because cell phones connect to exchange using port 443, we do need the service to respond in those cases.
What I'm wondering is this:
Would there be any way to limit the RESPONSES to requests on port 443 on the SBS 2011 server itself? I.e. IIS configuration or Exchange configuration? Just shooting in the dark here.

I realize that incoming requests would still get through our firewall, but as long as we don't respond, we would resolve the troubles we're having with our ISP.

#4 Does this look OKAY? "CMTEL=Outside Interface/ISP"
http://screencast.com/t/0eelu01Ni
0
 

Author Comment

by:MPATechTeam
ID: 39943373
Nevermind - requires forefront.
0
 

Author Comment

by:MPATechTeam
ID: 39943914
What are your thoughts on this feature?

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html

Or - Directly on the Exchange server:
http://technet.microsoft.com/en-us/library/bb123712(v=exchg.150).aspx

-or-

http://www.shudnow.net/2009/09/26/exchange-2010-client-throttling/

I'm considering this stuff because port 443 is being targeted.

I'm wondering if I can simply limit the connections to the server in which the 443 service is in-use.

What are your thoughts on this?
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39944914
The link to the cisco document you post is for IOS and not ASA... but the ASA does have a similar feature.

If this is a TCP syn attack then you could do several things; limit the number of allowed half-open connection (embryonic connections), rate-limit the number of allowed syn messages per second.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html#tcp
0
 
LVL 17

Expert Comment

by:James H
ID: 39944969
IDS/IPS does NOT replace your firewall. This is in addition to it as another layer of security but it cannot replace your firewall. NextGEN firewalls have a one box solution for IPS/IDS and F/W and a few other things but these devices are out of your price range at the moment.

Throttling policy is for existing Exchange users, not going to stop DOS attack.
0

Featured Post

Enroll in July's Course of the Month

July's Course of the Month is now available! Enroll to learn HTML5 and prepare for certification. It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question