Go Premium for a chance to win a PS4. Enter to Win


Cisco ASA 5505 ASDM DoS Protection

Posted on 2014-03-20
Medium Priority
Last Modified: 2014-04-26
Hi there,

We have a CISCO ASA 5505 which we primarily manage through the ASDM 6.2 GUI.

We have had an issue with a Denial of Service attack (not any DDOS's yet) coming from a single IP and hitting our open 443 port. We used port mirror / wireshark to determine the source of the attack. The most recent attacking IP was:

The incident happens like this:
Attacking IP sends a request to our public IP port 443. Cisco translates it and forwards the request to our Exchange server. (OWA runs on 443). Exchange server responds.
This happens about 1,000 in 1 second.

Our ISP has DoS filters enabled for OUTGOING packets ONLY. When we respond to these requests it flags our account with our ISP and they temporarily disable our internet. (at the Virtual Port Bridge)

HOW DO WE STOP THIS ATTACK? Specifically, how do we NOT respond to rapid requests that are indicative of a DoS attack but DO still respond to legitimate requests?

We have services dependent on 443 so we can not block the port it at the firewall.

Under Firewall > Threat Detection we have "Enable basic threat detection" enabled.

What else can we do through the Cisco ASDM 6.2 interface to protect against these types of attacks?

Please do hesitate to ask if I need to clarify anything about this request.
Question by:MPATechTeam
  • 7
  • 5
LVL 17

Accepted Solution

James H earned 1500 total points
ID: 39942821
Firewall cannot do that. For the function you are asking for would require an IDS/IPS sensor that will inspect the traffic and react as per how it was configured. Stateful firewalls cannot prevent a DOS attack but you could just create a "BAD IP" ACL group and just deny access by adding those IP's to that group. This is a very basic way but the 5505 can only handle so much.

Author Comment

ID: 39942896
Hi there,

THANK YOU for the response. That is unfortunately what I suspected.

We have created a "BAD IP" Network Object Group.

Then we created an ACCESS RULE under the INSIDE INTERFACE and set it to DENY. We made it the FIRST RULE.

Will that work as you are suggesting.

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

Thanks again. Your response was quite helpful.
LVL 17

Expert Comment

by:James H
ID: 39942923
No, wrong interface. You need to put that ACL on your outside interface and make it the first rule. Remember that the firewall processes by order of rules and if another rule satisfies the request it will not look past that rule.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Author Comment

ID: 39942935
Ahh -
well, we were following this article:

Is it wrong?

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

My understanding is that this device would go BEFORE the firewall.
ISP WAN > IPS Sensor > Cisco WAN Port

Is that accurate?
LVL 17

Expert Comment

by:James H
ID: 39942994
That is blocking an internal host to an external IP, not the same thing or wrong but doesn't apply to what you are looking for.

A good IDS/IPS sensor would inspect inside and outside, not just outside.
Outside - IPS - Firewall - (SPAN port) IPS Inside, (SPAN port) IPS Inside DMZ

A good IDS sensor is really based on budget.
Here are vendors that have sensors which are very good:

TippingPoint - HP

Keep in mind that these devices are very expensive

Author Comment

ID: 39943027
Thanks for the information!

It looks there aren't any IPS's available for at a < $1,000 price?
LVL 17

Expert Comment

by:James H
ID: 39943118
There are open source options that you could consider but you will ultimately have to decide what is best for your situation and organization.





Author Comment

ID: 39943270
Gotchya. I appreciate all the help.

#1 I contacted ZyXEL and they said that they believed their ZyXEL USG series would work if we purchase the security subscription service. This allows traffic to be blocked based upon known patterns and also has limited for requests.

Do you think this could be a good option?

#2 My understand is that an IPS/IDS replaces our existing firewall. It is not designed to sit outside of the permitter of the network. Is that accurate?

#3 Our biggest issue right now is the outbound RESPONSES that our internal network sends out in response to these inbound requests.
Because cell phones connect to exchange using port 443, we do need the service to respond in those cases.
What I'm wondering is this:
Would there be any way to limit the RESPONSES to requests on port 443 on the SBS 2011 server itself? I.e. IIS configuration or Exchange configuration? Just shooting in the dark here.

I realize that incoming requests would still get through our firewall, but as long as we don't respond, we would resolve the troubles we're having with our ISP.

#4 Does this look OKAY? "CMTEL=Outside Interface/ISP"

Author Comment

ID: 39943373
Nevermind - requires forefront.

Author Comment

ID: 39943914
What are your thoughts on this feature?


Or - Directly on the Exchange server:



I'm considering this stuff because port 443 is being targeted.

I'm wondering if I can simply limit the connections to the server in which the 443 service is in-use.

What are your thoughts on this?
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 39944914
The link to the cisco document you post is for IOS and not ASA... but the ASA does have a similar feature.

If this is a TCP syn attack then you could do several things; limit the number of allowed half-open connection (embryonic connections), rate-limit the number of allowed syn messages per second.

LVL 17

Expert Comment

by:James H
ID: 39944969
IDS/IPS does NOT replace your firewall. This is in addition to it as another layer of security but it cannot replace your firewall. NextGEN firewalls have a one box solution for IPS/IDS and F/W and a few other things but these devices are out of your price range at the moment.

Throttling policy is for existing Exchange users, not going to stop DOS attack.

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question