Cisco ASA 5505 ASDM DoS Protection

Hi there,

We have a CISCO ASA 5505 which we primarily manage through the ASDM 6.2 GUI.

We have had an issue with a Denial of Service attack (not any DDOS's yet) coming from a single IP and hitting our open 443 port. We used port mirror / wireshark to determine the source of the attack. The most recent attacking IP was:

The incident happens like this:
Attacking IP sends a request to our public IP port 443. Cisco translates it and forwards the request to our Exchange server. (OWA runs on 443). Exchange server responds.
This happens about 1,000 in 1 second.

Our ISP has DoS filters enabled for OUTGOING packets ONLY. When we respond to these requests it flags our account with our ISP and they temporarily disable our internet. (at the Virtual Port Bridge)

HOW DO WE STOP THIS ATTACK? Specifically, how do we NOT respond to rapid requests that are indicative of a DoS attack but DO still respond to legitimate requests?

We have services dependent on 443 so we can not block the port it at the firewall.

Under Firewall > Threat Detection we have "Enable basic threat detection" enabled.

What else can we do through the Cisco ASDM 6.2 interface to protect against these types of attacks?

Please do hesitate to ask if I need to clarify anything about this request.
Who is Participating?
James HIT DirectorCommented:
Firewall cannot do that. For the function you are asking for would require an IDS/IPS sensor that will inspect the traffic and react as per how it was configured. Stateful firewalls cannot prevent a DOS attack but you could just create a "BAD IP" ACL group and just deny access by adding those IP's to that group. This is a very basic way but the 5505 can only handle so much.
MPATechTeamAuthor Commented:
Hi there,

THANK YOU for the response. That is unfortunately what I suspected.

We have created a "BAD IP" Network Object Group.

Then we created an ACCESS RULE under the INSIDE INTERFACE and set it to DENY. We made it the FIRST RULE.

Will that work as you are suggesting.

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

Thanks again. Your response was quite helpful.
James HIT DirectorCommented:
No, wrong interface. You need to put that ACL on your outside interface and make it the first rule. Remember that the firewall processes by order of rules and if another rule satisfies the request it will not look past that rule.
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

MPATechTeamAuthor Commented:
Ahh -
well, we were following this article:

Is it wrong?

Can you recommend a good IDS/IPS sensor? We have ~25 clients on our internal network.

My understanding is that this device would go BEFORE the firewall.
ISP WAN > IPS Sensor > Cisco WAN Port

Is that accurate?
James HIT DirectorCommented:
That is blocking an internal host to an external IP, not the same thing or wrong but doesn't apply to what you are looking for.

A good IDS/IPS sensor would inspect inside and outside, not just outside.
Outside - IPS - Firewall - (SPAN port) IPS Inside, (SPAN port) IPS Inside DMZ

A good IDS sensor is really based on budget.
Here are vendors that have sensors which are very good:

TippingPoint - HP

Keep in mind that these devices are very expensive
MPATechTeamAuthor Commented:
Thanks for the information!

It looks there aren't any IPS's available for at a < $1,000 price?
James HIT DirectorCommented:
There are open source options that you could consider but you will ultimately have to decide what is best for your situation and organization.


MPATechTeamAuthor Commented:
Gotchya. I appreciate all the help.

#1 I contacted ZyXEL and they said that they believed their ZyXEL USG series would work if we purchase the security subscription service. This allows traffic to be blocked based upon known patterns and also has limited for requests.

Do you think this could be a good option?

#2 My understand is that an IPS/IDS replaces our existing firewall. It is not designed to sit outside of the permitter of the network. Is that accurate?

#3 Our biggest issue right now is the outbound RESPONSES that our internal network sends out in response to these inbound requests.
Because cell phones connect to exchange using port 443, we do need the service to respond in those cases.
What I'm wondering is this:
Would there be any way to limit the RESPONSES to requests on port 443 on the SBS 2011 server itself? I.e. IIS configuration or Exchange configuration? Just shooting in the dark here.

I realize that incoming requests would still get through our firewall, but as long as we don't respond, we would resolve the troubles we're having with our ISP.

#4 Does this look OKAY? "CMTEL=Outside Interface/ISP"
MPATechTeamAuthor Commented:
MPATechTeamAuthor Commented:
Nevermind - requires forefront.
MPATechTeamAuthor Commented:
What are your thoughts on this feature?

Or - Directly on the Exchange server:


I'm considering this stuff because port 443 is being targeted.

I'm wondering if I can simply limit the connections to the server in which the 443 service is in-use.

What are your thoughts on this?
Marius GunnerudSenior Systems EngineerCommented:
The link to the cisco document you post is for IOS and not ASA... but the ASA does have a similar feature.

If this is a TCP syn attack then you could do several things; limit the number of allowed half-open connection (embryonic connections), rate-limit the number of allowed syn messages per second.
James HIT DirectorCommented:
IDS/IPS does NOT replace your firewall. This is in addition to it as another layer of security but it cannot replace your firewall. NextGEN firewalls have a one box solution for IPS/IDS and F/W and a few other things but these devices are out of your price range at the moment.

Throttling policy is for existing Exchange users, not going to stop DOS attack.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.