Can inspection do this or do I need IDS?

patrick.peters · ‎11-16-2007

We have an ASA 5520 and I'm new to the inspection features of the IOS (version 7.2(2)).

I've got someone occasionally taking a brute force login attack to our FTP server. It always originates from a different IP address, so it's difficult to shun unless you happen to catch it in progress. I'd like to teach the ASA to shun the source IP address after some number of failed login attempts to the FTP server.

I haven't found a way to use application inspection to detect a failed login attempt to the FTP server, but I'm new to this kind of inspection. Am I missing something in the capabilities of the ASA or do I need an IDS to detect the threat and then tell the ASA to stomp on it?

Thanks

Patrick

rajbhatt · ‎11-19-2007

Hi Patrick,

Try creating a class map with a policy map that would be bound to teh service policy and open a port for inspection :

access-list global_mpc extended permit tcp any any eq 21

class-map TCP-traffic

match access-list global_mpc

policy-map global-policy

class TCP-traffic

set connection timeout embryonic 0:05:00

Raj

patrick.peters · ‎11-21-2007

Hi Raj,

Thanks for the suggestion. I want to make sure I understand what it's doing.

I looks like you're applying a connection timeout to the ftp traffic. If I understand the timeout correctly, this would take care of connections that haven't fully formed yet (that's the embryonic, right?). If so, I'm not sure that will catch my tormentor. If he's tryinig to log into the ftp server, that connection is fully formed from a TCP standpoint. It's the ftp layer that's embryonic, not the tcp layer.

Am I missing something?

Thanks

Pat

sbaddipudi · ‎11-21-2007

Hi Patrick,

Can you trace the IP of the attacker? Can you trace it to an ISP? What I am getting at is that if the attacker is coming from an ISP in a country where you have no business with, you can as well block the whole range that belongs to that ISP. Just a thought. Quick Solution.

Satya

patrick.peters · ‎11-21-2007

They change IP addresses every time they come at us. I think they're all coming from Brazil, but I don't know if they're all coming from the same ISP. I guess I could do a pretty big blocking action, but that seems like a dull tool to solve this problem.

sbaddipudi · ‎11-21-2007

Yeah I know.

You can use the inspection (IOS world - you can use CBAC or tcp intercept) to limit the embryonic connections, so that you can protect yourself. But for the quick mitigation, just block that range, so that it discourages the attacker and gives you time to come up with a strategy. Right now you are seeing DoS attack, but if he is looking for venues to penetrate into the network, thats a issue.

Satya

patrick.peters · ‎11-21-2007

It's not really a DoS attack, so much. They'll come at us for 15 mintues (you can set your watch by the duration), from a different IP address each time. They're connecting to the server and then running user names and passwords, brute force.

So, it's not quite a DoS attack. More like password cracking. Makes them a little harder to chase away because you need to recognize that the TCP connection is fine but the application layer logins are not.

sbaddipudi · ‎11-21-2007

Hi Patrick,

Where do they login into? I assume your FTP server, right? What do you guys have? - plain ftp? or sftp? or ftps?

Satya

patrick.peters · ‎11-21-2007

Right now, it's just the basic ftp that comes with Microsoft IIS. We're looking at other FTP servers that could defend themselves. I was hoping I could get the ASA to help me so I wouldn't have to spend any money :-)

sbaddipu · ‎11-21-2007

Is that the local login authentication or through some AD? You may be able to protect login attack by configuring AD.

But for what you are looking at, you may be able to do it using IDS. I donot exactly remember but you may be able to download ACLs dynamically onto the interfaces from IDS - shun ...something like that

Satya