DDoS attacks?

Answered Question
Jun 26th, 2008

Hello security people, help me find the answer to my security question.

Here is the problem: I have a Cisco 6506 with 48 Gigabit interfaces, 9 SFP ports and one firewall module. One SFP interface is connected to the ISP, and Gigabit Ethernet to the small offices. There is some virus on some computer that blocks my bandwidth from the ISP. I checked with "sh int gig x/y" that the upload is 90 Mb/s. Wow!!! Then I decided to implement MQC-based policing on the gig x/y interface. After some minutes there was another attack that not only locked my bandwidth but also killed my Cisco 6506. It was terrible... After 10-15 minutes the attack stopped. I checked the policing with "sh policy-map int gig x/y" and saw that the Cisco had dropped 8 GB. Hey people, help me find a solution, any suggestions? Is there any black-list to block the attacker's IP address automatically?

Correct Answer
Farrukh Haroon Thu, 06/26/2008 - 21:57

Here are some suggestions:

1) If you have the FWSM, use the www.fireplotter.com trial version to profile the traffic; then you can use the clear local-host command to clear the sessions off the firewall.

2) Use NetFlow:

http://www.securityfocus.com/infocus/1796

3) Try to update your systems with updated anti-virus defs, and 'detect' the worm name exactly. Google the remediation procedure for that worm and start your work...

4) Temporarily make your firewall policy HTTP + necessary ports only (if it was not permit any any before).

Regards

Farrukh
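Added worked example, not part of the original thread: an IOS configuration for the 6506 that turns Farrukh's NetFlow suggestion and the poster's MQC policing into concrete commands, with a static blacklist in between. The interface name GigabitEthernet1/1 (assumed to be a routed port facing the offices), the office range 10.0.0.0/16, the collector 192.0.2.10, the two host addresses and the port list are assumptions for illustration; the commands themselves are standard IOS 12.2 NetFlow, ACL and MQC syntax.

```cisco
! Added example, not from the original thread. Assumed names: GigabitEthernet1/1
! is the office-facing routed port, 10.0.0.0/16 is the office range, 192.0.2.10
! is a NetFlow collector, 10.0.5.23 and 10.0.7.41 are hosts NetFlow identified.
!
! 1) NetFlow on the office-facing port. Export to a collector if you have one;
!    the on-box cache alone is enough to spot a worm, which shows up as one
!    source with thousands of short flows fanning out to many destinations.
ip flow-export version 5
ip flow-export destination 192.0.2.10 2055
!
interface GigabitEthernet1/1
 description Offices
 ip flow ingress
!
! On the 6500 most flows are switched in hardware, so check the PFC cache too:
! show ip cache flow
! show mls netflow ip
! show mls netflow ip | include 10.0.5.23
!
! 2) Blacklist the identified hosts at the office-facing port, so the traffic
!    is dropped before it reaches the ISP link or the firewall module. No 'log'
!    keyword on purpose: on the 6500, logged ACE hits are punted to the route
!    processor, which is exactly what you want to keep idle during an attack.
ip access-list extended OFFICE-IN
 deny   ip host 10.0.5.23 any
 deny   ip host 10.0.7.41 any
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group OFFICE-IN in
!
! 3) MQC policing as the poster used, but narrowed to a class. Assumption: the
!    worm spreads on the classic Windows ports (135/139/445 TCP, 1434 UDP);
!    adjust the list once the worm is identified. Normal web traffic is left
!    alone instead of sharing one policer with the scanning traffic.
ip access-list extended WORM-PORTS
 permit tcp 10.0.0.0 0.0.255.255 any eq 135
 permit tcp 10.0.0.0 0.0.255.255 any eq 139
 permit tcp 10.0.0.0 0.0.255.255 any eq 445
 permit udp 10.0.0.0 0.0.255.255 any eq 1434
!
class-map match-any WORM-TRAFFIC
 match access-group name WORM-PORTS
!
policy-map OFFICE-POLICE
 class WORM-TRAFFIC
  police 1000000 187500 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/1
 service-policy input OFFICE-POLICE
!
! Verify hit counts after applying:
! show access-lists OFFICE-IN
! show policy-map interface GigabitEthernet1/1
```

The ordering matters: the ACL drops the hosts you already know about, the policer only has to contain what you have not identified yet, and NetFlow keeps telling you which hosts to move from the second group into the first. Clearing the `show access-lists` counters before a check (`clear access-list counters`) makes it easy to see whether a new host has started scanning.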

noodles44 Thu, 06/26/2008 - 22:36

Hmm... I found that virus; there were 5 infected computers. But it is possible the system can get infected again and again, because I don't have any access to the user computers.

Can the firewall block those attacks itself? Is there any feature like a black-list?

Farrukh Haroon Fri, 06/27/2008 - 02:17

Well, you can implement the black-list (if you know the rogue IPs) using a simple access-list.

Regards

Farrukh

Correct Answer
Farrukh Haroon Fri, 06/27/2008 - 02:58

No, there is no such thing on the ASA to my knowledge. Maybe on the CSC module for anti-spam etc., but not on the ASA itself.

Regards

Farrukh

trippi Mon, 06/30/2008 - 18:25

You could configure threat detection and have the ASA automatically shun the IP based on thresholds...
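Added worked example, not part of the original thread: an ASA configuration that covers Farrukh's access-list blacklist (his reply above), the manual shun, and trippi's threat-detection auto-shun. The interface name inside, the office range 10.0.0.0/16, the hosts 10.0.5.23 and 10.0.7.41, and the management station 10.0.1.5 are assumptions; the commands are ASA 8.0 syntax. The access-list, clear local-host and shun parts also apply to the FWSM in the poster's 6506; threat detection is an ASA 8.0 feature, so check the FWSM release notes before counting on it there.

```cisco
! Added example, not from the original thread. Assumed names: interface
! "inside" faces the offices, 10.0.5.23 and 10.0.7.41 are the infected hosts,
! 10.0.1.5 is the management / patching station that must never be shunned.
!
! 1) Static blacklist of the known rogue IPs. An object-group lets the list
!    grow without editing the ACL; the deny line must sit above the permits.
!    The permits double as Farrukh's "HTTP + necessary ports only" policy.
object-group network BLACKLIST
 network-object host 10.0.5.23
 network-object host 10.0.7.41
!
access-list INSIDE-IN extended deny ip object-group BLACKLIST any
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.255.0.0 any eq www
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.255.0.0 any eq https
access-list INSIDE-IN extended permit udp 10.0.0.0 255.255.0.0 any eq domain
!
access-group INSIDE-IN in interface inside
!
! An ACL change does not tear down connections that are already built, so
! drop the existing state for each blacklisted host as well:
! clear local-host 10.0.5.23
! clear local-host 10.0.7.41
!
! 2) Manual shun: packets from the host are dropped before the ACL is even
!    consulted and its existing connections are torn down. Shuns are not
!    written to the configuration and disappear on reload.
! shun 10.0.5.23
! show shun
! no shun 10.0.5.23
!
! 3) Threat detection: have the ASA classify scanning hosts itself and shun
!    them for one hour. A worm-infected PC (many connections to many hosts)
!    matches the scanning profile. The 'except' line protects the station
!    that legitimately touches every host.
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection scanning-threat shun except ip-address 10.0.1.5 255.255.255.255
!
! Thresholds at which a host is declared an attacker. These are the ASA
! defaults, written out so they can be tuned; lower the average-rate to
! catch slower scanners, raise it if busy servers get flagged.
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
!
! Verify what is being caught:
! show threat-detection scanning-threat attacker
! show threat-detection shun
! show threat-detection rate scanning-threat
```

Two cautions from the ASA documentation: scanning-threat statistics cost CPU on the firewall, so enable them for the duration of the incident rather than by default, and check `show threat-detection scanning-threat attacker` before trusting the auto-shun, since a domain controller, backup server or vulnerability scanner can look exactly like a worm to the rate counters and will be shunned unless it is on the `except` list.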
