Question regarding a DDOS attack

fedecotofaja
Level 1

Hi!

I am having a very ugly problem :-(

I have a 10MB Internet connection going through a 7206, then two ASAs in failover and then a Cisco CSS with a cluster of 3 web servers that receive constant HTTP transactions. The web servers hold a single web page with a single public IP address that is under attack.

I have a Netflow Analyzer showing thousands of HTTP connections (valid HTTP connections, getting a 200 OK response from the web server)... but trying to reach a nonexistent directory.

Thousands and thousands of these connections from thousands of different IP addresses. (Besides all the valid HTTP transactions)

My ISP is telling me that since all the HTTP requests are valid, there's no way for them to ''block'' this attack.

I am thinking about an IPS Sensor, creating a signature that blocks that traffic specifically, but if the directory or the attack changes, we need to constantly modify the signatures...

We've tried the Cisco Traffic Anomaly Detector and Guard and it did not detect the traffic as an attack!

Can somebody point me in the right direction for an approach to this situation?

Best Regards,

Federico.

2 Replies

Farrukh Haroon
VIP Alumni

First you need to analyze those source IPs (use Whois). Sometimes one changes the structure of their website and the search engine bots (e.g. Google) keep referencing the old pages. What I mean to say is that it's not always an 'attack'. Check the source IPs of the HTTP requests!

Your web-server should return the correct HTTP response code (404) for the search engines to remove your pages from their index (This is true even in normal circumstances).

If it's a legitimate attack, you can block it both at the ASA or at the IPS level. However this sort of functionality is better achieved through Application Firewalls (WAF).

Have a look at:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

http://www.cisco.com/en/US/products/ps9586/index.html

Please rate if helpful.

Regards

Farrukh
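A defender's first step, as the reply above suggests, is to work out which paths are being hit, from how many sources, and whether the server answers 200 where it should answer 404. The following is an added example, not code from this thread or from any Cisco product: it parses constructed Apache combined-format access-log lines (documentation IP ranges only), groups requests per path, flags paths that return 200 for a directory that no longer exists, counts hits from crawler user agents, and lists the busiest source IPs for a Whois check.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache "combined"-format log lines (documentation IPs only):
# a burst of hits on a directory that no longer exists, answered with 200 instead of 404.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2009:13:55:36 +0000] "GET /gone/dir/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2009:13:55:37 +0000] "GET /gone/dir/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2009:13:55:38 +0000] "GET /gone/dir/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2009:13:55:39 +0000] "GET /gone/dir/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.200 - - [10/Oct/2009:13:55:40 +0000] "GET /gone/dir/ HTTP/1.1" 200 512 "-" "Googlebot/2.1"
198.51.100.7 - - [10/Oct/2009:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
""".splitlines()

# Fields: client IP, timestamp, method, path, status, size, referrer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, min_sources=3):
    """Group requests by path and report paths hit from at least min_sources
    distinct IPs, with status codes, crawler hits and the sources to look up."""
    by_path = defaultdict(lambda: {"sources": Counter(), "status": Counter(), "bots": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        e = by_path[rec["path"]]
        e["sources"][rec["ip"]] += 1
        e["status"][rec["status"]] += 1
        if "bot" in rec["ua"].lower():  # crude crawler check by user agent (Googlebot etc.)
            e["bots"] += 1
    report = {}
    for path, e in by_path.items():
        if len(e["sources"]) < min_sources:
            continue
        report[path] = {
            "distinct_sources": len(e["sources"]),
            "requests": sum(e["sources"].values()),
            "status": dict(e["status"]),
            "crawler_requests": e["bots"],
            # a directory that no longer exists must answer 404; a 200 here is a server misconfiguration
            "serves_200": e["status"].get("200", 0) > 0,
            "sources_to_review": [ip for ip, _ in e["sources"].most_common(5)],
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```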

vasile.borcan
Level 1

Hi,

You should find Andrisoft's new product called WANGuard extremely useful just for that. We use it to detect DDoS attacks using NetFlow and mitigate them.

Regards,

Vasile Borcan
