How to stop DDOS attack on Web Server

aijaz802
Level 1

Hi,

One of our customers' webservers is hosted with us and it's behind the ASA & IPS with the standard IPS configuration. I have also enabled some signatures related to IIS and DDOS. The website is constantly under DDOS attack from various IP addresses; each single IP address, with different source ports, is opening more than 20 sessions at a time to the web server and consuming the server resources and bandwidth, and the IPS is not able to detect this. I have also enabled netflow on the ASA for this server, and the netflow report is showing normal traffic with different source IP addresses and ports. The webserver is constantly under attack even when it is present with another DSP/ISP.

Is there an option I need to configure in the IPS or ASA to stop this? The IPS signatures are the latest update.

Thanks,

Aijaz

5 Replies

Panos Kampanakis
Cisco Employee

There are DDos signatures in the IPS. You might need to tune them depending on the attack.

Also, you can set embryonic connection limits on the ASA if the connections the attackers open are half-open.

I hope it helps a little.

PK

aijaz802
Level 1

Hi,

Thanks for the info. I have set per-client-embryonic-max and per-client-max to 5 with a proper policy-map and class-map, but I don't know whether it's in effect or not. Is there any way to see the hits for this?

I have enabled all the default DDOS and webserver related high risk signatures, but none of them seems to hit. I created a new Service HTTP signature with Max Header Field Length set to 20 and Maximum Request Field Length set to 20; it has stopped 50% of the hits for this server, but it is also stopping access to some other web servers. Is there any way I can enable this signature only for a particular webserver instead of all the traffic going through the IPS?

Thanks,

Aijaz

For the first question you can do "sh service-policy" to see the statistics.

You can enable a signature for certain hosts using a filter.

I hope it helps.

PK
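As an added illustration of the per-client limits and the "sh service-policy" check discussed above (this is a constructed ASA configuration fragment, not either poster's actual config), the following assumes the attacker-facing interface is named "outside", the web server is 203.0.113.10 (a documentation address), and the ACL, class-map and policy-map names are invented:

```text
! Constructed example: match only traffic to the one web server under attack,
! so the limits do not touch the other servers behind the ASA.
access-list WEBSRV_ACL extended permit tcp any host 203.0.113.10 eq www
!
class-map WEBSRV_CLASS
 match access-list WEBSRV_ACL
!
policy-map OUTSIDE_POLICY
 class WEBSRV_CLASS
  ! Each source IP may hold at most 5 established and 5 half-open (embryonic)
  ! TCP connections to this server; connections beyond that are dropped.
  set connection per-client-max 5 per-client-embryonic-max 5
  ! Clear half-open connections quickly instead of letting them sit
  ! until the default embryonic timeout expires.
  set connection timeout embryonic 0:00:30
!
! Attach the policy to the interface the attack arrives on.
service-policy OUTSIDE_POLICY interface outside
!
! Verification (show commands, not configuration):
!   show service-policy interface outside
!   show service-policy interface outside set connection
! The class's "Set connection policy" line repeats the configured limits, and
! the counters beneath it show the current connection count and the drops;
! a rising drop counter confirms the limits are in effect.
```

If the drop counter stays at zero while the attack continues, check that the ACL actually matches the server's translated address on the interface where the policy is applied.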

Would you please elaborate on the filter? I couldn't find any option in the signature to do filtering, except rules0/eventactionfilters, which is not related here.

You can make use of an event action filter (EAF) to remove the desired actions for the signature in question. You can find out more about event action rules, including event action filters, here:

http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html

You could also configure your signature to only fire when a specific IP address (or collection of IP addresses) is the victim.

Scott
