A friend has an ASA 5505 that is getting DoS'd, primarily from a couple of IPs at port 53.
The effect appears to be that the 5505 rebooted itself. For the short term I told him to
turn off the logging for that rule, thinking that perhaps the massive amount of logging for
all that deny activity is what caused the reboot. And I suggested putting in specific deny
rules for the attacking IPs with no logging. Are there other actions that would help
deal with this kind of attack? Thanks.
Tell your friend that you could configure some DDoS prevention actions on the firewall via the Modular Policy Framework (timeouts, maximum number of connections to a host or per host, etc.), but the real deal will be to go to the ISP and let them know what is going on... You want them to block that traffic at their circuit...
Why is that?
Because even if you block that traffic on your ASA, it has already taken bandwidth that real and legitimate traffic might want to use. Do you see the real problem here?
For Networking Posts check my blog at http://laguiadelnetworking.com/
Julio Carvajal Segura
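To make the two suggestions in this thread concrete (unlogged deny rules for the attacking sources, and MPF connection limits and timeouts on inbound DNS), here is an ASA configuration fragment. It is an added example, not configuration from either poster or from Cisco; the interface name, the source addresses (192.0.2.0/24 is a documentation range standing in for the real attackers), the DNS server address and the limit values are all assumptions to be adjusted for the actual box and ASA release.

```cisco
! --- Added example: ASA 5505 handling a UDP/53 flood from a few known sources ---
! Placeholder addresses, not the real attackers or server.

! 1. Known attackers: deny as early as possible and do not log the hits.
!    The flood of 106023 (ACL deny) syslogs is what the original poster suspects
!    pushed the 5505 over the edge, so "log disable" matters as much as the deny.
object-group network DOS-SOURCES
 network-object host 192.0.2.10
 network-object host 192.0.2.11

access-list OUTSIDE-IN extended deny udp object-group DOS-SOURCES any eq domain log disable
access-list OUTSIDE-IN extended permit udp any host 203.0.113.53 eq domain
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside

! 2. Even for traffic that still gets logged, cap the syslog rate so logging
!    can never become the thing that takes the firewall down.
!    (Limit ACL-deny messages to 10 per second; everything else is unaffected.)
logging rate-limit 10 1 message 106023

! 3. Modular Policy Framework: bound the connection table for inbound DNS.
!    per-client-max caps how many connections any single source may hold open,
!    which is exactly the profile here ("a couple of IPs" doing all the damage);
!    the short idle timeout releases UDP/53 entries quickly instead of letting
!    the attacker fill the table at the 5505's default timeout.
class-map DNS-INBOUND
 match port udp eq domain

policy-map global_policy
 class DNS-INBOUND
  set connection per-client-max 50 conn-max 1000
  set connection timeout idle 0:00:30
! On older ASA releases the idle timeout keyword is spelled "udp"/"tcp"
! instead of "idle"; check "set connection timeout ?" on the box.

! 4. Optional: shun the known sources. A shun is applied before the ACL lookup
!    and is cheaper than evaluating a deny rule on every packet.
shun 192.0.2.10
shun 192.0.2.11
```

Two checks worth doing after applying this: `show service-policy global` should show the DNS-INBOUND class with non-zero packet counts and, once the limits bite, drops; and `show logging` should no longer be dominated by 106023 messages. None of this recovers the bandwidth the flood consumes on the upstream circuit, which is the point the answer above makes about involving the ISP.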