ASA5512x settings

Unanswered Question
Oct 11th, 2013

Hey there,


We have one colocation and use one 2960 for all servers with an IP block /26. Now a server has been attacked by a DDOS, which causes the whole network to slow down. We plan to buy one Cisco ASA 5512x to put in front to prevent this kind of attack. The provider says we have to get another /29 configured on the ASA, then connect the /26 on the 2960. Because all servers are the same, open to the public, with no internal IP, no VLAN, and no NAT, can we just use one /26 on both the ASA and the 2960 and set up some rules on the ASA to prevent attacks? We are new to the ASA series. Please kindly advise. Thanks.

James Leinweber Mon, 10/14/2013 - 12:26

It's possible to run the ASA in "transparent" mode with the management interface on the /26 and no separate vlan.


However, this may or may not solve your DDOS problem. If the problem is that the end hosts are experiencing high CPU processing DDOS packets, and that the DDOS packets are of a type that can be filtered on the ASA, then the ASA might help. In the more likely case that the DDOS is targeting a service the end hosts are providing (like HTTP, or DNS, or FTP), and which would be permitted through the firewall anyway, the firewall will have little effect on the DDOS. Or if the problem is that your WAN link is being starved for bandwidth by the DDOS, putting an ASA on the far end of the congested segment will have no effect; you need to block the traffic upstream at the ISP, or sign up with a content distribution network which can evade the DDOS by using multiple high-bandwidth connections distributed at many geographically separated sites.


Do you know if the DDOS is aimed at you specifically, or are you collateral damage for some previous user of the affected IP addresses?   If it's the latter, you might be able to hide from the DDOS by changing to a different /26 block from your ISP.


-- Jim Leinweber, WI State Lab of Hygiene

hostingtt Tue, 10/15/2013 - 16:43

Thanks, Jim. You are correct. The ASA can work in transparent mode, which acts like a layer 2 switch. We can keep the IP config unchanged on the switch and add some rules like embryonic-conn-max on the ASA to prevent DDOS attacks. Based on your reply, it seems that if attacks focus on specific services or servers, which is our case now, we can do something on the ASA to prevent it. If it's a bad IP block that was previously attacked, we have to change to another IP block? That doesn't sound like a good solution.


Because we provide servers to our clients and they can do anything on the servers, if the ASA is not enough to prevent attacks, could you please kindly suggest some other or more powerful solution? I know some data centers use null routes/blackhole filtering to protect from attacks. Can the ASA do the same thing? Thanks.

James Leinweber Wed, 10/16/2013 - 08:28

I don't think there is any DDOS prevention silver bullet.   An ASA firewall probably has about as many anti-DDOS features as most other firewalls, so it's not a bad choice as a firewall.  By all means, use its features to protect the downstream clients.  But what defensive measures you take depends on what the attack is like.   This week, large DDOS attacks involve about 300 Gb/s of traffic originated from 100k botnet zombies and sustained for many hours; an ASA is not going to help much with that.  Unless your clients are the size and visibility of something like Wells Fargo bank, you probably won't find that aimed at them.


Examples:

- coping with immense attacks requires distributing the service widely geographically and replicating the content; the ASA won't help

- spoofed packets (e.g. DNS amplifications) saturating the uplink bandwidth have to be dealt with on routers upstream of the saturated link to the ASA; the ASA won't help

- saturating the downstream service with legitimate requests to starve out the real users in a resource exhaustion attack is something the ASA can only partially mitigate; you may be able to rate-limit the attacking clients somewhat and protect the downstream server from embryonic connections somewhat; but if a server can handle 10k HTTPS connections per second and it is receiving 20k/s of malicious ones, the ASA isn't going to help much

- If the problem is an unsophisticated low-bandwidth attack where the upstream link isn't saturated and either the real clients can be distinguished by an ACL or the attack packets aren't for services permitted by the ACLs, then the ASA will easily prevent the attack from annoying the downstream server.


It all depends on the network topology, service characteristics, and attack profile.  The bottom line is that the ASA is a decent firewall, but not much of an anti-DDOS tool.


-- Jim Leinweber, WI State Lab of Hygiene
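
The transparent-mode setup with embryonic-connection limits discussed in this thread, sketched as an added example that is not from either poster: it assumes ASA 8.4 or later bridge-group syntax, and the interface assignments, object names, the 192.0.2.0/26 documentation block standing in for the real /26, and every numeric limit are placeholders to be tuned against measured normal load.

```cisco
! Added example; addresses, names and limits are assumptions.
! Layer 2 mode: servers and the 2960 keep their existing /26 addressing.
! Note: changing firewall mode clears the running configuration.
firewall transparent
!
interface GigabitEthernet0/0
 description uplink to provider (assumed port)
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 description downlink to the 2960 (assumed port)
 nameif inside
 bridge-group 1
 security-level 100
!
! Management address for the bridge group, taken from the same /26.
interface BVI1
 ip address 192.0.2.62 255.255.255.192
!
! Servers are public: permit inbound traffic to the block.
! Narrow this per service where the real clients can be told apart.
access-list OUTSIDE_IN extended permit ip any 192.0.2.0 255.255.255.192
access-group OUTSIDE_IN in interface outside
!
! Apply connection limits to TCP aimed at the server block.
access-list PROTECT_SERVERS extended permit tcp any 192.0.2.0 255.255.255.192
class-map SERVERS_TCP
 match access-list PROTECT_SERVERS
!
policy-map OUTSIDE_POLICY
 class SERVERS_TCP
  ! Above the embryonic limit the ASA answers SYNs itself (TCP intercept)
  ! so half-open connections do not pile up on the servers.
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Cap established connections from any single source address.
  set connection per-client-max 200
  ! Drop half-open connections sooner than the 30-second default.
  set connection timeout embryonic 0:00:20
!
service-policy OUTSIDE_POLICY interface outside
```

These limits only address the low-bandwidth and half-open-connection cases from the list above; they do nothing for a saturated uplink, which still has to be filtered upstream.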
