
Deny inbound UDP flood

Apr 3rd, 2014

We are receiving thousands of "Deny inbound UDP from x.x.x.x/53 to x.x.x.x/2713 due to DNS Response" per minute on our ASA 5510. All of the responses are destined to a single one of our external IPs. This is overloading our ASA and preventing traffic getting out to the Internet during these attacks. Anyone have any suggestions as to what we can do to mitigate this problem? Thanks

Seb Rupik Fri, 04/04/2014 - 01:19

Hi William,

If the traffic is hitting your ASA then there is nothing you can do at that location. Do you have a router which you administer upstream of it? If so, look at using CAR:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-softwar...

Failing that, your ISP should be able to assist, either by configuring rate limiting to your external address or by blocking the UDP traffic to it.

cheers,

Seb.

William Gill Mon, 04/07/2014 - 12:46

The Cisco TAC engineer we spoke to recommended we allow any any udp port 53 inbound to correct the problem. I don't see how allowing udp port 53 traffic into our network would solve the problem, but it will stop the deny messages. Does this sound like a good idea?

Seb Rupik Thu, 04/10/2014 - 04:00

If this really is an attack then allowing the traffic into your network is not the correct action!

How is the problem manifesting itself? If the outbound link is being saturated with traffic then talk to your ISP.

If you think the volume of syslog messages on your ASA is causing a performance problem, then you can configure the message ID to appear at a higher syslog level so that it does not appear at your current logging level. Obviously this would be in effect for all messages of this type so you may not be aware of similar attacks taking place.

Talk to your ISP :)

cheers,

Seb.
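An added example, not from this thread, of the detection side of Seb's point: rather than silencing the deny message outright, keep it and have your syslog collector count it per destination and per minute, so a DNS-response flood aimed at one external address stays visible. It assumes the line quoted in the question is ASA message 106007 and that the ASA is emitting timestamps; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not from the thread). Message 106007 is the
# "Deny inbound UDP ... due to DNS Response" event quoted in the question; the
# timestamp layout assumes "logging timestamp" is enabled on the ASA.
SAMPLE_LOG = """\
Apr 03 2014 10:15:01: %ASA-2-106007: Deny inbound UDP from 203.0.113.10/53 to 198.51.100.5/2713 due to DNS Response
Apr 03 2014 10:15:01: %ASA-2-106007: Deny inbound UDP from 203.0.113.11/53 to 198.51.100.5/2713 due to DNS Response
Apr 03 2014 10:15:02: %ASA-2-106007: Deny inbound UDP from 203.0.113.12/53 to 198.51.100.5/2713 due to DNS Response
Apr 03 2014 10:15:02: %ASA-2-106007: Deny inbound UDP from 203.0.113.13/53 to 198.51.100.5/2713 due to DNS Response
Apr 03 2014 10:15:03: %ASA-2-106007: Deny inbound UDP from 203.0.113.14/53 to 198.51.100.5/2713 due to DNS Response
Apr 03 2014 10:15:30: %ASA-2-106007: Deny inbound UDP from 192.0.2.7/53 to 198.51.100.9/40211 due to DNS Response
Apr 03 2014 10:16:10: %ASA-2-106007: Deny inbound UDP from 203.0.113.15/53 to 198.51.100.5/2713 due to DNS Response
"""

LINE_RE = re.compile(
    r"^(?P<minute>\w{3} \d{2} \d{4} \d{2}:\d{2}):\d{2}: %ASA-\d-106007: "
    r"Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) due to DNS (?P<kind>Query|Response)$"
)

def parse_denies(log_text):
    """Return one dict per 106007 line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def flag_floods(events, threshold):
    """Group denies by (minute, dst). A destination whose per-minute count
    reaches `threshold` is reported with its count and its distinct source
    count, so a reflection flood at one external IP stands out from noise."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        key = (e["minute"], e["dst"])
        counts[key] += 1
        sources[key].add(e["src"])
    return sorted(
        (minute, dst, n, len(sources[(minute, dst)]))
        for (minute, dst), n in counts.items() if n >= threshold
    )

if __name__ == "__main__":
    for minute, dst, n, nsrc in flag_floods(parse_denies(SAMPLE_LOG), threshold=5):
        print(f"{minute} {dst}: {n} denied DNS responses from {nsrc} sources")
```

The level change Seb describes is made on the ASA with `logging message 106007 level <severity>`; counting the message on the collector is what lets you keep watching for this pattern after lowering its visibility on the box.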
