08-29-2013 02:31 AM - edited 03-11-2019 07:32 PM
Good day everybody!
I have an ASA 5510 v8.3. Now I am under attack by a botnet on port 60595. I ordered the ASA Botnet Traffic Filter feature, but it will only arrive in 2 weeks.
At the moment, I need to block certain port (60595) on outside interface.
Which commands should I apply to external (outside) interface of my ASA?
Is it something like...:
access-list antibotnet deny tcp any any eq 60595
access-list antibotnet permit tcp any any
access-group antibotnet in interface outside
But it seems to me that applying these rules will allow all traffic except port 60595... =((((
Maybe I should add this rule "access-list **** deny tcp any any eq 60595" to one of the existing ACLs applied to outside?
Please, help me!!!
Many thanks in advance!!!
08-29-2013 02:44 AM
Hi,
You can only have one ACL per INTERFACE per DIRECTION
So if you already have an ACL configured/attached with an "access-group" command and attached to the "in" direction then you are probably already blocking this port to any hosts that have Static NAT configured since the WAN interface ACLs are usually configured so that you only allow the services that you need and rest of the traffic is blocked.
That is, unless you have permitted all TCP ports with either "permit tcp" or "permit ip" commands. In this case you should add the mentioned "deny tcp" statement to the top of the ACL currently attached to your ASA WAN interface with the "line" parameter in the ACL command
For example
access-list
access-list
You can also confirm if its being blocked with "packet-tracer" command
For example
packet-tracer input
- Jouni
08-29-2013 03:58 AM
Jouni, many thanks to you!
Will these commands
access-list
access-list
replace my existing two lines? Or will they be kept?
Could it be also accomplished with web-interface of ASA?
If something goes wrong, may I manually reset ASA or execute a reload command? Without doing write mem...
Thanks!
08-29-2013 04:12 AM
Hi,
Remember of course that you need to replace the
The above will enter those lines into the existing ACL. The ACL lines currently at those line numbers will not be removed; they will just be moved down in the order of ACL rules.
Naturally, if you don't save the configuration, a reboot would result in returning to the last saved startup configuration. An easier way would be just to remove those lines that were configured.
- Jouni
08-29-2013 04:38 AM
Jouni, thank you!
What do you think: on my ASA 5510 ver 8.3, if I simply execute the
ip audit attack action reset
command, wouldn't it prevent the current botnet attack?
08-29-2013 05:04 AM
Hi,
If the ACL is blocking all the traffic needed then the connection attempts will either be dropped or dropped and reset by the firewall, depending on the settings.
I imagine your current settings could be determined with the command
show run all service
Here is a link to the possible configuration settings you will see with the above
http://www.cisco.com/en/US/docs/security/asa/command-reference/s1.html#wp1452931
For the command you mention, here is the Configuration Guide section for it
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_tools.html#wp1056358
I would imagine that if something matches the ASA signatures it would take the action specified in your above command.
We handle IPS/IDS with different equipment which I don't personally manage, so I have very little experience with them (though I will have to learn them eventually).
- Jouni
08-29-2013 05:24 AM
I am sorry, but the output from this command is very large. What exactly should tell me whether port 60595 is open?
inet-gw# packet-tracer input internet tcp 1.1.1.1 12456 37.77.133.242 60595
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 37.77.133.242 255.255.255.255 identity
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Internet
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
My output from access-list command is
inet-gw# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list default; 1 elements; name hash: 0xab7c92cd
access-list default line 1 extended permit ip any any (hitcnt=78823019) 0xa4b61d1a
access-list outside_access; 9 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host 192.168.115.129 eq echo (hitcnt=0) 0x8dd39078
access-list outside_access line 2 extended permit ip host 93.189.150.162 host 192.168.100.5 (hitcnt=2545) 0xda5702de
access-list outside_access line 3 extended deny tcp any host 192.168.100.5 eq 8080 (hitcnt=121) 0xb7157de9
access-list outside_access line 4 extended deny tcp any host 192.168.100.5 eq 3306 (hitcnt=24) 0xe3523179
access-list outside_access line 5 extended deny tcp any host 192.168.100.5 eq www (hitcnt=2039) 0x853ba124
access-list outside_access line 6 extended deny tcp any host 192.168.100.5 eq ssh (hitcnt=61) 0xb5c2764a
access-list outside_access line 7 extended permit ip any host 192.168.100.22 (hitcnt=1760) 0x9528e39f
access-list outside_access line 8 extended permit ip any object NAT-EMTS 0x11873501
access-list outside_access line 8 extended permit ip any 192.168.96.0 255.255.224.0 (hitcnt=21785204) 0x11873501
access-list outside_access line 9 extended permit ip any object NAT-Internet 0x8275f9b1
access-list outside_access line 9 extended permit ip any 192.168.96.0 255.255.224.0 (hitcnt=0) 0x8275f9b1
access-list VPN-remote; 1 elements; name hash: 0xdf750072
access-list VPN-remote line 1 standard permit 192.168.96.0 255.255.224.0 (hitcnt=0) 0x30c28b82
inet-gw#
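The `show access-list` output above can be checked for the ACL phase without touching the box. What follows is an added example (editor's code, not from the thread or from Cisco): a small Python first-match evaluator that parses that output, reports which line permits or denies a given flow, and emulates the `access-list NAME line N ...` insertion Jouni describes, so you can see that a deny added at line 1 wins over the broad `permit ip any <subnet>` at line 8. It models only packet-tracer's ACCESS-LIST phase: there is no NAT/un-NAT lookup (which is what actually dropped the flow in the trace above), only the `any`, `host` and `address mask` operands and the `eq` port operator that appear in this output, and it uses the expanded entries the ASA prints right after an `object` line. The sample input is the thread's own outside_access output, abridged.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Service names the ASA prints in place of numbers (extend as needed).
PORT_NAMES = {"echo": 7, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "https": 443}

# One printed ACE: "access-list NAME line N extended permit|deny PROTO REST (hitcnt=N) 0xHASH"
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?)(?: \(hitcnt=\d+\))? 0x[0-9a-f]+$")


@dataclass
class Ace:
    line: int
    action: str
    proto: str                          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[int, int]]    # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]
    text: str


def _addr(toks, i):
    # Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at toks[i].
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _ports(toks, i):
    # Parse an optional 'eq PORT' operator (the only form in the thread); None = any port.
    if i < len(toks) and toks[i] == "eq":
        p = int(toks[i + 1]) if toks[i + 1].isdigit() else PORT_NAMES[toks[i + 1]]
        return (p, p), i + 2
    return None, i


def parse_ace(line, action, proto, rest):
    toks = rest.split()                 # trailing 'log' / 'inactive' keywords are ignored
    src, i = _addr(toks, 0)
    sport, i = _ports(toks, i)
    dst, i = _addr(toks, i)
    dport, _ = _ports(toks, i)
    return Ace(line, action, proto, src, sport, dst, dport, f"{action} {proto} {rest}")


def parse_show_access_list(output):
    """Return {acl_name: [Ace, ...]} in the order the ASA evaluates them."""
    acls = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        # Skip headers, standard ACLs and the unexpanded 'object X' line (its expansion
        # follows with the same line number).
        if not m or " object " in f" {m['rest']} ":
            continue
        acls.setdefault(m["name"], []).append(
            parse_ace(int(m["line"]), m["action"], m["proto"], m["rest"]))
    return acls


def evaluate(aces, proto, src, sport, dst, dport):
    """First match wins; no match falls to the implicit deny (packet-tracer's 'Implicit Rule')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.sport and not a.sport[0] <= sport <= a.sport[1]:
            continue
        if a.dport and not a.dport[0] <= dport <= a.dport[1]:
            continue
        return a.action, a.line, a.text
    return "deny", None, "implicit rule"


def insert_line(aces, line_no, rule):
    """Emulate `access-list NAME line N extended <rule>`: entries at N and below move down."""
    action, proto, rest = rule.split(maxsplit=2)
    for a in aces:
        if a.line >= line_no:
            a.line += 1
    idx = next((i for i, a in enumerate(aces) if a.line > line_no), len(aces))
    aces.insert(idx, parse_ace(line_no, action, proto, rest))


# The outside_access entries as printed in the thread's `show access-list` output (abridged).
SHOW_ACCESS_LIST = """\
access-list outside_access; 9 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host 192.168.115.129 eq echo (hitcnt=0) 0x8dd39078
access-list outside_access line 2 extended permit ip host 93.189.150.162 host 192.168.100.5 (hitcnt=2545) 0xda5702de
access-list outside_access line 5 extended deny tcp any host 192.168.100.5 eq www (hitcnt=2039) 0x853ba124
access-list outside_access line 6 extended deny tcp any host 192.168.100.5 eq ssh (hitcnt=61) 0xb5c2764a
access-list outside_access line 7 extended permit ip any host 192.168.100.22 (hitcnt=1760) 0x9528e39f
access-list outside_access line 8 extended permit ip any object NAT-EMTS 0x11873501
access-list outside_access line 8 extended permit ip any 192.168.96.0 255.255.224.0 (hitcnt=21785204) 0x11873501
access-list outside_access line 9 extended permit ip any object NAT-Internet 0x8275f9b1
access-list outside_access line 9 extended permit ip any 192.168.96.0 255.255.224.0 (hitcnt=0) 0x8275f9b1
"""

if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACCESS_LIST)["outside_access"]
    flow = ("tcp", "1.1.1.1", 12456, "192.168.100.5", 60595)
    print("before:", evaluate(acl, *flow))   # permitted by line 8, the broad 'permit ip any <subnet>'
    insert_line(acl, 1, "deny tcp any any eq 60595")
    print("after: ", evaluate(acl, *flow))   # denied by the new line 1
```

The evaluator says the ACL itself would let TCP/60595 through to any host in 192.168.96.0/19; on the real box the flow still died earlier because no NAT rule maps the outside address to an inside host, which is exactly why the trace shows no UN-NAT phase. The evaluator is a quick way to predict what `packet-tracer` will report for the ACL phase, not a replacement for running it.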
08-29-2013 05:29 AM
Hi,
If you only have the public IP address of your ASA's "outside" interface and you don't have any Static PAT configuration for the port TCP/60595, then the traffic is already dropped because there is no matching NAT configuration on the firewall and the ACL doesn't even come into the picture.
If you had a NAT configuration that would match the "packet-tracer" command's destination IP address and port then you would be seeing a "UN-NAT" phase in the output. Since we don't see it, you don't have any NAT configuration that would even enable this connection to cross the firewall from "outside" to "inside".
Naturally we have not yet seen your configurations or the actual information that you have used to determine what to block on the ASA
- Jouni
08-29-2013 05:37 AM
Is it enough to execute show nat to get the configuration?
08-29-2013 05:43 AM
Hi,
To me the "packet-tracer" output already seems to show that there is no NAT configuration on your firewall which would enable an external host to connect to some device behind the firewall with the destination IP of your "outside" interface and the destination port TCP/60595.
The command "show nat detail" would give detailed information of the NAT configurations on the firewall BUT as I said, the above already seems to indicate that there are no NAT configurations matching the traffic.
Though I am not sure if we are even looking at the right thing as I am not sure how you have defined that the port TCP/60595 should be blocked.
Are you perhaps seeing some Syslog messages?
- Jouni
08-29-2013 05:50 AM
Jouni,
Thank you very much for your help!!!
It seems to me that it is my inside traffic to external hosts on port 60595... =(( So, infected PCs are inside my LAN.
Now i try to identify them...
Thank you!!!
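Once the problem turns out to be outbound traffic from the LAN, the ASA's own syslog is the quickest way to find the infected machines. The following is an added example (editor's code, not from the thread): it parses ASA 302013/302015 (TCP/UDP connection built) and 106023 (packet denied by an ACL with the `log` keyword) messages and counts, per inside host, the connections to TCP/60595 leaving through a non-inside interface. A host that merely uses 60595 as its own source port is not flagged. The log lines are constructed for the example with documentation IP ranges; the interface name `Internet` comes from the packet-tracer output in the thread, `inside` is an assumption, and the ACL name `inside_access` in the sample is hypothetical.

```python
import re
from collections import Counter, defaultdict

# "IFACE:ip/port" as printed in ASA connection and ACL-deny messages. The mapped address in
# parentheses that follows a real endpoint carries no interface name and is deliberately not matched.
ENDPOINT_RE = re.compile(r"\b(?P<ifc>[A-Za-z0-9_-]+):(?P<ip>(?:\d{1,3}\.){3}\d{1,3})/(?P<port>\d+)")
MSGID_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):")

# 302013/302015 = TCP/UDP connection built (traffic got through), 106023 = denied by ACL (blocked).
BUILT, DENIED = {"302013", "302015"}, {"106023"}


def suspects(lines, port, inside_ifcs=frozenset({"inside"})):
    """Count, per inside host, connections to <port> on any non-inside interface.

    Direction words in the message are not used: in 302013 the 'for' endpoint is the
    responder and the 'to' endpoint the initiator, in 106023 it is src/dst, so the
    interface name on each endpoint is the reliable way to tell which side is the LAN.
    """
    hits = defaultdict(Counter)
    for line in lines:
        m = MSGID_RE.search(line)
        if not m or m["id"] not in BUILT | DENIED:
            continue
        eps = [e.groupdict() for e in ENDPOINT_RE.finditer(line)]
        remote = [e for e in eps if e["ifc"] not in inside_ifcs and int(e["port"]) == port]
        local = [e for e in eps if e["ifc"] in inside_ifcs]
        if remote and local:   # an inside host talking to <port> on the far side
            hits[local[0]["ip"]]["denied" if m["id"] in DENIED else "built"] += 1
    return dict(hits)


def rank(hits):
    """Most active inside host first."""
    return sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))


# Constructed sample log lines in the ASA message formats; not taken from the thread.
SAMPLE_SYSLOG = """\
Aug 29 2013 05:10:01 inet-gw %ASA-6-302013: Built outbound TCP connection 118 for Internet:198.51.100.7/60595 (198.51.100.7/60595) to inside:192.168.100.41/49231 (203.0.113.5/49231)
Aug 29 2013 05:10:03 inet-gw %ASA-6-302014: Teardown TCP connection 118 for Internet:198.51.100.7/60595 to inside:192.168.100.41/49231 duration 0:00:02 bytes 812 TCP FINs
Aug 29 2013 05:10:07 inet-gw %ASA-6-302013: Built outbound TCP connection 119 for Internet:198.51.100.7/60595 (198.51.100.7/60595) to inside:192.168.100.41/49232 (203.0.113.5/49232)
Aug 29 2013 05:10:09 inet-gw %ASA-6-302013: Built outbound TCP connection 120 for Internet:203.0.113.90/443 (203.0.113.90/443) to inside:192.168.100.22/50001 (203.0.113.5/50001)
Aug 29 2013 05:10:12 inet-gw %ASA-6-302013: Built outbound TCP connection 121 for Internet:203.0.113.91/80 (203.0.113.91/80) to inside:192.168.100.77/60595 (203.0.113.5/60595)
Aug 29 2013 05:10:15 inet-gw %ASA-6-302013: Built outbound TCP connection 122 for Internet:198.51.100.7/60595 (198.51.100.7/60595) to inside:192.168.100.58/52001 (203.0.113.5/52001)
Aug 29 2013 05:11:40 inet-gw %ASA-4-106023: Deny tcp src inside:192.168.100.41/49300 dst Internet:198.51.100.7/60595 by access-group "inside_access" [0x0, 0x0]
""".splitlines()

if __name__ == "__main__":
    for ip, c in rank(suspects(SAMPLE_SYSLOG, 60595)):
        print(f"{ip:16} built={c['built']} denied={c['denied']}")
```

To get 106023 lines for this port the deny must carry the `log` keyword, for example `access-list inside_access line 1 extended deny tcp any any eq 60595 log` applied with `access-group inside_access in interface inside`. If the inside interface has no ACL yet, remember that applying one ends with an implicit deny, so the new ACL also needs a `permit ip any any` (or whatever the site policy allows) after the deny line, otherwise all outbound traffic stops. `show conn port 60595` on the ASA lists the currently open connections without waiting for syslog.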
08-29-2013 05:18 AM
ip audit probably won't have any positive effect in your situation. The built-in signatures mainly match on outdated threats and some basic attacks. Even in official Cisco trainings they are not mentioned any more.
And I assume that the Botnet Traffic Filter also won't work in your situation. That system is not meant to protect you from a botnet that is attacking you. The purpose is to limit the communication with the botnet for clients that are infected, and with this to make sure that you are not participating in a botnet yourself.
A dedicated (Cisco)-IPS could help based on the reputation system. If the hosts attacking you have a bad score the IPS could drop the traffic immediately. But for that you would need a dedicated appliance or an AIP-SSM in your ASA together with the proper licensing and subscription.