Cisco Support Community
Community Member

DDoS Attack Using SSDP

For the last month we have been hit by DDoS attacks that seem to be using SSDP (port 1900 UDP). It just happened today and lasted 15 mins, during which time our internet connection (Comcast Business line, 100/20 Mbps) came to a crawl. No one could access anything on the net.

How can I mitigate these attacks? I have configured the ASA 5510 like this:

! Unicast RPF on both interfaces: drop packets whose source address is not
! reachable back through the interface they arrived on
ip verify reverse-path interface outside
ip verify reverse-path interface inside
! Legacy built-in IDS (ip audit): informational signatures alarm,
! attack signatures alarm and drop (plus TCP reset on the inside)
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface outside OUTSIDE_INFO
ip audit interface outside OUTSIDE_ATTACK
ip audit interface inside INSIDE_INFO
ip audit interface inside INSIDE_ATTACK
! Signatures excluded from the policies above
ip audit signature 1002 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
ip audit signature 6053 disable

Any other tricks? More information on the attack:

ATTACK partial log.

Here is a sample of some logs I captured.

  51: 11:08:44.495228 183.203.151.166.1900 > 50.XXX.XXX.XXX.80:  udp 320
  52: 11:08:44.495244 27.203.166.105.1900 > 50.XXX.XXX.XXX.80:  udp 326
  53: 11:08:44.498158 111.39.184.120.1900 > 50.XXX.XXX.XXX.80:  udp 288
  54: 11:08:44.501896 98.228.91.18.1900 > 50.XXX.XXX.XXX.80:  udp 245
  55: 11:08:44.501927 221.210.161.54.1900 > 50.XXX.XXX.XXX.80:  udp 268
  56: 11:08:44.502690 81.167.61.109.1900 > 50.XXX.XXX.XXX.80:  udp 286
  57: 11:08:44.503468 96.35.27.211.1900 > 50.XXX.XXX.XXX.80:  udp 247
  58: 11:08:44.503498 111.39.184.120.1900 > 50.XXX.XXX.XXX.80:  udp 268
  59: 11:08:44.503529 76.16.192.25.1900 > 50.XXX.XXX.XXX.80:  udp 307
  60: 11:08:44.504414 46.19.66.66.1900 > 50.XXX.XXX.XXX.80:  udp 307
  61: 11:08:44.504444 76.173.58.15.1900 > 50.XXX.XXX.XXX.80:  udp 284
  62: 11:08:44.505878 2.49.240.153.1900 > 50.XXX.XXX.XXX.80:  udp 317
  63: 11:08:44.505924 60.208.123.210.1900 > 50.XXX.XXX.XXX.80:  udp 314
  64: 11:08:44.506748 70.95.161.23.1900 > 50.XXX.XXX.XXX.80:  udp 245
  65: 11:08:44.507694 121.206.190.17.1900 > 50.XXX.XXX.XXX.80:  udp 268
  66: 11:08:44.507725 111.39.184.120.1900 > 50.XXX.XXX.XXX.80:  udp 242
  67: 11:08:44.507740 121.206.190.17.1900 > 50.XXX.XXX.XXX.80:  udp 290
  68: 11:08:44.507770 192.251.249.83.1900 > 50.XXX.XXX.XXX.80:  udp 302
  69: 11:08:44.508488 58.210.95.138.1900 > 50.XXX.XXX.XXX.80:  udp 326
  70: 11:08:44.508518 58.210.95.138.1900 > 50.XXX.XXX.XXX.80:  udp 314
  71: 11:08:44.509342 71.95.40.47.1900 > 50.XXX.XXX.XXX.80:  udp 305
  72: 11:08:44.509418 121.206.190.17.1900 > 50.XXX.XXX.XXX.80:  udp 326
  73: 11:08:44.509434 70.95.161.23.1900 > 50.XXX.XXX.XXX.80:  udp 323
  74: 11:08:44.509449 71.95.40.47.1900 > 50.XXX.XXX.XXX.80:  udp 307
  75: 11:08:44.509464 81.200.247.20.1900 > 50.XXX.XXX.XXX.80:  udp 291
  76: 11:08:44.510898 59.45.34.2.1900 > 50.XXX.XXX.XXX.80:  udp 268
  77: 11:08:44.510929 84.208.252.214.1900 > 50.XXX.XXX.XXX.80:  udp 234
  78: 11:08:44.510959 76.173.58.15.1900 > 50.XXX.XXX.XXX.80:  udp 229
  79: 11:08:44.510975 46.19.66.66.1900 > 50.XXX.XXX.XXX.80:  udp 305
  80: 11:08:44.511097 186.68.236.141.1900 > 50.XXX.XXX.XXX.80:  udp 300
  81: 11:08:44.511966 74.58.171.63.1900 > 50.XXX.XXX.XXX.80:  udp 307
  82: 11:08:44.511997 111.39.184.120.1900 > 50.XXX.XXX.XXX.80:  udp 290
  83: 11:08:44.512012 123.55.81.145.1900 > 50.XXX.XXX.XXX.80:  udp 326
  84: 11:08:44.512043 1.189.11.236.1900 > 50.XXX.XXX.XXX.80:  udp 322
  85: 11:08:44.512851 110.53.148.27.1900 > 50.XXX.XXX.XXX.80:  udp 314
  86: 11:08:44.512897 110.53.148.27.1900 > 50.XXX.XXX.XXX.80:  udp 242
  87: 11:08:44.512912 221.215.155.162.1900 > 50.XXX.XXX.XXX.80:  udp 268

1 REPLY
Cisco Employee

Hi,

I think the most effective way to prevent this attack would be to block this destination UDP port at the ISP end itself, if this is recurring.

Also, on the ASA device, we can set the per-client max limit for this destination server; it should also help you with this issue.

As the destination IPs are different, SHUN might not be that effective.

For more information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html#wp1080691

Thanks and Regards,

Vibhor Amrodia
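
A worked example tying the capture in the question to the two ASA measures in the reply. It is added here and is not code from the original thread or from Cisco: it parses the posted capture lines (with two constructed lines of ordinary traffic appended), tests for the reflection signature, estimates the burst rate against the 100 Mbps downlink the poster quoted, and emits the ASA CLI for an outside ACL entry and a per-client connection cap. The ACL name OUTSIDE_IN, the class name SSDP_VICTIM, the thresholds, the 28-byte header allowance and the reading of the number after "udp" as the UDP payload length are all assumptions.

```python
# Added example: characterise a UDP reflection flood from Cisco ASA `capture`
# output and derive the two ASA counter-measures mentioned in the reply.
import re
from collections import Counter, namedtuple

# Lines 51-62 are copied from the post (victim masked there as 50.XXX.XXX.XXX);
# 88 and 89 are constructed legitimate traffic (a TCP SYN and a DNS reply).
CAPTURE = """\
  51: 11:08:44.495228 183.203.151.166.1900 > 50.XXX.XXX.XXX.80:  udp 320
  52: 11:08:44.495244 27.203.166.105.1900 > 50.XXX.XXX.XXX.80:  udp 326
  53: 11:08:44.498158 111.39.184.120.1900 > 50.XXX.XXX.XXX.80:  udp 288
  54: 11:08:44.501896 98.228.91.18.1900 > 50.XXX.XXX.XXX.80:  udp 245
  55: 11:08:44.501927 221.210.161.54.1900 > 50.XXX.XXX.XXX.80:  udp 268
  56: 11:08:44.502690 81.167.61.109.1900 > 50.XXX.XXX.XXX.80:  udp 286
  57: 11:08:44.503468 96.35.27.211.1900 > 50.XXX.XXX.XXX.80:  udp 247
  58: 11:08:44.503498 111.39.184.120.1900 > 50.XXX.XXX.XXX.80:  udp 268
  59: 11:08:44.503529 76.16.192.25.1900 > 50.XXX.XXX.XXX.80:  udp 307
  60: 11:08:44.504414 46.19.66.66.1900 > 50.XXX.XXX.XXX.80:  udp 307
  61: 11:08:44.504444 76.173.58.15.1900 > 50.XXX.XXX.XXX.80:  udp 284
  62: 11:08:44.505878 2.49.240.153.1900 > 50.XXX.XXX.XXX.80:  udp 317
  88: 11:08:44.513000 198.51.100.7.51234 > 50.XXX.XXX.XXX.80: S 1000:1000(0) win 8192
  89: 11:08:44.513500 198.51.100.53.53 > 50.XXX.XXX.XXX.49152:  udp 92
"""

IP = r"[0-9X]{1,3}(?:\.[0-9X]{1,3}){3}"  # accepts the post's masked octets
LINE_RE = re.compile(
    rf"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>{IP})\.(?P<sport>\d+)"
    rf"\s+>\s+(?P<dst>{IP})\.(?P<dport>\d+):\s+(?P<rest>.*)$")
UDP_RE = re.compile(r"udp\s+(\d+)")  # the number is taken as UDP payload length
Packet = namedtuple("Packet", "t src sport dst dport proto payload")
# Services that answer spoofed requests with replies larger than the request.
REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS", 123: "NTP", 161: "SNMP", 19: "CHARGEN"}


def parse_capture(text):
    """Turn ASA capture lines into Packets; lines that do not parse are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mnt, sec = m["ts"].split(":")
        u = UDP_RE.match(m["rest"])
        pkts.append(Packet(int(h) * 3600 + int(mnt) * 60 + float(sec),
                           m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                           "udp" if u else "other", int(u.group(1)) if u else 0))
    return pkts


def characterise(pkts, link_mbps=100.0, min_sources=10, min_share=0.8):
    """Reflection looks like many distinct real sources all sending from one
    service port to one victim socket.  uRPF cannot stop it: the source
    addresses are genuine (they belong to the reflectors)."""
    udp = [p for p in pkts if p.proto == "udp"]
    if not udp:
        return {"reflection": False, "reason": "no UDP in capture"}
    sport, hits = Counter(p.sport for p in udp).most_common(1)[0]
    flow = [p for p in udp if p.sport == sport]
    (dst, dport), _ = Counter((p.dst, p.dport) for p in flow).most_common(1)[0]
    sources = {p.src for p in flow}
    span = max(p.t for p in flow) - min(p.t for p in flow)
    # The capture prints UDP payload only: add 20 B IPv4 + 8 B UDP header per packet.
    wire_bits = 8 * sum(p.payload + 28 for p in flow)
    mbps = wire_bits / span / 1e6 if span > 0 else float("inf")
    return {
        "reflection": (sport in REFLECTOR_PORTS and hits / len(udp) >= min_share
                       and len(sources) >= min_sources),
        "service": REFLECTOR_PORTS.get(sport, "unknown"), "sport": sport,
        "dst": dst, "dport": dport, "packets": len(flow), "sources": len(sources),
        "share": hits / len(udp), "span_s": span, "mbps": mbps,
        "link_pct": 100.0 * mbps / link_mbps,
    }


def asa_mitigation(result, acl="OUTSIDE_IN"):
    """ASA CLI for the two measures in the reply: drop the reflected service port
    before it reaches the victim, and cap connections per client to the victim.
    The ACL name and SSDP_VICTIM are hypothetical names."""
    if not result.get("reflection"):
        return []
    dst, sport = result["dst"], result["sport"]
    return [
        # "line 1" puts the deny ahead of the permits already in the interface ACL
        f"access-list {acl} line 1 extended deny udp any eq {sport} host {dst}",
        f"access-list SSDP_VICTIM extended permit ip any host {dst}",
        "class-map SSDP_VICTIM",
        " match access-list SSDP_VICTIM",
        "policy-map global_policy",
        " class SSDP_VICTIM",
        "  set connection per-client-max 10",
    ]


if __name__ == "__main__":
    r = characterise(parse_capture(CAPTURE))
    print(f"{r['service']} reflection={r['reflection']}: {r['packets']} packets from "
          f"{r['sources']} sources in {r['span_s'] * 1e3:.1f} ms, ~{r['mbps']:.2f} Mbps "
          f"({r['link_pct']:.1f}% of the downlink) towards {r['dst']}:{r['dport']}")
    print("\n".join(asa_mitigation(r)))
```

Two caveats a practitioner would add. The `ip verify reverse-path` already in the poster's config does nothing against this traffic: the source addresses are the reflectors' real addresses, so they pass uRPF. And the ASA sits on the LAN side of the 100/20 link, so whatever it drops has already consumed the downlink; the ACL entry and the connection cap protect the server and the ASA's own connection table, while only the ISP-side filter the reply recommends protects the bandwidth. The capture covers a 10 ms burst, so the rate it yields is instantaneous; a capture spanning the whole 15 minutes is needed for a sustained figure to hand to the ISP.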
