Cisco Support Community
New Member

DDOS attacks?

Hello security people, help me find an answer to my security question.

Here is the problem: I have a Cisco 6506 with 48 gigabit interfaces, 9 SFPs, and one firewall module. One SFP interface is connected to the ISP, and the Gigabit Ethernet interfaces to small offices. There is some virus on some computer that blocks my bandwidth from the ISP. I checked with "sh int gig x/y" that upload is 90 Mb/s. Wow!!! Then I decided to implement MQC-based policing on the gig x/y interface. After some minutes there was another attack that not only locked my bandwidth but also killed my Cisco 6506. It was terrible... After 10-15 minutes the attack stopped. I checked policing with "sh policy-map int gigx/y" and saw that the Cisco had dropped 8 GB. Hey people, help me find a solution. Any suggestions? Is there any black-list to block the attacker's IP address automatically?

6 REPLIES

Re: DDOS attacks?

Here are some suggestions:

1) If you have an FWSM, use the www.fireplotter.com trial version to profile the traffic; then you can use the clear local-host command to clear the sessions from the firewall.

2) Use Netflow

http://www.securityfocus.com/infocus/1796

3) Try to update your systems with updated anti-virus defs, and 'detect' the worm-name exactly. Google the remediation procedure for that worm and start your work....

4) Temporarily make your firewall policy HTTP + necessary ports only (if it was not permit any any before).

Regards

Farrukh

New Member

Re: DDOS attacks?

Hm... I found that virus; there were 5 infected computers. But it is possible the systems can get infected again and again, because I do not have any access to the user computers.

Can the firewall block those attacks itself? Is there any feature like a black-list?

Re: DDOS attacks?

Well, you can implement the black-list (if you know the rogue IPs) using a simple access-list.

Regards

Farrukh

New Member

Re: DDOS attacks?

I know that, man. I am asking about automatic black-lists.

Re: DDOS attacks?

No, there is no such thing on the ASA to my knowledge. Maybe on the CSC module for anti-spam etc., but not on the ASA itself.

Regards

Farrukh

New Member

Re: DDOS attacks?

You could configure threat detection and have the ASA automatically shun the IP based on thresholds...
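
An added example, not code from any poster in this thread: one way to automate the black-list asked about above by combining the NetFlow and access-list suggestions, flagging inside hosts whose upload rate exceeds a limit and emitting IOS ACL lines for them. The flow records, address range, exempt host, threshold and ACL name are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of one 60-second flow export: (source, destination, bytes)
FLOWS = [
    ("10.1.1.20", "198.51.100.7", 450_000_000),
    ("10.1.1.20", "203.0.113.9", 300_000_000),
    ("10.1.2.31", "198.51.100.7", 2_000_000),
    ("10.1.3.44", "192.0.2.80", 700_000_000),
    ("10.1.1.1", "192.0.2.80", 900_000_000),   # exempt gateway, see EXEMPT
    ("192.0.2.80", "10.1.2.31", 50_000_000),   # inbound flow, ignored
]

INSIDE = ip_network("10.1.0.0/16")       # assumed office address space
EXEMPT = {ip_address("10.1.1.1")}        # assumed hosts that must never be blocked
THRESHOLD_BPS = 50_000_000               # assumed per-host upload limit


def upload_rates(flows, window_s):
    """Sum bytes per inside source and convert to bits per second."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        if ip_address(src) in INSIDE:
            totals[src] += nbytes
    return {src: total * 8 / window_s for src, total in totals.items()}


def offenders(flows, window_s=60, threshold_bps=THRESHOLD_BPS):
    """Inside hosts above the threshold, minus the exempt set, sorted by address."""
    rates = upload_rates(flows, window_s)
    hits = [src for src, bps in rates.items()
            if bps > threshold_bps and ip_address(src) not in EXEMPT]
    return sorted(hits, key=ip_address)


def acl_lines(hosts, name="BLOCK-INFECTED"):
    """Render an IOS extended ACL that denies the listed hosts and permits the rest."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {h} any" for h in hosts]
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines(offenders(FLOWS))))
```

The exempt set and a manual review of the generated lines before applying them keep a threshold mistake from cutting off a gateway or server.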
