Community Member

Deny inbound UDP flood

We are receiving thousands of "Deny inbound UDP from x.x.x.x/53 to x.x.x.x/2713 due to DNS Response" per minute on our ASA 5510. All of the responses are destined to a single one of our external IPs. This is overloading our ASA and preventing traffic from getting out to the Internet during these attacks. Anyone have any suggestions as to what we can do to mitigate this problem? Thanks

3 REPLIES

Hi William,

if the traffic is hitting your ASA then there is nothing you can do at that location. Do you have a router which you administer upstream of it? If so, look at using CAR:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-122-mainline/12764-car-rate-limit-icmp.html

Failing that, your ISP should be able to assist by either configuring rate limiting for your external address or blocking the UDP traffic to it.

cheers,

Seb.

Community Member

The Cisco TAC engineer we spoke to recommended we allow any any UDP port 53 inbound to correct the problem. I don't see how allowing UDP port 53 traffic into our network would solve the problem, but it will stop the deny messages. Does this sound like a good idea?

If this really is an attack then allowing the traffic into your network is not the correct action!

How is the problem manifesting itself? If the outbound link is being saturated with traffic then talk to your ISP.

If you think the volume of syslog messages on your ASA is causing a performance problem, then you can configure the message ID to appear at a higher syslog level so that it does not appear at your current logging level. Obviously this would be in effect for all messages of this type so you may not be aware of similar attacks taking place.

Talk to your ISP :)

cheers,

Seb.
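Seb's point that raising the severity of the deny message hides similar attacks can be softened by watching the exported syslog instead of silencing it on the ASA. The script below is an added example, not from the thread or from Cisco: it parses the "Deny inbound UDP ... due to DNS Response" lines the poster quotes and flags any external address that receives more denied DNS responses per minute than a threshold. The `%ASA-2-106007` prefix is the standard ASA ID for that message; the hostnames, timestamps and addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Matches the deny message quoted in the thread. The 106007 message ID is the
# standard ASA ID for "Deny inbound UDP ... due to DNS Response|Query"; the
# timestamp format assumes "logging timestamp" is enabled on the ASA.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?%ASA-2-106007: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"due to DNS (?P<kind>Response|Query)"
)

def parse_deny(line):
    """Return the fields of a 106007 line as a dict, or None for any other line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def flood_targets(lines, per_minute_threshold):
    """Map (dst, minute) -> (denied responses, distinct sources) for every
    minute in which one destination exceeded the threshold. A high count from
    many /53 sources to one external IP is the reflected-flood pattern the
    original post describes."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if not rec or rec["kind"] != "Response":
            continue  # queries and unrelated messages are not part of the flood
        minute = rec["ts"][:-3]  # strip seconds to bucket per minute
        key = (rec["dst"], minute)
        counts[key] += 1
        sources[key].add(rec["src"])
    return {k: (n, len(sources[k])) for k, n in counts.items() if n > per_minute_threshold}

# Constructed sample log: five denied responses to one external IP in one minute
# (from three sources), one query, one stray response a minute later, and one
# unrelated NAT message that must be ignored.
SAMPLE_LOG = """\
Jan 10 12:00:01 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.5/53 to 198.51.100.7/2713 due to DNS Response
Jan 10 12:00:01 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.9/53 to 198.51.100.7/2713 due to DNS Response
Jan 10 12:00:02 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.5/53 to 198.51.100.7/2713 due to DNS Response
Jan 10 12:00:02 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.44/53 to 198.51.100.7/2713 due to DNS Response
Jan 10 12:00:03 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.5/53 to 198.51.100.7/2713 due to DNS Response
Jan 10 12:00:03 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.5/53 to 198.51.100.7/2713 due to DNS Query
Jan 10 12:01:10 asa-edge %ASA-2-106007: Deny inbound UDP from 203.0.113.5/53 to 198.51.100.7/2713 due to DNS Response
Jan 10 12:00:05 asa-edge %ASA-6-305011: Built dynamic UDP translation from inside:10.0.0.8/5353 to outside:198.51.100.7/5353
"""

if __name__ == "__main__":
    for (dst, minute), (n, srcs) in flood_targets(SAMPLE_LOG.splitlines(), 3).items():
        print(f"{minute}: {n} denied DNS responses to {dst} from {srcs} sources")
```

In production the threshold would be set well above the poster's baseline and the input would be the syslog export rather than the inline sample.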
