I am currently getting DoS/DDoS on my ASA 5520; the attacker is hitting IPs that are not even open on any port. The attack is filling up the queues on the firewall, which is at 99% CPU during the attack. Here's the NetFlow info that I was able to get from my ISP (since I don't have a router to do that).
Any help or suggestions are welcome:
ip-source-address*  ip-destination-address*  flows  octets      packets
0.0.0.0             69.x.x0.183              199    2211668224  48079744
0.0.0.0             74.x.x.168               58     562048      7936
0.0.0.0             74.x.x.221               48     447360      6400
0.0.0.0             74.x.x.244               10     197120      1280
0.0.0.0             69.x.x.186               5      189056      640
ip-source-address*  ip-destination-address*  flows  octets  packets  duration
126.96.36.199       74.x.x.82                1      7168    128      8000
188.8.131.52        74.x.x.82                1      7168    128      8832
184.108.40.206      74.x.x.82                1      7168    128      0
220.127.116.11      74.x.x.82                1      7168    128      64
18.104.22.168       74.x.x.82                1      7168    128      4160
22.214.171.124      74.x.x.82                1      7168    128      0
126.96.36.199       74.x.x.82                1      7168    128      0
188.8.131.52        74.x.x.82                1      7168    128      0
184.108.40.206      74.x.x.82                1      7168    128      0
220.127.116.11      74.x.x.82                1      6912    128      448
18.104.22.168       74.x.x.82                1      5888    128      0
22.214.171.124      74.x.x.82                1      5888    128      0
Check if the links below help resolve the issue...
Thanks MV, I have tried that; in fact the IP that is under attack is not even open in the firewall access list. It's just the amount of traffic that is overwhelming my 5520 right now, which starts to tail-drop packets it's unable to process.
This is interesting. I believe, unless a flow/connection is open through which the hacker is able to reach the resources, it is hard to push ASA processes to 99%. I have no doubt about your findings, but are you sure this is what is causing your ASA CPU to go to 99%? You may need to look into an IPS solution or reach out to the provider of the IPs (that you observed in the logs) and report abuse. Let's see if the experts/Cisco gurus suggest any other solution.
I totally agree with mvsheik123. Do you have a lengthy outside ACL? I would say check what process is consuming the CPU, and based on that we will see what can be done!
Yes, I was as surprised as you guys are. I am running 8.2(0) and have 36 lines in the access list on the outside interface.
Yesterday when I got slammed on the domain it was from all over the world; I signed up for an expensive DDoS protection service and survived. Today the guy/guys just used a source IP of 0.0.0.0 and attacked the next possible IP in my range, which is not open on any port in my firewall. It filled up the interface queue on the FW and everything else started to tail-drop. He is using multiple flows of big packets, with 128 packets per IP.
I asked my ISP to block 0.0.0.0/32 but they were scared to do that, fearing it would do something to their default route, etc. Anyway, I managed to null-route my own IPs to survive for right now, till the attacker changes the IP again.
I am working on some other non-technical means to avoid this person, but was wondering how you guys safeguard against these issues. I mean I would most likely redesign the datacenter if needed, with better equipment like Cisco Guard, etc., if that is the industry norm.
Thanks for all your help.
Your ISP can safely deny any requests originating with source 0.0.0.0 to your subnet on their router interface pointing to your handoff/infra. I don't see any issue with that. In case the ISP does not want to make any changes, IPS may be your option. You can also try basic security configs on the ASA: 8.0 has the 'ip verify reverse-path interface' & ip audit (basic IPS) options available. Once again, the traffic still needs to hit the ASA for inspection. As I mentioned in my first reply, let's see if any experts shed some light on this kind of scenario. Hopefully, we learn some good security practices that we are not aware of.
Remember, the packets still need to be processed in the session management, even if they're denied. In this case, the number of ACL lookups that the firewall has to perform is causing the CPU to spike. There's little you can do on the ASA in this scenario since the source IPs are spoofed. As mentioned above, your ISP should be able to do something about routing packets with a 0.0.0.0 source address (which I would imagine they should already be doing), if that is the only source.
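Since the ISP's NetFlow export above is the poster's only visibility into the attack, here is an added example (not from this thread or from Cisco) that parses flow lines in that same layout, flags flows whose source address can never legitimately arrive from the Internet (0.0.0.0/8 as in this attack, extended to the other bogon ranges), and ranks destinations by packet count. The sample flows are constructed, with the masked x's replaced by fixed digits.

```python
# Added example: triage a NetFlow summary like the one posted in the thread.
import ipaddress
from collections import defaultdict

# Sources that should never arrive from the Internet: RFC 1122 "this network"
# (the 0.0.0.0 used in this attack), RFC 1918 private space, loopback,
# RFC 5737 documentation ranges and multicast/reserved. Safe for the upstream
# to drop on the customer-facing interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "192.0.2.0/24", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
)]

# Constructed sample in the same column order as the ISP export above.
SAMPLE_FLOWS = """\
ip-source-address* ip-destination-address* flows octets packets
0.0.0.0 69.1.10.183 199 2211668224 48079744
0.0.0.0 74.2.3.168 58 562048 7936
0.0.0.0 74.2.3.221 48 447360 6400
126.96.36.199 74.2.3.82 1 7168 128
"""

def parse_flows(text):
    """Return (src, dst, flows, octets, packets) tuples; header lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("ip-"):
            continue  # blank line or column header
        src = ipaddress.ip_address(fields[0])
        dst = ipaddress.ip_address(fields[1])
        flows, octets, packets = (int(f) for f in fields[2:5])
        records.append((src, dst, flows, octets, packets))
    return records

def is_bogon_source(addr):
    """True if the source address falls in a range that cannot be routed to us."""
    return any(addr in net for net in BOGON_SOURCES)

def triage(records):
    """Packets per destination plus the share coming from unroutable sources."""
    per_dst = defaultdict(int)
    bogon_packets = 0
    for src, dst, _flows, _octets, packets in records:
        per_dst[str(dst)] += packets
        if is_bogon_source(src):
            bogon_packets += packets
    worst_dst = max(per_dst, key=per_dst.get)
    return {"worst_dst": worst_dst, "worst_packets": per_dst[worst_dst],
            "bogon_packets": bogon_packets, "total_packets": sum(per_dst.values())}
```

A high bogon_packets share is the evidence to hand the ISP when asking for an ingress filter on their side, since, as noted above, the ASA still spends CPU on every denied packet.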
Thank you Mv & Patrick,
I was able to convince the ISP to block 0.0.0.0/32 and got DDoS protection for the time being. But I was wondering if any of you have used the Cisco Guard (or even the Guard card in chassis-based devices like the 6509, etc.).
I have to build a new network for a small startup and they can't afford to be taken down by their competitors using botnet traffic, etc. Any suggestions are welcome.