
Port 53 DOS on 5505

mmedwid
Level 3

A friend has an ASA 5505 that is getting DOS'd primarily from a couple of IPs at port 53. The effect appears to be that the 5505 rebooted itself. For the short term I told him to turn off the logging for that rule, thinking that perhaps the massive amount of logging for all that deny activity is what caused the reboot. And I suggested putting in specific deny rules for the attacking IPs with no logging. Are there other actions that would help deal with this kind of attack? Thanks.

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello,

Tell your friend that you could configure some DDOS prevention actions on the firewall via the Modular Policy Framework (timeouts, maximum number of connections to a host or per host, etc.), but the real deal will be to go to the ISP and let them know what is going on... You want them to block that traffic at their circuit...

Why is that?

Because even if you block that traffic on your ASA, it has already taken bandwidth that real and legitimate traffic might want to use. Do you see the real problem here?

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
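
A sketch of the firewall-side measures mentioned in this thread (per-source deny entries with logging disabled, plus Modular Policy Framework connection limits and timeouts), added here as an example and not written by either poster. All addresses, object names and limit values are constructed placeholders, and it assumes a DNS server at 192.0.2.53 is published through the outside interface, where an ACL named outside_access_in is already applied.

```cisco
! Constructed example. Placeholders (assumptions, not from the thread):
!   198.51.100.10, 203.0.113.20  offending source IPs
!   192.0.2.53                   DNS server reachable through "outside"
!   outside_access_in            ACL already bound with access-group
!   DNS-LIMIT-ACL / DNS-LIMIT-CLASS / OUTSIDE-POLICY  illustrative names

! 1. Drop the known offenders at the top of the interface ACL.
!    "log disable" stops per-hit syslog generation for these entries.
access-list outside_access_in line 1 extended deny udp host 198.51.100.10 any eq domain log disable
access-list outside_access_in line 2 extended deny udp host 203.0.113.20 any eq domain log disable

! 2. Select the DNS traffic that is still permitted to the server.
!    MPF limits only affect flows the ACL lets through; denied packets
!    never create a connection entry.
access-list DNS-LIMIT-ACL extended permit udp any host 192.0.2.53 eq domain
access-list DNS-LIMIT-ACL extended permit tcp any host 192.0.2.53 eq domain

class-map DNS-LIMIT-CLASS
 match access-list DNS-LIMIT-ACL

! 3. Cap total and per-client connections and shorten the idle timeout.
!    Embryonic limits apply to TCP only; conn-max and per-client-max
!    apply to both TCP and UDP. Tune the numbers to normal query volume.
policy-map OUTSIDE-POLICY
 class DNS-LIMIT-CLASS
  set connection conn-max 500 per-client-max 20
  set connection embryonic-conn-max 100 per-client-embryonic-max 10
  set connection timeout idle 0:00:30

! 4. Attach the policy to the outside interface.
service-policy OUTSIDE-POLICY interface outside
```

`show service-policy interface outside` reports the current connection count and drops for the class, which shows whether the limits are being hit. None of this recovers bandwidth already consumed on the uplink, which is why the upstream block at the ISP remains the primary fix.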


Thanks much Julio!
