PaulDotCom mailing list archives
DDOS
From: Russell.Butturini at Healthways.com (Butturini, Russell)
Date: Wed, 21 Apr 2010 09:29:41 -0500
Sure, if you tweak and configure them right. You can really do a lot to protect the CPU of your firewall with modular policy framework and embryonic connection limits on the ASA. TCP intercept and SYN cookies are old school though. The technologies available through modular policy framework and others on the ASA and 12.4 IOS train now are SOOOOOO much better.

Do you have control of the perimeter router? You can always use policy based routing to the null interface, modular QoS, and other features to protect the firewall as well if you do. I can help more specifically with your setup off list if you like. I have TONS of ASAs and other Cisco gear I manage.

As far as a solution off the firewall, the Cisco Anomaly Guard is AWESOME for this kind of thing but it's big $$$$, as I think most products in this space are. You're better off to try your software based controls first.

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Geoff Shukin
Sent: Wednesday, April 21, 2010 9:06 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] DDOS

It is a Cisco ASA. I am aware of the settings on these firewalls but do they really solve the issue? I was thinking that protecting the firewall (ASA or others) from a DDoS would really be something that should happen upstream and/or downstream from the firewall itself.

"TCP Intercept/SYN Cookies" do not protect the firewall; it's a feature for protecting a device from being flooded by embryonic connections. The firewall brokers the connection on behalf of the device that a session is attempting to be established with. Once the 3-way handshake completes, the firewall then stitches the session together between the initiator/receiver and data is then allowed to pass. If the 3-way handshake fails to complete within N time, then the session is dropped. Good for preventing SYN floods from the end devices but bad for the overall firewall health?

I was interested in learning more about what others are doing along the lines of hardening, etc. I try to always ensure that the firewall is configured to allow SSH access to only known trusted sources, restrict what log messages are sent to the syslog server, restrict SNMP to trusted NMS devices, limit use of the "application layer protocol inspection" to business required deep-packet-inspection engines, and of course the impact of the app-inspection would be dependent on the traffic profile of the DDOS.

There is only so much that can be done on other devices upstream/downstream that can "enforce policies by filtering" and only allow X-traffic either *to* or *through* the firewall. Yet someone with enough resources seems to be able to effectively kill the firewall and disable the services behind it. Are there other mitigation mechanisms that I should be exploring both on the firewall or perhaps on the screening routers, or am I really looking for another appliance that sits inline upstream from the firewall?

Thanks
Geoff

On Wed, Apr 21, 2010 at 6:20 AM, Butturini, Russell <Russell.Butturini at healthways.com> wrote:

What kind of firewall is it? Many vendors have controls such as embryonic connection limits and some QoS policing that can prevent this sort of thing. We have a web presence of around 350 sites and using these techniques has mitigated most of our issues.

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Geoff Shukin
Sent: Tuesday, April 20, 2010 4:37 PM
To: Pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] DDOS

Hi!

I am curious to know what folks are doing to combat the issue of DDOS attacks. I have heard about solutions from Arbor and TopLayer but wonder if they are effective. Are there any other suggestions out there in PaulDotCom land? We have seen DDOS attacks against one of our websites (using a combination of ICMP, TCP SYN and UDP flood attacks). Firewall stops the attacks in that the web servers are ok but the firewall falls over with 100% CPU.

Thanks
Geoff

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
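As an added illustration of the Modular Policy Framework embryonic connection limits Russell refers to (this is constructed example configuration, not anything posted in the thread; the ACL, class and policy names, the server address 192.0.2.10 and the interface name "outside" are assumed), an ASA policy that caps half-open connections to a web server, caps them per source, and shortens the embryonic timeout so the firewall stops tracking unfinished handshakes sooner:

```cisco
! Constructed example: one web server behind the ASA (address assumed)
access-list WEB-INBOUND extended permit tcp any host 192.0.2.10 eq www
access-list WEB-INBOUND extended permit tcp any host 192.0.2.10 eq https
!
! Match only the traffic we want to budget, so the limits do not
! accidentally throttle unrelated flows through the same interface.
class-map WEB-CONN-CLASS
 match access-list WEB-INBOUND
!
policy-map OUTSIDE-POLICY
 class WEB-CONN-CLASS
  ! Total and half-open (embryonic) connections the ASA will track for
  ! this server. Once embryonic-conn-max is reached the ASA starts
  ! proxying the 3-way handshake (TCP intercept) instead of passing
  ! raw SYNs to the server.
  set connection conn-max 10000 embryonic-conn-max 2000
  ! Per-source caps so a single address cannot consume the whole budget.
  set connection per-client-max 100 per-client-embryonic-max 20
  ! Drop half-open sessions that never complete the handshake quickly.
  set connection timeout embryonic 0:00:30
!
! Apply on the interface facing the Internet (name assumed).
service-policy OUTSIDE-POLICY interface outside
```

`show service-policy interface outside` then reports current and embryonic connection counts per class, which is the number to watch when judging whether the limits are being hit during an event.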