PaulDotCom mailing list archives

DDOS


From: Russell.Butturini at Healthways.com (Butturini, Russell)
Date: Wed, 21 Apr 2010 09:29:41 -0500

Sure, if you tweak and configure them right.  You can really do a lot to protect the CPU of your firewall with modular 
policy framework and embryonic connection limits on the ASA.  TCP intercept and SYN cookies are old school though.  The 
technologies available through modular policy framework and others on the ASA and 12.4 IOS train now are SOOOOOO much 
better.  Do you have control of the perimeter router? You can always use policy based routing to the null interface, 
modular QoS, and other features to protect the firewall as well if you do.  I can help more specifically with your 
setup off list if you like.  I have TONS of ASAs and other Cisco gear I manage.

As far as a solution off the firewall, The Cisco Anomaly Guard is AWESOME for this kind of thing but it's big $$$$, as 
I think most products in this space are.  You're better off to try your software based controls first.


________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Geoff 
Shukin
Sent: Wednesday, April 21, 2010 9:06 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] DDOS

It is a Cisco ASA.  I am aware of the settings on these firewalls but do they really solve the issue?  I was thinking 
that protecting the firewall (ASA or others) from a DDoS would really be something that should happen upstream and/or 
downstream from the firewall itself.  TCP Intercept/SYN Cookies do not protect the firewall, it's a feature for 
protecting a device from being flooded by embryonic connections.  The firewall brokers the connection on behalf of the 
device that a session is attempting to be established with.  Once the 3-way-handshake completes, the firewall then 
stitches the session together between the initiator/receiver and data is then allowed to pass.  If the 3-way-handshake 
fails to complete within N-time, then the session is dropped.  Good for preventing SYN floods from the end devices but 
bad for the overall firewall health?

I was interested in learning more about what others are doing along the lines of hardening, etc.  I try to always 
ensure that the firewall is configured to allow SSH access to only known trusted sources, restrict what log messages 
are sent to the syslog server, restrict SNMP to trusted NMS devices, limit use of the "application layer protocol 
inspection" to business required deep-packet-inspection engines and of course the impact of the app-inspection would be 
dependent on the traffic profile of the DDOS.  There is only so much that can be done on other devices 
upstream/downstream that can "enforce policies by filtering" and only allow X-traffic either *to* or *through* the 
firewall.  Yet someone with enough resources seems to be able to effectively kill the firewall and disable the services 
behind it.

Are there other mitigation mechanisms that I should be exploring both on the firewall or perhaps on the screening 
routers or am I really looking for another appliance that sits inline upstream from the firewall?

Thanks

Geoff
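A constructed Cisco ASA configuration fragment, added here as an illustration and not taken from any list member's setup, that puts the two points in this exchange side by side: the Modular Policy Framework embryonic-connection limits Russell refers to, and the management-plane restrictions (SSH, SNMP, syslog) Geoff lists. Object and class names, the `management` interface name, the documentation-range addresses, the numeric limits and the suppressed syslog message IDs are all assumptions chosen for the example; they are not values from the thread.

```cisco
! Constructed ASA 8.x example. Addresses are from documentation ranges
! (203.0.113.0/24, 192.0.2.0/24); limits are illustrative, tune to your traffic.
!
! 1. Identify the public web servers sitting behind the firewall.
object-group network WEB-SERVERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
access-list WEB-SERVERS-ACL extended permit tcp any object-group WEB-SERVERS eq www
access-list WEB-SERVERS-ACL extended permit tcp any object-group WEB-SERVERS eq https
!
! 2. Classify that traffic in the Modular Policy Framework.
class-map WEB-SERVERS-CLASS
 match access-list WEB-SERVERS-ACL
!
! 3. Cap half-open (embryonic) connections for the class. Once the embryonic
!    limit is reached the ASA completes the 3-way handshake on the server's
!    behalf (TCP intercept) rather than forwarding raw SYNs; the per-client
!    limits stop a single source from consuming the whole budget. The
!    embryonic timeout bounds how long a half-open entry is kept.
policy-map global_policy
 class WEB-SERVERS-CLASS
  set connection conn-max 20000 embryonic-conn-max 2000
  set connection per-client-max 200 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:30
service-policy global_policy global
!
! 4. Management plane: SSH only from the admin subnet on the management
!    interface, SNMP polling only to the NMS, and drop the per-connection
!    "built/teardown" syslog messages so a flood does not also saturate the
!    logging path. Replace the community string before use.
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 10
snmp-server host management 192.0.2.50 community COMMUNITY-PLACEHOLDER version 2c
no logging message 302013
no logging message 302014
logging host management 192.0.2.60
logging trap warnings
```

Two caveats worth keeping in mind when adapting this: embryonic limits protect the servers and the connection table, but the ASA still has to receive and classify every packet, so a flood large enough to exhaust the interface or CPU is the upstream problem Geoff describes, and the fragment does nothing for ICMP or UDP floods, which need separate policing on the ASA or on the screening router.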


On Wed, Apr 21, 2010 at 6:20 AM, Butturini, Russell <Russell.Butturini at healthways.com> wrote:
What kind of firewall is it? Many vendors have controls such as embryonic connection limits and some QoS policing that 
can prevent this sort of thing.  We have a web presence of around 350 sites and using these techniques has mitigated 
most of our issues.

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Geoff 
Shukin
Sent: Tuesday, April 20, 2010 4:37 PM
To: Pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] DDOS

Hi!

I am curious to know what folks are doing to combat the issue of DDOS attacks.  I have heard about solutions from Arbor 
and TopLayer but wonder if they are effective.  Are there any other suggestions out there in PaulDotCom land?

We have seen DDOS attacks against one of our websites (using a combination of ICMP, TCP SYN and UDP flood attacks). 
Firewall stops the attacks in that the web servers are ok but the firewall falls over with 100% CPU.

Thanks

Geoff
