How to diagnose and mitigate a simple DoS attack on an ASA 5505 running 9.1(2)
ASA5515-X# show conn detail
35 in use, 199 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
asa# show memory
asa# show cpu
asa(config)#logging enable
asa(config)#logging host inside 10.3.6.50
asa(config)#logging buffered debug
asa(config)#logging buffer-size 1000000
asa(config)#show conn
asa(config)#show conn count
asa(config)#clear conn
asa(config)#show log
TCP connection 102679 for outside:47.111.202.242/53257 to inside:10.3.6.50/80 duration 0:00:30 bytes 0 SYN Timeout
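Added example (not from the original post): a Python script that parses ASA TCP teardown lines in the format shown in the show log output above and counts "SYN Timeout" teardowns per source, so a SYN flood against the web server stands out from normal traffic. The sample log is constructed; only its first line is the one from the post.

```python
import re
from collections import Counter

# Pattern for the ASA TCP teardown line seen in 'show log' (syslog 302014).
# re.search also accepts a leading "%ASA-6-302014: Teardown" prefix.
TEARDOWN_RE = re.compile(
    r"TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardowns(log_text):
    """Return one dict per TCP teardown line; other syslog lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found

def syn_timeout_sources(log_text, threshold):
    """Count teardowns with reason 'SYN Timeout' and bytes 0 (handshake never
    completed) per source IP; return {src_ip: count} for sources at or above
    threshold. Many half-open connections from one source is the SYN-flood shape."""
    counts = Counter()
    for t in parse_teardowns(log_text):
        if t["reason"] == "SYN Timeout" and t["bytes"] == "0":
            counts[t["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: the first line is the one from the post, the rest are
# made up (RFC 5737 documentation addresses) to mix in normal traffic.
SAMPLE_LOG = "\n".join(
    ["TCP connection 102679 for outside:47.111.202.242/53257 to "
     "inside:10.3.6.50/80 duration 0:00:30 bytes 0 SYN Timeout"]
    + [f"TCP connection {102680 + i} for outside:47.111.202.242/{53258 + i} to "
       f"inside:10.3.6.50/80 duration 0:00:30 bytes 0 SYN Timeout" for i in range(6)]
    + ["TCP connection 102700 for outside:203.0.113.7/40001 to "
       "inside:10.3.6.50/80 duration 0:00:05 bytes 1834 TCP FINs",
       "TCP connection 102701 for outside:203.0.113.9/40002 to "
       "inside:10.3.6.50/80 duration 0:00:30 bytes 0 SYN Timeout",
       "%ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/40001 to "
       "10.3.6.50/80 flags RST on interface outside"]
)

if __name__ == "__main__":
    for ip, n in syn_timeout_sources(SAMPLE_LOG, 5).items():
        print(f"{ip}: {n} half-open connections timed out")
```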
How to Prevent TCP Syn-Flood Attacks
STOP SYN-FLOOD ATTACKS AFTER 5 SYN REQUESTS
Application Inspection Trouble
THE PACKET CAPTURE
Let's begin the setup by configuring an interface on the ASA which will connect directly to our
PC. We'll assign the interface a security level of 100 to ensure the firewall doesn't block any
traffic incoming from the PC.
conf t
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.0.0.1 255.255.255.252
no shut
exit
!
end
PC-1> ip 10.0.0.2/30 10.0.0.1
Checking for duplicate address...
PC1 : 10.0.0.2 255.255.255.252 gateway 10.0.0.1
capture pc-traffic interface INSIDE match ip any any
After another ICMP execution from the PC, we can check the captured traffic with the show capture command.
ciscoasa# show capture pc-traffic
6 packets captured
1: 23:23:46.920286 10.0.0.2 > 10.0.0.1 icmp: echo request
2: 23:23:46.920454 10.0.0.1 > 10.0.0.2 icmp: echo reply
3: 23:23:47.922346 10.0.0.2 > 10.0.0.1 icmp: echo request
4: 23:23:47.922452 10.0.0.1 > 10.0.0.2 icmp: echo reply
5: 23:23:48.923826 10.0.0.2 > 10.0.0.1 icmp: echo request
6: 23:23:48.924039 10.0.0.1 > 10.0.0.2 icmp: echo reply
6 packets
ciscoasa# show capture pc-traffic packet-number 3 detail
ciscoasa# show capture pc-traffic packet-number 3 dump
ciscoasa# show capture
capture pc-traffic type raw-data interface INSIDE [Capturing - 456 bytes]
  match ip any any
Let's now halt our running capture - it's important to carry out this step at the end of each session to conserve system resources.
no capture pc-traffic interface INSIDE
HOW TO USE CAPTURE FILTERS
capture pc-traffic-ssh interface INSIDE match tcp any any eq 22
HOW TO SAVE A PACKET CAPTURE
Simply set up a TFTP/SCP server or plug in a USB and move the captured file using the standard Cisco copy command. We'll show an example below for a TFTP server.
copy /pcap capture:pc-traffic-ssh tftp://<server-ip-address>
HOW TO FILTER A PACKET CAPTURE
capture pc-traffic interface INSIDE match ip any any
asa# show cap pc-traffic | grep 7
HOW service-policy inspect protocols
When we change the port to eq 2000, a packet with port 80 still passes and shows up as packet number 4 with the P (Push) flag.