Thanks for your reply Ryan
My test was on an ASA 5520... but my goal is not to compare firewalls here
My question was more on how to secure the network globally so that
- either the firewall can react to the attack (for example shutting the link
to the attacker so the other zones are not impacted)
- or secure the network elsewhere in order to avoid these simple attacks
having an impact on the network (what is the best method/design?)
Hope this is clear enough
thanks
Gilles
> Message of 30/08/12 at 17:01
> From: "Ryan West"
> To: "Gilles Fabre" , "Cisco certification"
> Cc:
> Subject: RE: UDP Flooding Security on Cisco ASA
>
> On Thu, Aug 30, 2012 at 10:54:55, Gilles Fabre wrote:
> > Subject: UDP Flooding Security on Cisco ASA
> >
> > Hi all
> >
> > I am more a Routing&Switching than Security guy (note there is not
> > any CCIE# below my name...) so I would appreciate your opinions on a
> > security topic.
> >
> > I used a simple Linux laptop to test UDP flooding destined to an ASA
> > firewall IP address:
> > I used the command "hping3 --flood --data 2 --udp " to flood with
> > 2-byte UDP packets to the FW. After doing that, my FW CPU was close to
> > 100% & packets began to be dropped between hosts on other interfaces.
> >
> > I tried to find how to change the configuration to prevent this & tried
> > configuring "set connection", "ip audit" or "threat-detection" based
> > commands but without success.
> >
> >
> > I tried the same on a Juniper SSG140 device today & I see it can
> > detect this kind of attack
> >
> > SSG140-> get counter screen zone DMZ
> > Screen counter on zone DMZ
> > ICMP flood protection                          0
> > UDP flood protection                     7746144
> >
> > however, packet processing is impacted as well.
> >
> >
>
> Did you run a 'show asp drop'? You can also do captures on the asp drop to
> get more detail. As far as the two platforms go, are you comparing apples to
> apples? The SSG140 is about par with 5540 based on specs.
>
> -ryan
>
Received on Fri Aug 31 2012 - 09:33:52 ART
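Ryan's suggestion above is to look at `show asp drop` while the flood is running, because the per-reason drop counters tell you whether the box is dropping the flood itself (packets addressed to the firewall's own interface IP are handled by the control plane, which is why the CPU climbs) or is starving transit traffic on the other interfaces. A single snapshot is hard to read because the counters accumulate since the last clear, so the added example below (written for this thread, not code from the original posts or from Cisco) takes two snapshots a known number of seconds apart and reports the reasons whose drop rate spiked. The two snapshots are constructed sample text that follows the general `<description> (<reason-code>) <count>` layout of the command's output; the reason codes and counts are illustrative, not captured from a real device.

```python
"""Spot a drop-counter spike between two `show asp drop` snapshots.

Added example for the thread above; not code from the original posts.
The snapshots below are CONSTRUCTED sample text following the general
layout of the ASA command's output. Reason codes and counts are
illustrative placeholders, not real captured values.
"""
import re
from typing import Dict, List, Tuple

# One counter line: free-text description, reason code in parentheses, count.
_LINE_RE = re.compile(r"^\s*(.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")

# Constructed snapshot taken before the flood started.
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     1200
  Punt rate limit exceeded (punt-rate-limit)                          3
  Invalid UDP Length (invalid-udp-length)                             0
Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                  10
"""

# Constructed snapshot taken 60 seconds later, during the flood.
SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     1260
  Punt rate limit exceeded (punt-rate-limit)                     518403
  Invalid UDP Length (invalid-udp-length)                             0
Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                  12
"""


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {reason-code: count} for every counter line in the output.

    Section headers ("Frame drop:") and the "Last clearing" line carry no
    parenthesised reason code, so the regex skips them automatically.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            counters[m.group("code")] = int(m.group("count"))
    return counters


def drop_rates(before: Dict[str, int], after: Dict[str, int],
               seconds: float) -> Dict[str, float]:
    """Per-second growth of each counter between the two snapshots.

    A code missing from the first snapshot counts as 0. If a counter went
    down, the counters were cleared in between, so the new absolute value
    is the best available delta.
    """
    rates: Dict[str, float] = {}
    for code, now in after.items():
        prev = before.get(code, 0)
        delta = now - prev if now >= prev else now
        rates[code] = delta / seconds
    return rates


def flag_spikes(rates: Dict[str, float],
                threshold_pps: float) -> List[Tuple[str, float]]:
    """Reason codes dropping faster than threshold_pps, fastest first."""
    hits = [(code, pps) for code, pps in rates.items() if pps > threshold_pps]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    before = parse_asp_drop(SNAPSHOT_BEFORE)
    after = parse_asp_drop(SNAPSHOT_AFTER)
    # 60 s between snapshots; anything over 100 drops/s is worth a look.
    for code, pps in flag_spikes(drop_rates(before, after, 60.0), 100.0):
        print(f"{code}: {pps:.0f} drops/s")
```

Run against the constructed snapshots it reports only the punt-related reason, which is the pattern you would expect when the flood targets the firewall's own address rather than a host behind it; the ordinary `acl-drop` growth stays under the threshold. The same diff-and-rate approach works for any counter the box exposes, and the reason code that tops the list is the one to feed into an `asp-drop` capture for packet-level detail.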