Hi all
I am more a Routing&Switching than Security guy (note there is not any CCIE#
below my name...) so I would appreciate your opinions on a security topic.
I used a simple Linux laptop to test UDP flooding destined to an ASA firewall
IP address:
I used the command "hping3 --flood --data 2 --udp " to flood the FW with 2-byte
UDP packets.
After doing that, my FW CPU was close to 100% & packets began to be dropped
between hosts on other interfaces.
I tried to find how to change the configuration to prevent this & tried
configuring "set connection", "ip audit" or "threat-detection" based commands,
but without success.
I tried the same on a Juniper SSG140 device today & I see it can detect this
kind of attack:
SSG140-> get counter screen zone DMZ
Screen counter on zone DMZ
ICMP flood protection                                          0
UDP flood protection                                     7746144
However, packet processing is impacted as well.
I asked the TAC & they said that the ASA, being a security device, needs to
analyse every packet, which makes it run over CPU.
They advise putting a router in the middle to prevent this behaviour.
I guess layer-2 protection (using storm control) could be another answer.
Would you have any other idea/experience/explanation/comments/clue for it?

Thanks in advance !
Best regards,
Gilles.
Received on Thu Aug 30 2012 - 16:54:55 ART
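The SSG "UDP flood protection" counter above is a per-window rate check: packets toward a destination beyond a configured threshold are counted (and, on the device, dropped). As an added example, not from the original post or from either vendor, here is that logic over a constructed packet trace, so you can see why a small-packet flood trips a rate screen while an appliance that inspects every packet still burns CPU on each one. Addresses, the 100 pkt/s threshold and the packet tuple layout are all assumptions for illustration.

```python
"""Per-destination UDP packets-per-second screen, modelled on a "UDP flood
protection" counter. Added example with constructed data; threshold, addresses
and the (timestamp, src, dst, proto) record layout are assumptions."""
from collections import Counter, defaultdict

UDP_PROTO = 17


def udp_flood_counters(packets, threshold_pps, window=1.0):
    """Count "flood" packets per destination.

    packets:       iterable of (timestamp_seconds, src_ip, dst_ip, ip_proto)
    threshold_pps: UDP packets per window allowed toward one destination
                   before the excess is counted as a flood (hypothetical value)
    Returns {dst_ip: excess_packet_count}. A screen would drop the excess;
    here it is only counted, which is what the SSG counter reports.
    """
    per_bucket = Counter()
    for ts, _src, dst, proto in packets:
        if proto != UDP_PROTO:          # the screen only looks at UDP
            continue
        bucket = int(ts // window)      # fixed 1-second window
        per_bucket[(dst, bucket)] += 1

    flood = defaultdict(int)
    for (dst, _bucket), n in per_bucket.items():
        if n > threshold_pps:
            flood[dst] += n - threshold_pps
    return dict(flood)


def make_sample_packets():
    """Constructed trace (RFC 5737 documentation addresses, not real hosts):
    a quiet host, a burst of 1000 small UDP packets in one second toward a
    second host, and a few TCP packets that the UDP screen must ignore."""
    pkts = []
    # background: 5 UDP pkt/s toward 192.0.2.10 for three seconds
    for s in range(3):
        for i in range(5):
            pkts.append((s + i / 5.0, "198.51.100.7", "192.0.2.10", UDP_PROTO))
    # burst: 1000 UDP packets between t=1.0 and t=2.0 toward 192.0.2.20
    for i in range(1000):
        pkts.append((1.0 + i / 1000.0, "198.51.100.9", "192.0.2.20", UDP_PROTO))
    # non-UDP traffic in the same window, must not be counted
    pkts.append((1.5, "198.51.100.7", "192.0.2.20", 6))
    return pkts


if __name__ == "__main__":
    # Expect only the burst destination to show an excess of 900 packets.
    print(udp_flood_counters(make_sample_packets(), threshold_pps=100))
```

The check is deliberately cheap (one counter increment per packet), which is the point of doing it at a screen or at a storm-control port ahead of the inspection engine: the device still sees every packet, but the per-packet cost of the decision is far lower than full stateful inspection, and anything beyond the threshold never reaches the expensive path.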
This archive was generated by hypermail 2.2.0 : Sat Sep 01 2012 - 08:41:18 ART