Re: UDP Flooding Security on Cisco ASA

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Fri, 31 Aug 2012 08:52:22 -0300

If the "attack tool" is spoofing the origin IP, there's little that the
FW can do other than apply profiling on the whole UDP, hardly an option
IMHO.

If all the incoming packets come from a single IP, then some "attacker
recognition" can be done. ASAs implement that for TCP but I don't think
they translated this mech to use "UDP connections".

If your intent is to protect traffic across other interfaces, rate
limiting the external interface could limit the attack impact. I know
the ASA does implement rate limiting, but never tried using it.

HTH,
-Carlos

Gilles Fabre @ 31/08/2012 04:33 -0300 dixit:
> Thanks for your reply Ryan
> My test was on an ASA 5520... but my goal is not to compare firewalls here
>
> My question was more on how to secure the network globally so that
> - either the firewall can react to the attack (for example shutting the link
> to the attacker so the other zones are not impacted)
> - or secure the network elsewhere in order to avoid these simple attacks
> having an impact on the network (what is the best method/design?)
>
> Hope this is clear enough
>
> thanks
> Gilles
>
>> Message of 30/08/12 at 17:01
>> From: "Ryan West"
>> To: "Gilles Fabre" , "Cisco certification"
>> Cc:
>> Subject: RE: UDP Flooding Security on Cisco ASA
>>
>> On Thu, Aug 30, 2012 at 10:54:55, Gilles Fabre wrote:
>>> Subject: UDP Flooding Security on Cisco ASA
>>>
>>> Hi all
>>>
>>> I am more a Routing&Switching than Security guy (note there is no
>>> CCIE# below my name...) so I would appreciate your opinions on a
>>> security topic.
>>>
>>> I used a simple Linux laptop to test UDP flooding destined to an ASA
>>> firewall IP address:
>>> I used the command "hping3 --flood --data 2 --udp " to flood the FW with
>>> 2-byte UDP packets. After doing that, my FW CPU was close to
>>> 100% and packets began to be dropped between hosts on other interfaces.
>>>
>>> I tried to find how to change the configuration to prevent this and tried
>>> configuring "set connection", "ip audit" or "threat-detection" based
>>> commands but without success.
>>>
>>>
>>> I tried the same on a Juniper SSG140 device today and I see it can
>>> detect this kind of attack:
>>>
>>> SSG140-> get counter screen zone DMZ
>>> Screen counter on zone DMZ
>>> ICMP flood protection                        0
>>> UDP flood protection                   7746144
>>>
>>> however, packet processing is impacted as well.
>>>
>>>
>>
>> Did you run a 'show asp drop'? You can also do captures on the asp drop to
>> get more detail. As far as the two platforms go, are you comparing apples to
>> apples? The SSG140 is about par with 5540 based on specs.
>>
>> -ryan
>>
>
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
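Carlos points at the ASA's rate limiting as the practical way to keep the flood from starving the other interfaces, and Gilles mentions trying "set connection" and "threat-detection". As an added example (not configuration posted by anyone in this thread), the following ASA Modular Policy Framework snippet shows how those three pieces fit together; the interface name "outside", the firewall address 203.0.113.1, the class/policy names and the rate and connection values are assumptions to be adapted to the actual box.

```cisco
! Added example, not from the thread. Assumed: outside interface named "outside",
! firewall outside address 203.0.113.1; rate and connection limits are illustrative.

! Match UDP aimed at the firewall's own outside address (the flood Gilles described).
access-list UDP-TO-FW extended permit udp any host 203.0.113.1

class-map UDP-TO-FW
 match access-list UDP-TO-FW

! Police matching UDP to 1 Mbit/s with a 1500-byte burst; excess is dropped.
! per-client-max caps how many UDP "connections" one source may hold, which
! helps only when the flood is not source-spoofed (Carlos's first point).
policy-map OUTSIDE-POLICY
 class UDP-TO-FW
  police input 1000000 1500 conform-action transmit exceed-action drop
  set connection per-client-max 100

service-policy OUTSIDE-POLICY interface outside

! Basic threat detection raises syslog events when per-type drop rates cross
! their thresholds, so a flood becomes visible even when it is not blocked.
threat-detection basic-threat
```

Once applied, confirm the policer is actually counting with "show service-policy interface outside" and watch "show threat-detection rate" for the drop categories lighting up. One caveat worth checking rather than assuming: MPF actions such as policing and connection limits are built for traffic passing through the firewall, so whether they catch packets addressed to the firewall's own interface (Gilles's exact test) should be verified on the platform, and Ryan's "show asp drop" is the quickest way to see where those packets are really being dropped.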
Received on Fri Aug 31 2012 - 08:52:22 ART

This archive was generated by hypermail 2.2.0 : Sat Sep 01 2012 - 08:41:18 ART