Situation:
An attacker attempts to connect with AnyConnect; AnyConnect sends the authentication to ISE, and ISE forwards it to AD. The ISE logs show lots of failed RADIUS requests with non-existent usernames. AD is overwhelmed and can't process legitimate authentication requests any more. During this kind of attack, ISE itself is normally not the one that gets overwhelmed.
The AnyConnect user's public IP is carried in the RADIUS attribute Calling-Station-ID.
Issue:
1. ISE failed-authentication suppression seems to apply only to existing user accounts.
2. FTD/ASA AnyConnect doesn't have the ability to filter by source IP geolocation.
3. FTD Security Intelligence doesn't block the attacker's IP from reaching AnyConnect.
4. FTD prefilter policy doesn't work either.
Cisco Enhancement request:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322?rfs=iqvred
Solution:
1. "shun" command on the FTD/ASA CLI
2. Deny the attacker's IP in a control-plane ACL (see Appendix 1)
3. Enable anti-spoofing on the firewall's AnyConnect interface and create a null0 route for the attacker's IP (see Appendix 2)
================================
Appendix 1
1. Add a FlexConfig Object as below, replacing the IP and interface name with the real ones.
2. Configure a FlexConfig Policy and apply the FlexConfig Object.
3. Deploy the policy.
==========
Appendix 2
1. Enable reverse-path check on the AnyConnect interface.
2. Create a null0 route for each attacker's IP.
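The three mitigations above, as an added ASA/FTD CLI example that is not the page's own FlexConfig object; 192.0.2.10 and the interface name "outside" are placeholders for the real attacker IP and VPN interface, and on FTD the ACL and route lines are assumed to be what goes into the FlexConfig object from Appendix 1.

```cisco
! Added example (not the page's FlexConfig object). Placeholders:
! 192.0.2.10 = attacker's public IP, outside = AnyConnect-facing interface.
!
! Solution 1: immediate drop of all traffic from the attacker's IP.
! A shun is not saved to the config and does not survive a reload.
shun 192.0.2.10
!
! Solution 2 / Appendix 1: control-plane ACL. "control-plane" applies the
! ACL to traffic destined to the firewall itself (the AnyConnect listener),
! which a normal interface ACL or Security Intelligence does not cover.
access-list CP-ACL extended deny ip host 192.0.2.10 any
access-list CP-ACL extended permit ip any any
access-group CP-ACL in interface outside control-plane
!
! Solution 3 / Appendix 2: reverse-path check plus a null route. With uRPF
! on the interface, packets whose source routes to Null0 fail the check and
! are discarded before reaching the VPN stack.
ip verify reverse-path interface outside
route Null0 192.0.2.10 255.255.255.255
```

Verify the blocks are taking effect with "show shun", "show access-list CP-ACL" (hit counts on the deny line) and "show route | include Null0"; the ISE live log should stop showing new failures from that Calling-Station-ID.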
New Cisco ASA and FTD features block VPN brute-force password attacks
https://www.bleepingcomputer.com/news/security/new-cisco-asa-and-ftd-features-block-vpn-brute-force-password-attacks/
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html
ASA:
threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20