An attacker can launch a DoS attack by flooding a host with thousands of TCP SYN packets whose source addresses are spoofed. The host replies with SYN-ACKs that never get an ACK back, so each SYN leaves a half-open TCP connection that consumes resources until the host is overwhelmed and starts dropping packets.
On the Cisco ASA you can use the Modular Policy Framework (MPF) to restrict the number of TCP half-open (embryonic) connections to a server with "set connection embryonic-conn-max". Once that limit is reached, the ASA intercepts each new TCP SYN itself (TCP intercept) and only forwards the connection to the server after the 3-way handshake with the client has completed.
Lab:
1. Create an extended ACL for the protected server
access-list ACL-Protected-Servers extended permit tcp any host 10.1.1.10 eq www
2. Create a class-map that matches the ACL
class-map CM-Protected-Servers
 match access-list ACL-Protected-Servers
3. Create a policy-map that sets the embryonic connection limit for that class
policy-map PM-Outside
 class CM-Protected-Servers
  set connection embryonic-conn-max 40
4. Apply the policy-map as the service policy on the outside interface
service-policy PM-Outside interface outside
Verification:
Use hping3 on Kali to generate the spoofed SYN flood:
sudo hping3 -c 10000 -d 120 -S -p 80 --flood --rand-source 203.0.113.10
ASA-916# sh service-policy interface outside

Interface outside:
  Service-policy: PM-Outside
    Class-map: CM-Protected-Servers
      Set connection policy: embryonic-conn-max 40
        current embryonic conns 40, drop 0
ASA-916#
The embryonic connection count has reached the configured limit of 40, so the policy is in effect. In the ASA log:
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (228.8.220.137) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (234.131.52.96) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (234.219.62.86) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (228.221.7.241) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (230.181.240.116) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (230.74.97.183) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (234.254.102.47) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (238.86.111.78) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (225.136.83.145) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (239.180.22.84) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (227.70.241.1) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (225.186.216.179) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (0.22.73.155) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (239.102.93.37) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (227.202.79.9) to 203.0.113.10 on interface outside
Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (228.9.149.120) to 203.0.113.10 on interface outside
Anti-spoofing is not enabled on the outside interface, yet the ASA still logs these denials: the random source addresses hping3 generated fall into ranges that are never valid sources (224.0.0.0/4 multicast and 0.0.0.0/8), which Cisco's explanation of this message covers under "some other invalid address":
%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
- This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:
- Loopback network (127.0.0.0)
- Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
- The destination host (land.c)
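To make the two artefacts above (the "show service-policy" counters and the %ASA-2-106016 log lines) usable from a SOC, here is a small Python parser. It is an added example, not code from the original post or from Cisco. The log lines and show output embedded in it are constructed to mirror the post's excerpt; the reason categories follow Cisco's explanation of 106016 above, with multicast and 0.0.0.0/8 filed under "some other invalid address"; the per-second alert threshold is an arbitrary assumption.

```python
"""Parse ASA %ASA-2-106016 'Deny IP spoof' syslog lines and the embryonic
connection counters from 'show service-policy', and flag SYN-flood bursts.
Added example; sample inputs are constructed to match the post's format."""
import ipaddress
import re
from collections import Counter

# Message format as it appears in the post's log excerpt.
SPOOF_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-2-106016: "
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifc>\S+)$"
)
# Counters as printed by 'show service-policy interface <name>' in the post.
LIMIT_RE = re.compile(r"embryonic-conn-max (?P<limit>\d+)")
CURRENT_RE = re.compile(r"current embryonic conns (?P<cur>\d+), drop (?P<drop>\d+)")

# Constructed sample: five spoof denials in one second (sources taken from the
# ranges seen in the post) plus one unrelated connection-built message.
SAMPLE_LOG = [
    "Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (228.8.220.137) to 203.0.113.10 on interface outside",
    "Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (234.131.52.96) to 203.0.113.10 on interface outside",
    "Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (0.22.73.155) to 203.0.113.10 on interface outside",
    "Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (239.180.22.84) to 203.0.113.10 on interface outside",
    "Mar 03 2024 10:42:51: %ASA-2-106016: Deny IP spoof from (225.136.83.145) to 203.0.113.10 on interface outside",
    "Mar 03 2024 10:42:52: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:10.1.1.10/80 (203.0.113.10/80)",
]
# Constructed copy of the post's show output (interface header onwards).
SAMPLE_SHOW = """Interface outside:
  Service-policy: PM-Outside
    Class-map: CM-Protected-Servers
      Set connection policy: embryonic-conn-max 40
        current embryonic conns 40, drop 0
"""


def classify_source(src: str, dst: str) -> str:
    """Map a rejected source address to the reason category in Cisco's
    explanation of 106016: land (source equals destination), loopback,
    broadcast, or another address that can never be a valid source."""
    try:
        s = ipaddress.ip_address(src)
        d = ipaddress.ip_address(dst)
    except ValueError:
        return "malformed"
    if s == d:
        return "land (source equals destination)"
    if s.is_loopback:
        return "loopback"
    if s == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    if s.is_multicast:
        return "multicast (224.0.0.0/4)"
    if s in ipaddress.ip_network("0.0.0.0/8"):
        return "this-network (0.0.0.0/8)"
    if s in ipaddress.ip_network("240.0.0.0/4"):
        return "reserved (240.0.0.0/4)"
    return "other"


def parse_spoof_line(line: str):
    """Return the fields of one 106016 line plus a reason, or None if the
    line is some other message."""
    m = SPOOF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = classify_source(rec["src"], rec["dst"])
    return rec


def summarize(lines):
    """Count denials per (second, destination, interface) and per reason.
    Many distinct sources hitting one destination in one second is the
    random-source SYN-flood signature an analyst would alert on."""
    per_second, per_reason = Counter(), Counter()
    for line in lines:
        rec = parse_spoof_line(line)
        if rec is None:
            continue
        per_second[(rec["ts"], rec["dst"], rec["ifc"])] += 1
        per_reason[rec["reason"]] += 1
    return per_second, per_reason


def flood_alerts(lines, threshold: int):
    """Keys whose per-second denial count reaches the (assumed) threshold."""
    per_second, _ = summarize(lines)
    return [key for key, n in per_second.items() if n >= threshold]


def embryonic_status(show_output: str):
    """Read the embryonic limit and current count; at_limit means the ASA
    is now intercepting new SYNs for this class instead of forwarding them."""
    limit = int(LIMIT_RE.search(show_output)["limit"])
    m = CURRENT_RE.search(show_output)
    cur, drop = int(m["cur"]), int(m["drop"])
    return {"limit": limit, "current": cur, "drop": drop, "at_limit": cur >= limit}


if __name__ == "__main__":
    per_second, per_reason = summarize(SAMPLE_LOG)
    print("denials per second:", dict(per_second))
    print("reasons:", dict(per_reason))
    print("alerts:", flood_alerts(SAMPLE_LOG, 5))
    print("embryonic:", embryonic_status(SAMPLE_SHOW))
```

In production the same functions would be fed from the syslog collector rather than the embedded sample, and the alert would carry the destination and interface so the responder can check the matching class-map counters on the ASA.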
References
https://integratingit.wordpress.com/2018/01/07/prevent-tcp-attacks-on-cisco-asa/
https://www.firewall.cx/tools-tips-reviews/network-protocol-analyzers/performing-tcp-syn-flood-attack-and-detecting-it-with-wireshark.html
FTD:
In FTD, the same protection is configured with a Threat Defense Service Policy:
1. Define an extended ACL object for the protected server.
2. Configure "Threat Defense Service Policy" under Advanced Settings of the Access Control Policy (ACP).