Friday, September 25, 2020

ASA being targeted

We have an ASA 5512 that seems to be under attack frequently. We monitor memory and CPU, but see nothing out of the ordinary; it's just that from time to time the device is flooded with TCP packets from various sources.

The only thing we can do is to reboot the device, which now happens every month. Since it is located in a DC, we have to pay $250 for an engineer to do it for us.

I would like to get some pointers as to what to do. The device is used as a VPN concentrator and also as a FW in front of a file server (not published publicly, only accessible from our LAN segment).

I have looked online for DDoS protection settings, but I can only find TCP SYN settings, and they seem to protect servers that are published more than the ASA itself:

    class-map tcp_syn
      match port tcp eq 80
    exit
    policy-map tcpmap
      class tcp_syn
        set connection conn-max 100
        set connection embryonic-conn-max 200
        set connection per-client-embryonic-max 10
        set connection per-client-max 5
        set connection random-sequence-number enable
        set connection timeout embryonic 0:0:45
        set connection timeout half-closed 0:25:0
        set connection timeout tcp 2:0:0
      exit
    exit
    service-policy tcpmap global

Should we look at a CloudFlare type of services or are there other first response things we can do?
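A first-response step that does not need any change on the ASA is to look at the syslog it already exports and find which sources are opening connections in bursts. The script below is an added example, not the poster's code and not anything from Cisco: it parses ASA 302013 "Built inbound TCP connection" messages and reports sources that exceed a per-source rate inside a sliding time window. The log lines are constructed samples in the documented 302013 layout (the hostname `asa-1`, the addresses and the connection ids are made up), and the threshold and window values are assumptions to tune against your own traffic.

```python
"""Flag sources that open inbound TCP connections in bursts, from ASA syslog.

Added example for the question above (not the poster's or Cisco's code).
Sample lines are constructed in the shape of the documented
%ASA-6-302013 message; threshold and window are assumed starting values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 302013: Built {inbound|outbound} TCP connection <id> for <if>:<ip>/<port>
# (<mapped>) to <if>:<ip>/<port> (<mapped>). Group names are ours.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([^)]*\) to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\)"
)


def parse_line(line):
    """Return the fields of a 302013 line (with 'ts' as a datetime), or None
    for any other syslog message so callers can feed a whole log file."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def flood_sources(lines, threshold=10, window_seconds=10):
    """Return {source_ip: peak_count} for sources that built at least
    `threshold` inbound connections within any `window_seconds` span."""
    events = [r for r in map(parse_line, lines) if r and r["direction"] == "inbound"]
    events.sort(key=lambda r: r["ts"])
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)       # highest in-window count seen per source
    for rec in events:
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def build_line(ts, conn_id, src, sport, dst="10.0.0.5", dport=80):
    """Construct a sample 302013 line (test data, not a real capture)."""
    return (f"{ts:%b %d %Y %H:%M:%S} asa-1 %ASA-6-302013: Built inbound TCP "
            f"connection {conn_id} for outside:{src}/{sport} ({src}/{sport}) "
            f"to inside:{dst}/{dport} ({dst}/{dport})")


BASE = datetime(2020, 9, 25, 10, 0, 0)
# Constructed sample log: one source opening 12 connections in 12 seconds,
# one source opening 3 connections spread over a minute, plus an unrelated
# teardown message that the parser must skip.
SAMPLE_LOG = (
    [build_line(BASE + timedelta(seconds=i), 1000 + i, "203.0.113.5", 40000 + i)
     for i in range(12)]
    + [build_line(BASE + timedelta(seconds=30 * i), 2000 + i, "198.51.100.7", 50000 + i)
       for i in range(3)]
    + ["Sep 25 2020 10:00:05 asa-1 %ASA-6-302014: Teardown TCP connection 1001 "
       "for outside:203.0.113.5/40001 to inside:10.0.0.5/80 duration 0:00:05 "
       "bytes 0 TCP Reset-O"]
)

if __name__ == "__main__":
    for src, n in flood_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} inbound connections inside a 10 s window")
```

Run it against an exported syslog file by replacing `SAMPLE_LOG` with the file's lines; the output is a shortlist of sources to block upstream or to compare against the `per-client-embryonic-max` value in the policy above. Sources that never complete the handshake do not produce 302013 at all, so pair this with the ASA's own embryonic-connection counters when the flood is pure SYNs.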


