If it's not in the context of CCIE Security then I'd add the botnet filter to the ASA, but that starts only from 8.2 code. Otherwise, if the mentioned server couldn't be unplugged but the traffic from it should be stopped, ACL or shun is the quick and efficient answer. Threat detection IMHO will only help to detect the abnormal activity by sending a particular syslog message. There's no way to protect from the said attacks with threat detection. Additionally, if we know the type/pattern of malicious traffic and it falls into the ASA built-in IPS signature categories, we can configure a drop action for the attack signature.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Parvez Ahmad
Sent: Saturday, June 30, 2012 7:11 AM
To: [email protected]
Subject: [OSL | CCIE_Security] DDOS Attack

Hi,

A server has been compromised and is sending malicious traffic towards the zombies (DDoS attack, thousands of connections). This host is behind the ASA. Due to some constraint, the server cannot be unplugged from the network. It is taking high CPU and RAM on the ASA and legitimate connections are getting delayed. The administrator ran the below two commands to protect the ASA / drop the connections.

1. Shun ... IP address of server.
2. Deny ACL (source: compromised host, destination: any)
3. MPF with "set connection"

Is there any way to protect the ASA infrastructure from this type of attack? If not, let us know which method is best among the above 3 options.

Regards,
Parvez
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
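For reference, here is an added ASA configuration example (not posted by either participant) showing the three options discussed in the thread side by side, plus the threat-detection commands. The compromised host address 10.1.1.5, the interface name "inside", the ACL, class-map and policy-map names, and the connection-limit values are all assumed placeholders; adjust them to the real environment.

```cisco
! Added example, not from the thread. Assumed values: compromised host
! 10.1.1.5 behind interface "inside"; ACL and policy names are placeholders.

! --- Option 1: shun ---
! Drops existing connections from the host and blocks new ones at once.
! Shuns are kept in memory only, not in the running config, so they
! disappear on reload.
shun 10.1.1.5
show shun
! Remove once the host has been cleaned:
no shun 10.1.1.5

! --- Option 2: deny ACL on the inside interface ---
! Survives a reload, but a new deny entry does not tear down connections
! that are already in the connection table; clear those explicitly.
access-list INSIDE_IN extended deny ip host 10.1.1.5 any log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
clear conn address 10.1.1.5

! --- Option 3: MPF "set connection" limits ---
! Caps how many connections (total, half-open, and per client) the ASA
! will hold for traffic matching the class. The host keeps talking, so
! this protects ASA CPU/memory rather than stopping the traffic.
access-list INSIDE_HOSTS extended permit ip 10.1.1.0 255.255.255.0 any
class-map INSIDE_CONN_LIMIT
 match access-list INSIDE_HOSTS
policy-map INSIDE_POLICY
 class INSIDE_CONN_LIMIT
  set connection conn-max 2000 embryonic-conn-max 500 per-client-max 100 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:20
service-policy INSIDE_POLICY interface inside

! --- Threat detection ---
! basic-threat and per-host statistics only raise syslog messages and
! counters; scanning-threat with the "shun" keyword additionally auto-shuns
! a host the ASA classifies as a scanner, for the given number of seconds.
threat-detection basic-threat
threat-detection statistics host
threat-detection scanning-threat shun duration 3600
show threat-detection shun
```

In practice the three options are not exclusive: shun gives the immediate cut-off while the host is being investigated, the deny ACL keeps the block in place across reloads, and the connection limits bound the resources any single inside host can consume on the ASA before the next incident happens.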
