Some suggestions.
Try to understand what legitimate traffic would be to/from the server.
Specifically from it, since for a standard TCP client/server application
with clients out on the Internet it should be mostly TCP SYNs coming in
to the server and TCP SYN-ACKs and established TCP traffic coming out
from the server. Filter out all initial TCP SYNs, maybe with exceptions
for your internal networks.
Is this server behind the NAT with a private IP address, or is it in
some DMZ with a public IP?
Also check if the server talks to any other internal systems like DNS
etc.; you may want to keep this traffic unfiltered. The rest of ICMP and
UDP I would filter out.
A good approach is to build a characterized ACL on that server port and
see what traffic is going out. You can also collect some NetFlow data;
it takes more time though if your infrastructure is not NetFlow enabled.
If you have an IPS at hand, you can try and put this server port behind
the IPS and enable flood signatures.
HTH
A.
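To illustrate the "characterize what goes out" step above, here is an added example (not from this thread) that applies the legitimacy profile Alexei describes to constructed flow records, the kind of data a logging ACL or NetFlow export would give you. The server address, internal ranges and internal resolver are assumptions.

```python
"""Characterize outbound traffic from a suspected compromised server.

Expected profile for a server: SYN-ACK and established TCP going out,
initial SYNs only toward internal systems it depends on, internal DNS
allowed, remaining UDP and ICMP filtered.
"""
import ipaddress
from collections import Counter

SERVER_IP = ipaddress.ip_address("10.1.1.10")                   # assumed server address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]         # assumed internal ranges
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53")}              # assumed internal resolver

# Constructed flow records: src dst proto dport tcp_flags ('-' when not TCP)
SAMPLE_FLOWS = """\
10.1.1.10 203.0.113.7 tcp 443 SA
10.1.1.10 203.0.113.7 tcp 443 PA
10.1.1.10 198.51.100.9 tcp 80 S
10.1.1.10 198.51.100.9 tcp 80 S
10.1.1.10 10.0.0.53 udp 53 -
10.1.1.10 192.168.5.2 tcp 3306 S
10.1.1.10 198.51.100.9 udp 53 -
10.1.1.10 198.51.100.9 icmp 0 -
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def classify(record):
    """Return 'allow' or 'deny:<reason>' for one outbound flow from the server."""
    src, dst, proto, dport, flags = record.split()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    if src != SERVER_IP:
        return "ignore:not-from-server"
    if proto == "tcp":
        if "S" in flags and "A" not in flags:
            # An initial SYN from a server is client-style behaviour: only
            # acceptable toward internal systems it legitimately depends on.
            return "allow" if is_internal(dst) else "deny:outbound-syn"
        return "allow"       # SYN-ACK or established/reply traffic
    if proto == "udp" and dport == 53 and dst in INTERNAL_DNS:
        return "allow"       # internal DNS stays unfiltered
    return f"deny:{proto}"   # remaining UDP and ICMP get filtered

def characterize(text):
    """Count verdicts over flow lines; a flood shows up as a large deny bucket."""
    return Counter(classify(line) for line in text.splitlines() if line.strip())

if __name__ == "__main__":
    for verdict, n in characterize(SAMPLE_FLOWS).most_common():
        print(f"{n:4d}  {verdict}")
```

The deny buckets are exactly the entries a characterized ACL on the server port would need to block; the allow bucket is the traffic to keep unfiltered.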
On 7/1/2012 11:42 AM, Parvez Ahmad wrote:
Hi,
The source is a compromised server. It is sending the traffic (ICMP, TCP
and UDP flood) towards the public IPs (online bots).
The ASA is running version 8.3 but does not have a bot license.
Regards,
Parvez
On Sun, Jul 1, 2012 at 4:54 AM, Alexei Monastyrnyi <[email protected]> wrote:
Could you identify more precisely what DDoS attack it is? Is it
sourced from the server's real address? If those are spoofed source IP
addresses you could filter on them.
A.
On 7/1/2012 12:10 AM, Parvez Ahmad wrote:
Hi,
A server has been compromised and is sending malicious traffic
towards the zombies (DDoS attack, thousands of connections). This
host is behind the ASA.
Due to some constraint, the server cannot be unplugged from the
network. It is taking high CPU and RAM of the ASA and legitimate
connections are getting delayed.
The administrator ran the below two commands to protect the ASA / drop
the connection.
1. Shun .... IP address of server.
2. Deny ACL (source: compromised host, destination: any)
3. MPF with "set connection"
Is there any way to protect the ASA infrastructure from this type
of attack? If not, let us know which method is best among the above
3 options.
Regards,
Parvez
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com