Cisco ASA 5505: Blocking a DDoS Attack

TL;DR

Yes, a Cisco ASA 5505 can mitigate some types of Distributed Denial-of-Service (DDoS) attacks, but its capabilities are limited compared to dedicated DDoS protection appliances. This guide focuses on using the ASA’s built-in features – Access Control Lists (ACLs), Connection Limiting, and Intrusion Prevention System (IPS) signatures – to reduce the impact of common DDoS attacks.

Blocking a DDoS Attack with Cisco ASA 5505

  1. Understand the Attack
    • Identify the attack type. Common types include:
      • UDP Floods: A large volume of UDP packets is sent to random ports on your network.
      • SYN Floods: The attacker sends a flood of SYN requests but never completes the handshake, leaving half-open (embryonic) connections that exhaust server resources.
      • ICMP Floods (Ping Floods): A large number of ICMP echo requests are sent.
    • Determine the source IP addresses. If it’s a distributed attack, there will be many sources.
  2. Access Control Lists (ACLs) – Blocking Known Bad IPs
    If you can identify specific malicious IP addresses, block them using ACLs.

    access-list outside_in extended deny ip host <attacker-ip> any
    access-group outside_in in interface outside

    • Replace `<attacker-ip>` with the actual IP address, one deny entry per address.
    • Apply the ACL to the interface facing the internet (usually ‘outside’). On the ASA, access-group is a global command that names the interface; it is not entered under the interface itself.
    • If the outside interface already has an inbound ACL, add the deny entries to the top of that ACL rather than binding a new one: the ASA evaluates entries top-down, and a new access-group replaces the existing binding, so a deny-only ACL would cut off your permitted services.
    • Caution: Blocking individual IPs is only effective for small, targeted attacks. It’s not scalable for large DDoS attacks.
  3. Connection Limiting – Rate Limiting Connections
    Limit the number of connections allowed from a single IP address to protect against SYN floods and other connection-based attacks. On the ASA this is configured through the Modular Policy Framework (MPF): a class map selects traffic to the protected server and a policy map applies embryonic (half-open) connection limits to it.

    access-list PROTECTED_SERVER extended permit tcp any host <server-ip>
    class-map CONN_LIMIT
     match access-list PROTECTED_SERVER
    policy-map global_policy
     class CONN_LIMIT
      set connection embryonic-conn-max 1000 per-client-embryonic-max 50
      set connection timeout embryonic 0:00:30
    service-policy global_policy global

    • Replace `<server-ip>` with the address of the server you are protecting. Once the embryonic-conn-max limit is reached, the ASA intercepts new connections (TCP Intercept): it answers the SYN itself and only hands the connection to the server after the client completes the handshake. per-client-embryonic-max caps half-open connections from any single source, so a flood from one address is dropped while other clients keep working. Tune both values to your server’s capacity.
    • Monitor CPU usage after applying this policy; excessive rate limiting can impact legitimate traffic.
  4. Intrusion Prevention System (IPS) – Using Signatures
    Enable IPS signatures to detect and block known DDoS attack patterns. On the ASA 5505, IPS requires the optional AIP-SSC module.

    • Navigate to Configuration > Firewall > Intrusion Prevention > Signatures.
    • Enable relevant signatures under categories like ‘DoS’ or specific attack types (e.g., ‘UDP Flood’, ‘SYN Flood’).
    • Be careful when enabling IPS signatures, as some may generate false positives and block legitimate traffic. Start with a limited set of signatures and monitor the logs closely.
  5. Monitor ASA Resources
    Continuously monitor CPU usage, memory utilization, and interface bandwidth to assess the attack’s impact.

    • Use the ASA’s CLI commands:
      • show cpu usage
      • show memory statistics
      • show interface GigabitEthernet0/0 (replace with your interface)
      • show service-policy set connection (shows how often the limits from step 3 are being hit)
  6. Consider Cloud-Based DDoS Protection
    The ASA 5505 has limited capacity. For large or sophisticated attacks, consider using a cloud-based DDoS protection service that can absorb and mitigate the attack before it reaches your network.
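As an added example that is not part of the original post, the Python script below ties the ACL and connection-limit steps together on the defensive side: it reads ASA syslog lines emitted when the connection limits fire, counts hits per source address, and prints candidate `access-list outside_in ... deny` entries for repeat offenders so an operator can review them before applying anything. The sample log lines are constructed, and the 20101x message IDs and wording are assumed from memory of the ASA syslog format; adjust the regex to what your device actually logs.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog output (not captured from a real device).
# The 20101x message IDs and wording follow the ASA "connection limit exceeded"
# messages as I recall them; treat the exact format as an assumption.
SAMPLE_SYSLOG = """\
%ASA-6-201010: Embryonic connection limit exceeded 1000/1000 for input packet from 203.0.113.7/40211 to 198.51.100.10/443 on interface outside
%ASA-6-201012: Per-client embryonic connection limit exceeded 50/50 for input packet from 203.0.113.7/40212 to 198.51.100.10/443 on interface outside
%ASA-6-201012: Per-client embryonic connection limit exceeded 50/50 for input packet from 203.0.113.7/40213 to 198.51.100.10/443 on interface outside
%ASA-6-201012: Per-client embryonic connection limit exceeded 50/50 for input packet from 192.0.2.44/51000 to 198.51.100.10/443 on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.99/50000 (192.0.2.99/50000) to inside:198.51.100.10/443 (198.51.100.10/443)
"""

# Matches the family of connection-limit messages (201010-201013) and captures
# the offending source address; unrelated messages (e.g. 302013) are ignored.
LIMIT_MSG = re.compile(
    r"%ASA-\d-20101[0-3]: .*?connection limit exceeded (?P<count>\d+)/(?P<limit>\d+)"
    r" for \w+ packet from (?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+"
)


def count_limit_hits(syslog_text):
    """Count, per source IP, how often the ASA reported a connection-limit hit."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = LIMIT_MSG.search(line)
        if m:
            hits[m["src"]] += 1
    return hits


def suggest_acl_entries(hits, threshold, allowlist=(), acl_name="outside_in"):
    """Deny entries for sources seen at least `threshold` times, most frequent
    first. Addresses in `allowlist` (monitoring hosts, partners) are never
    proposed. The output is a review list, not something to apply blindly."""
    return [
        f"access-list {acl_name} extended deny ip host {ip} any"
        for ip, n in hits.most_common()
        if n >= threshold and ip not in allowlist
    ]


if __name__ == "__main__":
    for entry in suggest_acl_entries(count_limit_hits(SAMPLE_SYSLOG), threshold=2):
        print(entry)
```

Feed it real output with `python3 asa_limit_hits.py < asa.log` after swapping `SAMPLE_SYSLOG` for `sys.stdin.read()`; a single hit from an address is often a busy legitimate client, which is why the threshold and allowlist exist.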
