TL;DR
Yes, a Cisco ASA 5505 can mitigate some types of Distributed Denial-of-Service (DDoS) attacks, but its capabilities are limited compared to dedicated DDoS protection appliances. This guide focuses on using the ASA’s built-in features – Access Control Lists (ACLs), Connection Limiting, and Intrusion Prevention System (IPS) signatures – to reduce the impact of common DDoS attacks.
Blocking a DDoS Attack with Cisco ASA 5505
- Understand the Attack
  - Identify the attack type. Common types include:
    - UDP Floods: a large volume of UDP packets is sent to random ports on your network.
    - SYN Floods: the attacker sends a flood of SYN requests but never completes the handshake, exhausting server resources.
    - ICMP Floods (Ping Floods): a large number of ICMP echo requests is sent.
  - Determine the source IP addresses. In a distributed attack there will be many sources.
- Access Control Lists (ACLs) – Blocking Known Bad IPs
  If you can identify specific malicious IP addresses, block them using ACLs.
  ```
  access-list outside_in extended deny ip host ATTACKER_IP any
  access-group outside_in in interface outside
  ```
  - Replace `ATTACKER_IP` with the actual IP address.
  - Apply the ACL to the interface facing the internet (usually ‘outside’). `access-group` is a global command that takes the interface’s nameif, not an interface sub-command.
  - An ACL ends with an implicit deny, so keep the permit entries you already need in `outside_in`; a list containing only deny lines blocks all inbound traffic.
  - Caution: blocking individual IPs is only effective for small, targeted attacks. It does not scale to large DDoS attacks.
- Connection Limiting – Rate Limiting Connections
  Limit the number of connections allowed from a single IP address to protect against SYN floods and other connection-based attacks. On the ASA this is done with the Modular Policy Framework: a class map selects the traffic and a policy map applies `set connection` limits to it.
  ```
  class-map SYN_FLOOD
   match any
  policy-map outside_policy
   class SYN_FLOOD
    set connection embryonic-conn-max 1000 per-client-embryonic-max 50
    set connection timeout embryonic 0:00:30
  service-policy outside_policy interface outside
  ```
  - This example caps half-open (embryonic) TCP connections at 1000 in total and 50 per client, and ages out half-open connections after 30 seconds. Once a limit is reached the ASA answers the SYN itself and only opens a connection to the server after the client completes the handshake (TCP intercept), so spoofed SYNs never reach the server. The limits are example values; adjust the class map and the limits to suit your needs (e.g., match a specific destination with an access list, or also cap established connections with `conn-max` and `per-client-max`).
  - Monitor CPU usage after applying this policy; excessive rate limiting can impact legitimate traffic.
- Intrusion Prevention System (IPS) – Using Signatures
  Enable IPS signatures to detect and block known DDoS attack patterns. IPS on the ASA 5505 requires the optional AIP SSC-5 module; the steps below are performed in ASDM.
  - Navigate to Configuration > Firewall > Intrusion Prevention > Signatures.
  - Enable relevant signatures under categories like ‘DoS’ or specific attack types (e.g., ‘UDP Flood’, ‘SYN Flood’).
  - Be careful when enabling IPS signatures, as some may generate false positives and block legitimate traffic. Start with a limited set of signatures and monitor the logs closely.
- Monitor ASA Resources
  Continuously monitor CPU usage, memory utilization, interface bandwidth and the connection table to assess the attack’s impact.
  - Use the ASA’s CLI commands:
  ```
  show cpu usage
  show memory
  show conn count
  show service-policy
  show interface GigabitEthernet0/0
  ```
  - Replace `GigabitEthernet0/0` with your outside interface (the ASA also accepts the nameif, e.g. `show interface outside`). `show conn count` shows how full the connection table is, and `show service-policy` shows the counters for the connection limits applied above.
- Consider Cloud-Based DDoS Protection
  The ASA 5505 has limited capacity. For large or sophisticated attacks, consider using a cloud-based DDoS protection service that can absorb and mitigate the attack before it reaches your network.
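The following is an added example, not part of the original guide and not Cisco's code: a simplified Python model of the two limits set by `set connection embryonic-conn-max N per-client-embryonic-max M` in the Connection Limiting section. It does not reproduce the ASA's internal implementation; it only models the decision "forward the SYN to the server" versus "handle it with TCP intercept", so that the interplay of the total and per-client limits is visible. The SYN event lists and the IP addresses in them are constructed for the example.

```python
from collections import Counter


class EmbryonicLimiter:
    """Toy model of the ASA's embryonic (half-open) connection limits.

    This is an illustration of the policy, not the device's algorithm.
    """

    def __init__(self, conn_max, per_client_max):
        self.conn_max = conn_max              # embryonic-conn-max (total)
        self.per_client_max = per_client_max  # per-client-embryonic-max
        self.total = 0
        self.per_client = Counter()

    def syn(self, src):
        """Record a new half-open connection attempt from src.

        Returns 'pass' if the SYN may be forwarded to the server, or
        'intercept' if a limit is hit and the ASA would proxy the handshake.
        """
        if self.total >= self.conn_max or self.per_client[src] >= self.per_client_max:
            return "intercept"
        self.total += 1
        self.per_client[src] += 1
        return "pass"

    def handshake_done(self, src):
        """The client completed the 3-way handshake or the embryonic timeout fired."""
        if self.per_client[src] > 0:
            self.per_client[src] -= 1
            self.total -= 1


def run_scenario(syn_sources, conn_max=1000, per_client_max=50):
    """Feed a sequence of SYN source IPs (none of which complete the handshake)
    and return (passed, intercepted) counts."""
    limiter = EmbryonicLimiter(conn_max, per_client_max)
    results = Counter(limiter.syn(src) for src in syn_sources)
    return results["pass"], results["intercept"]


# Constructed scenarios:
# one host sending 200 SYNs -> the per-client limit stops it after 50
SINGLE_SOURCE = ["198.51.100.7"] * 200
# 100 hosts sending 20 SYNs each (2000 total), interleaved -> no host reaches
# the per-client limit, so only the total limit protects the server
DISTRIBUTED = [f"203.0.113.{i}" for i in range(1, 101)] * 20

if __name__ == "__main__":
    print("single source  (pass, intercept):", run_scenario(SINGLE_SOURCE))
    print("distributed    (pass, intercept):", run_scenario(DISTRIBUTED))
    print("distributed, per-client 5       :", run_scenario(DISTRIBUTED, per_client_max=5))
```

The distributed case shows why a low `per-client-embryonic-max` alone is not enough: with 100 sources at 20 SYNs each, no client hits the 50 limit and 1000 half-open connections still reach the server before `embryonic-conn-max` engages, which is the situation the guide's cloud-scrubbing advice addresses.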
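The guide's first step is to determine the attack sources, and its ACL caution is that per-host blocking only scales to a handful of them. The script below is an added example (not from the original guide) that reads an ASA syslog excerpt, counts events per source for three message IDs the mitigations above produce (106023 "Deny ... by access-group", 201010 "Embryonic connection limit exceeded", 201011 "Connection limit exceeded"), and either proposes `access-list` deny lines for the noisiest sources or reports that there are too many distinct sources for ACLs to be practical. The syslog lines, IP addresses and thresholds are constructed for the example; the regular expressions assume the standard ASA message formats.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (timestamps, hostname and IPs are made up).
SAMPLE_LOG = """\
Jan 01 2024 12:00:01 asa5505 : %ASA-4-106023: Deny tcp src outside:203.0.113.10/51515 dst inside:192.0.2.5/80 by access-group "outside_in" [0x0, 0x0]
Jan 01 2024 12:00:01 asa5505 : %ASA-4-106023: Deny tcp src outside:203.0.113.10/51516 dst inside:192.0.2.5/80 by access-group "outside_in" [0x0, 0x0]
Jan 01 2024 12:00:02 asa5505 : %ASA-4-106023: Deny udp src outside:203.0.113.10/4444 dst inside:192.0.2.5/53 by access-group "outside_in" [0x0, 0x0]
Jan 01 2024 12:00:02 asa5505 : %ASA-6-201010: Embryonic connection limit exceeded 1000/1000 for input packet from 198.51.100.7/40001 to 192.0.2.5/80 on interface outside
Jan 01 2024 12:00:03 asa5505 : %ASA-6-201010: Embryonic connection limit exceeded 1000/1000 for input packet from 198.51.100.8/40002 to 192.0.2.5/80 on interface outside
Jan 01 2024 12:00:03 asa5505 : %ASA-6-201010: Embryonic connection limit exceeded 1000/1000 for input packet from 198.51.100.7/40003 to 192.0.2.5/80 on interface outside
Jan 01 2024 12:00:04 asa5505 : %ASA-3-201011: Connection limit exceeded 2000/2000 for input packet from 198.51.100.9/40004 to 192.0.2.5/80 on interface outside
Jan 01 2024 12:00:04 asa5505 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.77/50000 (192.0.2.77/50000) to inside:192.0.2.5/80 (192.0.2.5/80)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
MSG_RE = re.compile(r"%ASA-\d-(\d{6}):\s*(.*)$")
# 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group ...
DENY_RE = re.compile(r"Deny \w+ src \w+:" + IP + r"/\d+ dst \w+:" + IP + r"/(\d+)")
# 201010/201011: ... limit exceeded <n>/<limit> for <dir> packet from <ip>/<port> to <ip>/<port> ...
LIMIT_RE = re.compile(r"limit exceeded (\d+)/(\d+) for \w+ packet from " + IP + r"/\d+ to " + IP + r"/(\d+)")


def summarise(log_text):
    """Return per-source counters for ACL denies and connection-limit hits,
    plus a counter of the targeted destination ip:port pairs."""
    denied = Counter()   # source IP -> packets denied by the ACL
    limited = Counter()  # source IP -> times a connection limit was hit
    targets = Counter()  # "dst:port" -> events of either kind
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "106023":
            d = DENY_RE.search(body)
            if d:
                src, dst, dport = d.groups()
                denied[src] += 1
                targets[f"{dst}:{dport}"] += 1
        elif msg_id in ("201010", "201011"):
            l = LIMIT_RE.search(body)
            if l:
                _count, _limit, src, dst, dport = l.groups()
                limited[src] += 1
                targets[f"{dst}:{dport}"] += 1
    return {"denied": denied, "limited": limited, "targets": targets}


def acl_candidates(summary, min_events=2, max_sources=10, acl_name="outside_in"):
    """Propose per-host deny lines for sources with at least min_events hits.

    Returns an empty list when more than max_sources hosts qualify: that is
    the distributed case where per-IP ACLs do not scale and connection
    limiting or upstream scrubbing is the right tool.
    """
    sources = summary["denied"] + summary["limited"]
    noisy = [ip for ip, n in sources.most_common() if n >= min_events]
    if len(noisy) > max_sources:
        return []
    return [f"access-list {acl_name} extended deny ip host {ip} any" for ip in noisy]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("denied by ACL :", dict(s["denied"]))
    print("limit hits    :", dict(s["limited"]))
    print("targets       :", dict(s["targets"]))
    for line in acl_candidates(s) or ["(too many sources for per-host ACLs)"]:
        print(line)
```

Run it against an excerpt exported from your syslog server; the proposed lines are only a starting point, and the `max_sources` cut-off is what turns the guide's "not scalable for large DDoS attacks" caution into a concrete check.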

