Blog | G5 Cyber Security

Cisco ASA DoS Attack Logging Control

TL;DR

Yes, you can reduce logging on a Cisco ASA 5510/5520 during a Denial of Service (DoS) attack to prevent log flooding and keep the device responsive. The tools are the ASA's own syslog rate limiting (logging rate-limit, by severity level or by message ID), per-entry log suppression on access-list denies (the log disable keyword), and Modular Policy Framework (MPF) connection limits or policing that stop excess attack traffic before it becomes connections worth logging. Be aware that suppressing logs means losing valuable forensic information: note exactly which messages you suppressed and when, and keep a copy of the pre-attack configuration so the changes can be reversed.

Steps

  1. Understand the Problem: Every denied packet and every connection built or torn down can generate a syslog message, so a packet flood becomes a message flood. Generating, buffering and shipping those messages competes with packet forwarding for CPU and memory, and messages saved to flash also consume disk space. The result is performance degradation, dropped legitimate connections or, in the worst case, a crash.
  2. Check Current Logging Configuration: First, see what logging is already enabled.
    show logging
    show logging setting

    Pay attention to the logging level per destination (buffer, console, monitor, syslog server, ASDM), the buffer size, the syslog transport and any existing rate limits. Console logging is the most expensive destination and should be off on a device under load (no logging console). If you send syslog over TCP, confirm that logging permit-hostdown is set; without it the ASA stops accepting new connections whenever the TCP syslog server becomes unreachable, which an attack that fills the collector's disk can cause.

  3. Rate Limit Syslog Messages: This is the primary method for controlling log volume. The ASA rate-limits by severity level or by individual message ID, not per facility; logging facility only sets the syslog facility number (local0 to local7) stamped on messages sent to a remote server, and has no rate-limit option.
    configure terminal
    logging rate-limit 500 1 level 6
    logging rate-limit 100 1 message 106023
    show logging rate-limit

    The first line caps all level 6 (informational) messages, which include the connection build and teardown messages 302013 to 302016, at 500 per second; the second caps the ACL deny message 106023 at 100 per second. Messages beyond the cap in each one-second interval are discarded, not queued. Adjust the numbers to your normal traffic and the device's capacity: start conservatively (a lower number) and raise it if you are losing messages you need. To silence one message entirely, use no logging message 302013 (and logging message 302013 to restore it afterwards).

  4. Identify DoS Attack Traffic: You need to identify the characteristics of the attack traffic to filter it effectively. Common indicators include:
    • Source IP address(es) involved in the attack (SYN floods often use spoofed sources, so the target may be the only stable characteristic).
    • Specific ports or hosts being targeted.
    • Unusual packet sizes or flags.
    • High connection or embryonic (half-open) connection rates from a single source.

    On the ASA itself, show conn count, show conn and show local-host reveal who holds the most connections, show logging | include 106023 shows recent denies in the buffer, and if threat detection statistics are enabled, show threat-detection statistics top access-list and show threat-detection statistics host rank the noisiest sources. For packet-level detail, take a capture on the box (capture DOS interface outside match tcp any any eq 80) and copy it to a workstation for Wireshark or tcpdump.

  5. Create Class Maps: An ASA Layer 3/4 class map matches traffic by access list, port, DSCP or similar; the class-map type inspect and match ip address forms in the original are IOS zone-based firewall syntax and are rejected by the ASA. The ACL here is only a match criterion: its entries are permit statements (deny entries are simply not matched) and it is never bound to an interface with access-group.
    configure terminal
    access-list ACL_DOS_Attack extended permit tcp any host SERVER_IP eq 80
    class-map DOS_Attack_Traffic
     match access-list ACL_DOS_Attack

    Replace SERVER_IP with the attacked host and 80 with the attacked port. Match on the target rather than the attacker when source addresses are spoofed or churning.

  6. Create Policy Maps: Attach actions to the matched traffic. A Layer 3/4 ASA policy map has no drop log brief action (that syntax belongs to IOS zone-based firewalls and to ASA inspection policy maps); what it can do is cap connections and police bandwidth. The set connection limits are the ones that matter for a DoS: once the embryonic (half-open) limit is reached, the ASA's TCP Intercept answers further SYNs on behalf of the server and only passes on clients that complete the handshake, which absorbs SYN floods without a built-connection message for every SYN.
    configure terminal
    policy-map DOS_Attack_Policy
     class DOS_Attack_Traffic
      set connection conn-max 10000 embryonic-conn-max 1000 per-client-max 200 per-client-embryonic-max 30
      police input 2000000 250000 conform-action transmit exceed-action drop

    The police line limits the matched traffic to 2 Mbit/s with a 250,000-byte burst and drops anything beyond it; policed drops still cost CPU to classify, so prefer an interface ACL (step 9) once the sources are known. Tune the limits to the server's real capacity, and remember that too low a per-client-max locks out legitimate networks that sit behind a single NAT address.

  7. Apply Policy Map to Interface: Bind the policy to the interface receiving the attack, using its nameif rather than the physical interface name (on a 5510 the outside port is typically Ethernet0/0 and on a 5520 GigabitEthernet0/0, but service-policy only accepts the name given with nameif).
    configure terminal
    service-policy DOS_Attack_Policy interface outside
    show service-policy interface outside

    Replace outside with the nameif of the appropriate interface. An interface can carry only one service policy: if one is already bound there (show run service-policy), add the DOS_Attack_Traffic class to that existing policy map instead. An interface policy takes precedence over the global policy (service-policy global_policy global) for the traffic it matches.

  8. Monitor and Adjust: After applying the configuration, monitor the ASA's CPU usage, memory utilization, connection count and log volume.
    • If the attack continues to overwhelm the device, lower the rate limits further or tighten the class map/policy map.
    • If legitimate traffic is being blocked, adjust the ACL in your class map or raise the per-client limits.

    The IOS commands show process cpu and show memory statistics do not exist on the ASA. Use show cpu usage and show memory for resources, show conn count for connection pressure, show service-policy interface outside for per-class hits and drops, and show logging queue to see how many messages the logging queue has had to discard.

  9. Consider Access Lists (ACLs): Once the sources are known, a deny entry at the top of the inbound ACL on the attacked interface is the cheapest block, because the ASA discards the packet before building any state. Two details matter: ip cannot take a port operator (only tcp and udp can, so the original deny ip ... eq 80 is rejected by the parser), and the deny itself must not become the new log flood, which log disable prevents for that entry.
    configure terminal
    access-list OUTSIDE_IN line 1 extended deny tcp host ATTACKER_IP any eq 80 log disable
    access-group OUTSIDE_IN in interface outside

    Replace OUTSIDE_IN with the ACL already applied inbound on the outside interface (show run access-group), ATTACKER_IP with the attacker's address and 80 with the targeted port; line 1 places the deny ahead of the existing permits. If no ACL is bound yet, remember the implicit deny at the end of a new one and add the permits your legitimate traffic needs before binding it. For entries that keep the log keyword, access-list deny-flow-max caps how many denied flows the ASA tracks at once and access-list alert-interval spaces out the 106101 warnings it emits when that cap is reached.

  10. Temporary vs. Permanent Rules: Be cautious about making ACL rules permanent. DoS attacks often use spoofed or rapidly changing source IPs, so a list of addresses blocked today is mostly stale tomorrow and only bloats the ACL. Keep a record of every emergency entry so it can be removed exactly (no access-list OUTSIDE_IN extended deny tcp host ATTACKER_IP any eq 80 log disable), hold off on write memory until the attack is over and you have decided what to keep, and consider shun ATTACKER_IP for per-source blocks: a shun drops all packets from that address immediately, is not written to the configuration, and is cleared with no shun ATTACKER_IP (show shun lists the active ones).
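To make the identify-then-block loop of steps 4, 9 and 10 concrete, here is an added Python example written for this post (it is not code from the original page or from Cisco). It parses a constructed sample of ASA syslog, ranks sources by syslog events per second, and emits the temporary ACEs with log disable plus the exact no commands that roll them back. It assumes logging timestamp is enabled on the ASA, that the collector preserved the %ASA-level-id prefix, and that OUTSIDE_IN (the inbound ACL on the outside interface), port 80 and the 3 events/s threshold are placeholders to replace with your own.

```python
"""Rank source IPs in Cisco ASA syslog and emit temporary, reversible blocks.

Added example for this post (not the page's or Cisco's code). Assumes
`logging timestamp` is enabled and the collector kept the %ASA-level-id
prefix. OUTSIDE_IN (inbound ACL on the outside interface) and port 80 are
placeholders for your own names.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample, not a real capture: 203.0.113.5 floods port 80 while
# 198.51.100.77 is an ordinary client that opens and closes one connection.
SAMPLE_LOG = """\
Mar 10 2024 14:02:01: %ASA-6-302013: Built inbound TCP connection 9001 for outside:203.0.113.5/40001 (203.0.113.5/40001) to inside:192.0.2.10/80 (198.51.100.10/80)
Mar 10 2024 14:02:01: %ASA-6-302013: Built inbound TCP connection 9002 for outside:203.0.113.5/40002 (203.0.113.5/40002) to inside:192.0.2.10/80 (198.51.100.10/80)
Mar 10 2024 14:02:01: %ASA-6-302013: Built inbound TCP connection 9003 for outside:198.51.100.77/50001 (198.51.100.77/50001) to inside:192.0.2.10/80 (198.51.100.10/80)
Mar 10 2024 14:02:02: %ASA-4-106023: Deny tcp src outside:203.0.113.5/40003 dst inside:192.0.2.10/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 2024 14:02:02: %ASA-4-106023: Deny tcp src outside:203.0.113.5/40004 dst inside:192.0.2.10/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 2024 14:02:02: %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/40005 to 192.0.2.10/80 flags SYN ACK on interface outside
Mar 10 2024 14:02:03: %ASA-6-302013: Built inbound TCP connection 9004 for outside:203.0.113.5/40006 (203.0.113.5/40006) to inside:192.0.2.10/80 (198.51.100.10/80)
Mar 10 2024 14:02:03: %ASA-6-302013: Built inbound TCP connection 9005 for outside:203.0.113.5/40007 (203.0.113.5/40007) to inside:192.0.2.10/80 (198.51.100.10/80)
Mar 10 2024 14:02:03: %ASA-6-302014: Teardown TCP connection 9003 for outside:198.51.100.77/50001 to inside:192.0.2.10/80 duration 0:00:02 bytes 1240 TCP FINs
Mar 10 2024 14:02:03: %ASA-6-302013: Built inbound TCP connection 9006 for outside:203.0.113.5/40008 (203.0.113.5/40008) to inside:192.0.2.10/80 (198.51.100.10/80)
"""

# "Mon DD YYYY HH:MM:SS: %ASA-<sev>-<id>: <body>", the shape `logging timestamp` produces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}):? %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$"
)
IP = r"\d+(?:\.\d+){3}"
# Per-message-ID extraction of ingress interface, source, destination and port.
BODY_RE = {
    "302013": re.compile(rf"for (?P<iface>\w+):(?P<src>{IP})/\d+ .*?to \w+:(?P<dst>{IP})/(?P<dport>\d+)"),
    "106023": re.compile(rf"src (?P<iface>\w+):(?P<src>{IP})/\d+ dst \w+:(?P<dst>{IP})/(?P<dport>\d+)"),
    "106015": re.compile(rf"from (?P<src>{IP})/\d+ to (?P<dst>{IP})/(?P<dport>\d+) .*on interface (?P<iface>\w+)"),
}
BODY_RE["302014"] = BODY_RE["302013"]   # teardown has the same "for iface:src/port ... to" shape


def parse_asa_log(text):
    """Return one dict per recognised line: ts, id, iface, src, dst, dport."""
    events = []
    for line in text.splitlines():
        head = LINE_RE.match(line)
        body = head and BODY_RE.get(head["id"])
        hit = body and body.search(head["body"])
        if not hit:
            continue   # unrelated message ID, or a line the collector mangled
        events.append({"ts": datetime.strptime(head["ts"], "%b %d %Y %H:%M:%S"),
                       "id": head["id"], "iface": hit["iface"], "src": hit["src"],
                       "dst": hit["dst"], "dport": int(hit["dport"])})
    return events


def rate_per_source(events, ingress="outside"):
    """Syslog events per second per source entering `ingress`, over the sample's time span."""
    hits = [e for e in events if e["iface"] == ingress]
    if not hits:
        return {}
    span = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    span = max(span, 1.0)   # timestamps have one-second resolution; never divide by zero
    return {src: n / span for src, n in Counter(e["src"] for e in hits).items()}


def find_attackers(events, threshold, ingress="outside"):
    """Sources at or above `threshold` events/s, noisiest first."""
    rates = rate_per_source(events, ingress)
    return sorted(((s, r) for s, r in rates.items() if r >= threshold), key=lambda x: -x[1])


def build_block_config(attackers, acl="OUTSIDE_IN", dport=80, msg_rate=100):
    """ACEs inserted at the top of the inbound ACL (log disable, so the block does not
    become its own log flood) plus per-message syslog rate limits."""
    cfg = [f"access-list {acl} line 1 extended deny tcp host {src} any eq {dport} log disable"
           for src, _ in attackers]
    cfg += [f"logging rate-limit {msg_rate} 1 message 106023",
            f"logging rate-limit {msg_rate} 1 message 302013"]
    return cfg


def build_rollback(attackers, acl="OUTSIDE_IN", dport=80):
    """Exact negations of build_block_config, to apply once the attack subsides."""
    cfg = [f"no access-list {acl} extended deny tcp host {src} any eq {dport} log disable"
           for src, _ in attackers]
    cfg += ["no logging rate-limit message 106023", "no logging rate-limit message 302013"]
    return cfg


if __name__ == "__main__":
    attackers = find_attackers(parse_asa_log(SAMPLE_LOG), threshold=3.0)
    for src, rate in attackers:
        print(f"{src}: {rate:.1f} events/s")
    print("\n".join(build_block_config(attackers)), "!", "\n".join(build_rollback(attackers)), sep="\n")
```

Point it at a real export by replacing SAMPLE_LOG with the file contents; the threshold should be set from a baseline of normal per-source rates, not guessed, and the rollback list is worth saving alongside the change ticket so the emergency entries can be removed exactly rather than left to bloat the ACL.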

Important Considerations
