[c-nsp] ASA questions
Mike Butash
der.mikus at gmail.com
Thu Jul 3 13:03:20 EDT 2008
If it's a major DoS or DDoS, look at the Cisco Anomaly
Detection/Mitigation appliances they borg'd from Riverhead a few years
ago. When we began undergoing nightly DDoSes from millions of sources
of several hundred meg and up to several gigs, they were a godsend to
actually allow us to combat attacks effectively. They have their
quirks, but they also work wonders for removing illegitimate traffic off
the network. Maybe also recommend Prolexic.com services... Might be
cheaper in the long run, and they are quite effective in doing about the
same service the anomaly mitigation appliances provide.
ASAs will allow for some basic protection as Peter stated, but they
won't do much for intelligent attacks, which most botnets allow for
push-button nuking of any network with somewhat decently emulated floods
of traffic. Once you can dump out the flood of crap thrown at you, an
average 5520 or whatever your "normal" traffic requires will suffice.
-mb
Peter Rathlev wrote:
> Hi Skeeve,
>
> On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote:
>> I am looking for an ASA with the primary use being to stop DDoS attacks
>> which one of my customers is getting slammed with.
>>
>> Need at least a couple of hundred meg throughput.. Preferably in transparent
>> mode.
>>
>> Couple of questions:
>> - Is an SSM needed to do DoS protection?
>
> The ASA code can protect against things like SYN flood (embryonic and
> half-open connection limits) and you can do rate limiting. If you need
> more advanced (e.g. signature based) protection, you'd need something
> like the AIP-SSM. But the ASA does a good job on its own.
>
>> - The 5550 can't take an SSM?
>
> No, the 5550 can't take an SSM, since the slot is already taken by a 4
> port GigabitEthernet module, which cannot be removed.
>
>> - Is the transparent protection functional in dot1q VLAN's? (If I want
>> to run multiple carriers into a switch then into the ASA and back out)
>
> Yes, you can run multiple transparent firewall interface pairs,
> filtering each pair separately, if that is what you mean.
>
> Regards,
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
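The SYN-flood protection Peter refers to (embryonic/half-open connection limits plus rate limiting) is configured on the ASA through the Modular Policy Framework. The configuration below is an added illustration for readers of this thread; it is not from either poster and not a Cisco-supplied sample. The ACL and class names, the 192.0.2.10 server address, the interface name "outside" and every numeric limit are constructed values that would have to be tuned against the customer's real traffic baseline. Syntax follows ASA 7.x/8.0 software.

```cisco
! Identify the traffic to guard: TCP toward the customer's web server
! (192.0.2.10 is a constructed documentation address).
access-list PROTECTED_SERVERS extended permit tcp any host 192.0.2.10 eq www
access-list PROTECTED_SERVERS extended permit tcp any host 192.0.2.10 eq https

class-map PROTECTED_SERVERS_TCP
 match access-list PROTECTED_SERVERS

! The global policy applies on every interface. The limits act on the
! connections the ASA tracks, so a SYN flood is capped before it fills
! the server's listen backlog.
policy-map global_policy
 class PROTECTED_SERVERS_TCP
  ! Aggregate ceilings for this class (constructed numbers):
  !   conn-max           = total established connections
  !   embryonic-conn-max = total half-open (SYN seen, no final ACK)
  !                        connections; above this the ASA answers the
  !                        SYN itself and only opens the connection to
  !                        the server for clients that complete the
  !                        handshake
  set connection conn-max 20000 embryonic-conn-max 2000
  ! Per-source ceilings catch one host, or a few, opening many
  ! half-open connections without reaching the aggregate limit.
  set connection per-client-max 200 per-client-embryonic-max 20
  ! Randomise outbound initial sequence numbers so predictable ISNs on
  ! the protected host can't be used to spoof sessions through the ASA.
  set connection random-sequence-number enable
  ! Expire half-open connections faster than the 30 s default.
  set connection timeout embryonic 0:00:15

service-policy global_policy global

! Rate limiting (policing) can only be attached per interface, not in the
! global policy. Cap the matched class at 50 Mbit/s with a 100 000-byte
! burst on the outside interface ("police" takes bits/s, then bytes).
policy-map OUTSIDE_POLICY
 class PROTECTED_SERVERS_TCP
  police input 50000000 100000

service-policy OUTSIDE_POLICY interface outside

! Verification on the ASA once traffic is flowing:
!   show service-policy global            (per-class conn/embryonic drops)
!   show service-policy interface outside police
!   show conn count
```

The embryonic limits are the part that matters for a SYN flood: spoofed sources never finish the handshake, so once the threshold is crossed the ASA absorbs them and the server only sees connections from clients that answered the SYN-ACK. The per-client limits do nothing against a flood from millions of distinct sources, which is why Mike's reply points to a dedicated anomaly-mitigation appliance or a scrubbing service for that case. Watch the "show service-policy" drop counters after setting limits; a threshold set below the legitimate peak will drop real customer connections just as readily as attack traffic.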