Networks Training

How to block HTTP DDoS Attack with Cisco ASA Firewall

Denial of Service attacks (DoS) are very common these days. Especially Distributed DoS attacks (called also DDoS) can be executed quite easily by attackers who own large networks of BotNets. Thousands of malware-infected computers (which comprise the so called “BotNets”) are controlled by attackers and can be instructed to start attacks at any target.

Usually WebSites are targeted more frequently. Bringing down a website can have a negative effect to the image (in addition to any financial loss) of the company owing the site. A DDoS attack can be purely “volumetric”, which means that the attacker just sends high volume of packets as quickly as possible to flood the bandwidth of the “pipe” connecting the website to the Internet. Also, DDoS attacks can be “Application Resource Exhaustion” which means that the attacking computers create thousands of application requests (e.g HTTP Requests) to a server, thus consuming the application resources.

A Cisco ASA Firewall can not help much in a “volumetric” DDoS attack. In such an attack, a dedicated DDoS device is needed or your ISP must do some kind of rate limiting to mitigate the attack. However, for “Application Exhaustion” attacks a Cisco ASA can help to some extend with HTTP inspection using the Modular Policy Framework mechanism of ASA. This is what we are going to describe in this article.

MORE READING:  Cisco ASA 5510

Usually, HTTP Application DDoS attacks have a pattern or string which helps you distinguish the attacking HTTP requests from other legitimate requests. For example, HTTP attacking packets might have a common parameter or string, which can be for example the same “User-Agent” used by the attacking script, a common POST or GET URI request, some other HTTP header parameters etc. With the ASA HTTP inspection feature you can match on this common pattern in the HTTP packet thus filter-out the attacking packets and drop them.

Recently I was engaged to help mitigate a DDoS attack on a webserver. I observed from the Apache logs that the attacking HTTP requests were all targeting the website on the same URL string, such as http://www.website.com/xyz123.  The string “xyz123” was the common pattern for all malicious HTTP requests. Thus with a policy on ASA you can match on the unique string above and drop the packets that have this string in the HTTP URI.

MORE READING:  Cisco ASA 5540

Lets see a diagram and configuration below:

asa ddos http protection

ASA Configuration:

!First create a regular expression with the unique attack string
regex attackstring xyz123

!Create an ACL to match the HTTP traffic towards the target server
access-list HTTPTRAFFIC extended permit tcp any host 1.1.1.1 eq www

!Create a regular L3/L4 class to match the traffic above
class-map attackingtraffic
 match access-list HTTPTRAFFIC

!Now create an HTTP inspection policy to match on the unique attacking string
policy-map type inspect http HTTPDOS
 parameters
 match request uri regex attackstring
  drop-connection
 match request args regex attackstring
  drop-connection

!The following policy-map will include the L3/L4 class which will include the HTTP inspection policy
policy-map BLOCKDOS
 class attackingtraffic
  inspect http HTTPDOS

!Now attach the policy-map to the ASA outside interface to inspect Inbound traffic.
service-policy BLOCKDOS interface outside

If you enable logging on the drop-connection command (use “drop-connection log“), then you will start seeing logs that the ASA is dropping packets with the matched attacking HTTP string.

Filed Under: Cisco ASA General

Download Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls


By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.












Comments

  1. Hi,

    I really appreciate such a nice article.

    + What do you think a attacker can change the string? If the attacker change the string then its mean ASA would not help us on this regards.

    + What do you think if the attacker packets size more than 500 MB – 1 GB then ASA can handle this?

    Harris please answer these because i haven’t much experience on DDOS mitigation.

    Saeed

  2. Saeed,

    If the attacker changes the string, then you can find other HTTP parameters to match on. For example, some times the “user-agent” used in the HTTP header from the attacking scripts is usually the same and looks different from the normal user-agents used from legitimate browsers (such as IE, Mozilla etc). Remember that DDoS attacks coming from BotNets use the same malware script running on infected computers. A Command-and-Control server gives instructions to the infected computers to start an attack. Since they all have the same attacking script, they all use the same HTTP communication and behavior.

    If the attack is volumetric (as you say 500MB – 1GB) then ASA can not help.

  4. Ry,

    In my workplace we are using Arbor Networks devices which are dedicated for DDoS attacks (both volumetric and application level attacks can be mitigated). They are kind of expensive but they are really good.

  7. Hi Harris,

    you said that we can not stop volumetric attack on ASA.
    “If the attack is volumetric (as you say 500MB – 1GB) then ASA can not help.”

    but in case of DNS flood attack we mitigate the volumetric attack using ASA by using modular policy framwork.
    by setting up embryonic connection . what do you say about this. and if you have any suggession then let me kknow if i am wrong.

    Thanks,
    Sujit Singh

  8. Hi Harris,

    you said that we can not stop volumetric attack on ASA.

    but in case of DNS flood attack we mitigate the volumetric attack using ASA by using modular policy framwork.
    by setting up embryonic connection . what do you say about this. and if you have any suggession then let me kknow if i am wrong.

    Thanks,
    Sujit Singh

  9. When I say volumetric attack I mean an attack with high traffic that fills up the whole “pipe”. This attack can not be mitigated by the ASA. If the DNS flood attack does not fill up the whole network connection then it can be mitigated.

  12. Hello Harris,

    no problem

    we have attacks using GET and POST

    using for example xyzattack(

    using this tutorial, replacing attackstring to xyzattack(

    will deny access using GET and POST ?

    Thanks,

  13. apologise, and if a have multiples attackstrings, how i can add all strings on the system to deny access ?

  14. The configuration described in this article matches only GET requests with strings appearing in the URL. For matching POST request with strings appearing in the Body of the HTTP then you must change the “match” command to “match request method post”.

    Also for attacks that use multiple strings you will need to do some regular expression matching (not easy). It all depends to the actual situation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to amazon.com, amazon.co.uk , amazon.de, amazon.it, amazon.es and affiliated sites.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING