How to Block HTTP DDoS Attack with Cisco ASA Firewall

Written By Harris Andrea

Denial of Service (DoS) attacks are very common these days. Distributed DoS attacks (DDoS) in particular can be launched quite easily by attackers who control large botnets.

Thousands of malware-infected computers (which make up the so-called “botnets”) are controlled by attackers and can be instructed to attack any target.

Websites are the most frequent targets. Bringing down a website damages the image of the company owning the site, in addition to any financial loss.

A DDoS attack can be purely “volumetric”, which means that the attacker simply sends a high volume of packets as quickly as possible to flood the bandwidth of the “pipe” connecting the website to the Internet.

DDoS attacks can also be “Application Resource Exhaustion” attacks, in which the attacking computers create thousands of application requests (e.g. HTTP requests) to a server, consuming the application's resources.

A Cisco ASA Firewall cannot help much in a “volumetric” DDoS attack. Against such an attack, a dedicated DDoS mitigation device is needed, or your ISP must apply some kind of rate limiting upstream.

However, for “Application Exhaustion” attacks a Cisco ASA can help to some extent with HTTP inspection using its Modular Policy Framework (MPF). This is what we are going to describe in this article.

Usually, HTTP application DDoS attacks have a pattern or string that helps you distinguish the attacking HTTP requests from legitimate requests.

For example, the attacking HTTP packets might share a common parameter or string: the same “User-Agent” used by the attacking script, a common POST or GET URI, some other HTTP header value, etc.

With the ASA HTTP inspection feature you can match on this common pattern in the HTTP packet and thus filter out the attacking packets and drop them.

Recently I was engaged to help mitigate a DDoS attack on a web server. I observed from the Apache logs that the attacking HTTP requests were all targeting the website on the same URL string, such as http://www.website.com/xyz123.

The string “xyz123” was the common pattern in all malicious HTTP requests. Thus, with a policy on the ASA you can match on this unique string and drop the packets that carry it in the HTTP URI.

Let's see a diagram and the configuration below:

[Diagram: ASA DDoS HTTP protection]

ASA Configuration:

!First create a regular expression with the unique attack string
regex attackstring xyz123

!Create an ACL to match the HTTP traffic towards the target server
access-list HTTPTRAFFIC extended permit tcp any host 1.1.1.1 eq www

!Create a regular L3/L4 class to match the traffic above
class-map attackingtraffic
 match access-list HTTPTRAFFIC

!Now create an HTTP inspection policy to match on the unique attacking string
policy-map type inspect http HTTPDOS
 parameters
 match request uri regex attackstring
  drop-connection
 match request args regex attackstring
  drop-connection

!The following policy-map will include the L3/L4 class which will include the HTTP inspection policy
policy-map BLOCKDOS
 class attackingtraffic
  inspect http HTTPDOS

!Now attach the policy-map to the ASA outside interface to inspect Inbound traffic.
service-policy BLOCKDOS interface outside

If you enable logging on the drop-connection command (use “drop-connection log”), the ASA will start logging the connections it drops because they matched the attacking HTTP string.
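As an added example (not from the article), here is a Python script that does offline what the author did by hand: it parses Apache combined-format log lines, surfaces the URI and User-Agent values shared by the flood, dry-runs the candidate pattern against the log so you can confirm it catches the attack requests and none of the legitimate ones, and renders the article's MPF configuration with that pattern. The log lines are constructed, and the ASA regex escaping rule is an assumption.

```python
import re
from collections import Counter

# Constructed Apache combined-log sample (not from the article): two legitimate requests
# and a flood in which every request hits the same URI, as the article describes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:19:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
198.51.100.7 - - [10/Oct/2012:19:00:02 +0000] "GET /xyz123 HTTP/1.1" 200 0 "-" "attackbot/1.0"
198.51.100.8 - - [10/Oct/2012:19:00:02 +0000] "GET /xyz123 HTTP/1.1" 200 0 "-" "attackbot/1.0"
203.0.113.9 - - [10/Oct/2012:19:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Chrome/22.0"
198.51.100.9 - - [10/Oct/2012:19:00:03 +0000] "POST /xyz123 HTTP/1.1" 200 0 "-" "attackbot/1.0"
198.51.100.10 - - [10/Oct/2012:19:00:04 +0000] "GET /xyz123?a=1 HTTP/1.1" 200 0 "-" "attackbot/1.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LOG_RE.match(line))]

def top_values(entries, field, n=3):
    """Most common values of a field (uri, ua, ip): the string shared by the flood shows up here."""
    return Counter(e[field] for e in entries).most_common(n)

def asa_regex_literal(text):
    """Escape a literal for the ASA 'regex' command. Assumption: ASA regex treats
    . * + ? ^ $ ( ) [ ] | { } \\ as metacharacters, each escaped with a backslash."""
    return re.sub(r'([.*+?^$()\[\]|{}\\])', r'\\\1', text)

def check_candidate(entries, pattern):
    """Dry-run the pattern against the log before deploying: (matched, unmatched, matched source IPs).
    Unmatched flood lines or matched legitimate lines mean the pattern needs more work."""
    rx = re.compile(pattern)
    hits = [e for e in entries if rx.search(e["uri"])]
    return len(hits), len(entries) - len(hits), sorted({e["ip"] for e in hits})

def asa_config(regex_name, pattern, server_ip):
    """Render the article's MPF configuration (with drop-connection logging) for the chosen pattern."""
    return "\n".join([
        f"regex {regex_name} {pattern}",
        f"access-list HTTPTRAFFIC extended permit tcp any host {server_ip} eq www",
        "class-map attackingtraffic", " match access-list HTTPTRAFFIC",
        "policy-map type inspect http HTTPDOS", " parameters",
        f" match request uri regex {regex_name}", "  drop-connection log",
        f" match request args regex {regex_name}", "  drop-connection log",
        "policy-map BLOCKDOS", " class attackingtraffic", "  inspect http HTTPDOS",
        "service-policy BLOCKDOS interface outside",
    ])

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("top URIs:", top_values(entries, "uri"))
    pattern = asa_regex_literal("xyz123")
    print("dry run (matched, unmatched, ips):", check_candidate(entries, pattern))
    print(asa_config("attackstring", pattern, "1.1.1.1"))
```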

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Saeed says

    October 10, 2012 at 7:12 pm

    Hi,

    I really appreciate such a nice article.

    + What do you think, can an attacker change the string? If the attacker changes the string then it means the ASA would not help us in this regard.

    + What do you think if the attacker's packet size is more than 500 MB – 1 GB, can the ASA handle this?

    Harris, please answer these because I haven't much experience in DDoS mitigation.

    Saeed

  2. BlogAdmin says

    October 10, 2012 at 7:46 pm

    Saeed,

    If the attacker changes the string, then you can find other HTTP parameters to match on. For example, sometimes the “user-agent” in the HTTP header from the attacking scripts is the same and looks different from the normal user-agents used by legitimate browsers (such as IE, Mozilla, etc.). Remember that DDoS attacks coming from botnets use the same malware script running on infected computers. A Command-and-Control server gives instructions to the infected computers to start an attack. Since they all have the same attacking script, they all use the same HTTP communication and behavior.

    If the attack is volumetric (as you say 500 MB – 1 GB) then the ASA cannot help.

  3. Ry says

    January 7, 2014 at 4:42 am

    Hi Admin,

    What device can actually mitigate a volumetric DDoS attack?

    Please help.

    Thanks

  4. BlogAdmin says

    January 7, 2014 at 5:09 pm

    Ry,

    In my workplace we are using Arbor Networks devices which are dedicated for DDoS attacks (both volumetric and application level attacks can be mitigated). They are kind of expensive but they are really good.

  5. Mark says

    June 8, 2017 at 8:49 pm

    Worked great. Thanks!

  6. Harris Andrea says

    June 9, 2017 at 5:29 am

    I’m glad I helped Mark. Have a great day

    Harris

  7. SUJIT SINGH says

    December 24, 2017 at 6:43 pm

    Hi Harris,

    You said that we cannot stop a volumetric attack on the ASA.
    “If the attack is volumetric (as you say 500MB – 1GB) then ASA can not help.”

    But in the case of a DNS flood attack we mitigate the volumetric attack using the ASA by using the Modular Policy Framework,
    by setting up embryonic connections. What do you say about this? And if you have any suggestion then let me know if I am wrong.

    Thanks,
    Sujit Singh

  8. SUJIT SINGH says

    December 24, 2017 at 6:49 pm

    Hi Harris,

    You said that we cannot stop a volumetric attack on the ASA.

    But in the case of a DNS flood attack we mitigate the volumetric attack using the ASA by using the Modular Policy Framework,
    by setting up embryonic connections. What do you say about this? And if you have any suggestion then let me know if I am wrong.

    Thanks,
    Sujit Singh

  9. Harris Andrea says

    December 26, 2017 at 1:14 pm

    When I say volumetric attack I mean an attack with high traffic that fills up the whole “pipe”. This attack cannot be mitigated by the ASA. If the DNS flood attack does not fill up the whole network connection then it can be mitigated.

  10. rodrigo araujo says

    April 24, 2018 at 4:53 pm

    Hi Harris,

    How can I do this using ASDM?

    thanks

  11. Harris Andrea says

    April 25, 2018 at 5:06 am

    Sorry Rodrigo, I don’t use ASDM :)

  12. Rodrigo says

    April 26, 2018 at 6:29 pm

    Hello Harris,

    no problem

    We have attacks using GET and POST,

    using for example xyzattack(

    Using this tutorial, replacing attackstring with xyzattack(,

    will it deny access using GET and POST?

    Thanks,

  13. Rodrigo says

    April 26, 2018 at 6:32 pm

    Apologies, and if I have multiple attack strings, how can I add all the strings on the system to deny access?

  14. Harris Andrea says

    April 27, 2018 at 4:20 am

    The configuration described in this article matches only GET requests with strings appearing in the URL. For matching POST requests with strings appearing in the body of the HTTP request you must change the “match” command to “match request method post”.

    Also, for attacks that use multiple strings you will need to do some regular expression matching (not easy). It all depends on the actual situation.
