Security Forums
Blocking DOS - IP Spoofing Attacks - Help!

Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security
Just Arrived
Joined: 12 Aug 2010
Posts: 0

Posted: Thu Aug 12, 2010 9:10 pm    Post subject: Blocking DOS - IP Spoofing Attacks - Help!

I have a small network using a Cisco ASA5505 and a block of dedicated IPs from Time Warner. We have 3 external facing IP addresses using NAT on the ASA to allow traffic to and from our Exchange Server and web sites. Recently we have noticed our ASA is locking up, thus causing internet traffic to stop until the ASA is reset. In addition to this we have noticed our AD-DC is receiving authentication requests from someone trying to log in using random login names to our Domain. So far they have not been successful in gaining access to our servers, but they are causing issues with the server and ASA having to respond to their requests.

I have checked the IPs that are logged in Event Viewer on the Domain Controller and they are spoofed IPs from sites in other countries. The majority of the attempts come from an IP address of a web site in China which turned out to be a Jingju Opera site. We have also received attempts from IPs that are registered to organizations in the Soviet Union that are hosted by a company called RIPE.

Does anyone have any ideas for how I can block this traffic and stop the attacks? If they are attempting the login to the DC it's safe to assume they have made it past the firewall and are probably using an HTTP port to gain access, correct?

Trusted SF Member
Joined: 04 Jan 2003
Posts: 0
Location: WI, USA

Posted: Fri Aug 27, 2010 10:47 pm

Is your domain controller accessible from the Internet in any way? That is, on the ASA are there any statics and access control entries (ACEs) in an access control list (ACL) that allow traffic from the outside to the inside destined for the inside IP of your domain controller?

If so, evaluate the need to expose your domain controller to the Internet.

If not, then it is definitely possible that a compromised host on the inside is attempting to gain access to the domain controller using a spoofed IP.

On the firewall:

Your firewall is a good place to prevent outsiders getting in. However, application layer protocols like HTTP carry a lot of nasties to infect and exploit clients which then are on the inside. To protect the inside you have to protect your layer 2 network as well. This will require a switch worthy of the task. In small businesses that care about this sort of thing the Catalyst 2960 is the entry level. The "Cisco for Small Business" Switches are GUI only and work sub-par compared to Catalyst switches at the access layer.

On Layer 2 Network:

  • Enable DHCP Snooping
  • Enable IP Source Guard
  • Enable Dynamic ARP inspection
  • Enable Port-Security (be careful here)

On the hosts:

  • Patch Management
  • Solid Anti-Malware (Sunbelt VIPRE is second to none, not to start a holy A/V war)
  • Host level firewalls can be used.

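The four Layer 2 items listed in the reply above, written out as an added Catalyst 2960 configuration example. This is not the poster's configuration; the topology is constructed for illustration (VLAN 10 as the user LAN, GigabitEthernet0/1 as the uplink towards the ASA and the DHCP server, FastEthernet0/1-24 as user access ports), and feature names should be checked against the IOS image actually running on the switch.

```cisco
! Added example, not from the thread. Assumed topology (constructed):
!   VLAN 10        = user LAN
!   Gi0/1          = uplink towards the ASA and the DHCP server (trusted)
!   Fa0/1 - Fa0/24 = user access ports (untrusted)
! Catalyst 2960 IOS syntax; verify feature names against your own image.
!
! 1. DHCP snooping: builds the IP-to-MAC-to-port binding table that the
!    next two features rely on, and drops DHCP server replies on untrusted ports.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection: drops ARP packets that do not match the
!    snooping bindings, so a host cannot answer for the gateway's IP.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink to ASA / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 24
 description User access ports
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! 3. IP Source Guard: a port may only send IP traffic from the address the
 !    snooping table bound to it; frames with a spoofed source IP are dropped.
 ip verify source
 ! 4. Port security: at most two MAC addresses per port; a third is dropped
 !    and logged (restrict) rather than shutting the port down (shutdown).
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification after deployment:
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
!   show ip verify source
!   show port-security interface FastEthernet0/1
```

The "be careful" caveat from the reply applies to IP Source Guard as much as to port security: hosts with static addresses (servers, printers) never appear in the DHCP snooping binding table, so they lose connectivity once `ip verify source` is enabled unless a static binding is added for them with `ip source binding <mac> vlan 10 <ip> interface <port>`. Deploy on a single port range first and watch the `show` output before rolling it out switch-wide.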

SF Mod
Joined: 08 Jun 2006
Posts: 16777209

Posted: Mon Aug 30, 2010 6:00 pm

If RDP is required, only allow the network you actually use. You can find the network using whois to determine which network blocks you and your coworkers come from. So no more login attempts from Russia and China.

Update the image on the ASA, because several DoS have been released. Read the Cisco advisories about that.

I think they are not spoofing the IP addresses, they are actually coming from all over the place because they have a botnet and are relaying the connections through the bots.

Why is your domain controller exposed to the internet?
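The two firewall-side points raised in the thread, the earlier question of whether any static or ACE exposes the domain controller and the advice above to permit RDP only from the network you actually use, as one added ASA configuration example. This is not the poster's configuration: the addresses are RFC 5737 documentation ranges chosen for the example, the object and ACL names are assumptions, and the syntax is the ASA 8.3 and later style in which ACLs reference the real inside address through a network object (pre-8.3 images reference the mapped address instead).

```cisco
! Added example, not from the thread. ASA 8.3+ syntax. Constructed addresses:
!   192.168.1.10    inside RDP server      203.0.113.5  its public (mapped) address
!   192.168.1.20    domain controller (inside only; must not appear in any outside ACE)
!   198.51.100.0/24 the only network staff connect from (found with whois)
!
object network RDP-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.5
!
! Weak (shown commented out): any Internet host may attempt RDP logins.
! access-list OUTSIDE_IN extended permit tcp any object RDP-SERVER eq 3389
!
! Corrected: permit only the staff network, then explicitly deny and log the rest.
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 object RDP-SERVER eq 3389
access-list OUTSIDE_IN extended deny tcp any object RDP-SERVER eq 3389 log
access-group OUTSIDE_IN in interface outside
!
! Checks. Is the domain controller reachable from outside at all?
!   show running-config nat | include 192.168.1.20
!   show running-config access-list | include 192.168.1.20
! Both should print nothing. Then confirm hit counts land on the new ACEs:
!   show access-list OUTSIDE_IN
! And compare the running image against the current Cisco ASA advisories:
!   show version | include Software Version
```

The explicit deny with `log` is what turns the blocked login attempts into syslog records, so the hit count on that ACE and the firewall log, rather than the domain controller's Security event log, become the place to watch the attempts from. If the DC keeps receiving them after this change, the reply earlier in the thread applies: the traffic is reaching it from the inside, not through the ASA.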