Posted: Thu Aug 12, 2010 9:10 pm Post subject: Blocking DOS - IP Spoofing Attacks - Help!
I have a small network using a Cisco ASA5505 and a block of dedicated IP's from Time Warner. We have 3 external facing IP addresses using NAT on the ASA to allow traffic to and from our Exchange Server and web sites. Recently we have noticed our ASA is locking up thus causing internet traffic to stop until the ASA is reset. In addition to this we have noticed our AD-DC is receiving authentication requests from someone trying to login using random login names to our Domain. So far they have not been successfull in gaining access to our servers but they are causing issues with the server and ASA having to respond to their requests.
I have checked the IP's that are logged in Event Viewer on the Domain Controller and they are spoofed IP's from sites in other countries. The majority of the attempts come from an IP address of a web site in China which turned out to be a Jingju Opera site. We have also received attempts from IP's that are registered to organizations in the Sovient Union that are hosting by a company called RIPE.
Does anyone have any ideas for how I can block this traffic and stop the attacks? If they are attempting the login to the DC it's safe to assume they have made it past the firewall and are probably using an HTTP port to gain access, correct?
Is your domain controller accessible from the Internet in any way? That is, on the ASA are there any static's and access control entries (ACE's) in an access control list (ACL) that allow traffic from the outside to the inside destined for the inside IP of your domain controller?
If so, evaluate the need to expose your domain controller to the Internet.
If not, then it is definitely possible that a compromised host on the inside is attempting to gain access to the domain controller using a spoofed IP.
Your firewall is a good place to prevent outsiders getting in. However, application layer protocols like HTTP carry a lot of nasties to infect and exploit clients which then are on the inside. To protect the inside you have to protect your layer 2 network as well. This will require a switch worthy of the task. In small businesses that care about this sort of thing the Catalyst 2960 is the entry level. The "Cisco for Small Business" Switches are GUI only and work sub-par compared to Catalyst switches at the access layer.
On Layer 2 Network:
Enable DHCP Snooping
Enable IP Source Guard
Enable Dynamic ARP inspection
Enable Port-Security (be careful here)
On the hosts:
Solid Anti-Malware (Sunbelt VIPRE is second to none, not to start a holy A/V war)
If RDP is required, only allow the network you actually use. You can find the network using whois do determine which network blocks you and your coworkers come from. So no more login attempts from Russia and China.
Update the image on the ASA, because several DoS have been released. Read the Cisco advisories about that.
I think they are not spoofing the IP addresses, they are actually coming from all over the place because they have a botnet and are relaying the connections through the bots.
Why is your domain controller exposed to the internet?
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum