Details

A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic.

The device must be configured to contain and limit a DoS attack’s effect on the device’s resource utilization. The use of redundant components and load balancing are examples of mitigating ‘flood-type’ DoS attacks through increased capacity.

Solution

Configure threat detection as shown in the example below.

ASA(config)# threat-detection basic-threat

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.

References

• 800-53|SC-5(2)
• CAT|II
• CCI|CCI-001095
• Rule-ID|SV-239860r665866_rule
• STIG-ID|CASA-FW-000150
• Vuln-ID|V-239860

Source

• Tenable.com/audits