
Brute force attacks towards ASA

Sonflaa
Level 1

Hi!

Over the last few weeks there has been a big increase in brute force attempts from all over the world against our Cisco ASAs. We use two factors, so we're not too afraid that they will actually access any of our accounts, but the problem is that they manage to block users.

We use Microsoft NPS as the RADIUS server for some of our accounts, and for some reason this auto-maps users from a partial username. For example: the attackers type in reception, and the NPS auto-maps this to an actual user (for example reception@domain.com).

I have tried to find a way so that the auto-mapping doesn't happen on the NPS, but I couldn't find a proper way to make this work.

I have also tried the threat-detection scanning-threat shun command, but the addresses don't get blocked. At this point we are manually blocking the IPs that the attacks come from, but they just change the addresses. We have blocked thousands of IPs so far.

Do any of you have any suggestions to what we can try? We will get rid of the NPS soon, but until then, we need some fix.

Thank you in advance.

Best!
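A defender-side way to see the pattern the question describes (one source trying many distinct short usernames, each of which the RADIUS backend may map onto a real account) is to parse the ASA's AAA rejection syslogs. The script below is an added example, not from the original post: the log lines are constructed, the field layout follows ASA message %ASA-6-113005, and the year, window length and username threshold are assumptions to tune for your own volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of ASA syslog message %ASA-6-113005 (AAA user authentication
# Rejected); the "Mon dd hh:mm:ss host" prefix is the usual syslog relay header.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)\s*$"
)

# Constructed sample lines (not real captures): one source walking through
# generic short usernames, and one legitimate user mistyping a password twice.
SAMPLE_LOGS = """\
Apr 02 10:01:05 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = reception : user IP = 203.0.113.10
Apr 02 10:01:09 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Apr 02 10:01:14 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Apr 02 10:01:20 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = vpn : user IP = 203.0.113.10
Apr 02 10:02:03 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = support : user IP = 203.0.113.10
Apr 02 10:02:41 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = sales : user IP = 203.0.113.10
Apr 02 10:03:00 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jdoe@example.com : user IP = 198.51.100.20
Apr 02 10:03:30 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jdoe@example.com : user IP = 198.51.100.20
"""


def parse_rejections(text, year=2024):
    """Return a list of {ts, user, src, server} dicts for every 113005 line.
    Syslog timestamps carry no year, so the year is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other message IDs are not relevant here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "server": m["server"]})
    return events


def find_sprayers(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that tried at least `min_users` distinct usernames
    within any `window`-long interval. Both thresholds are assumptions to tune."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def unqualified_users(events):
    """Usernames without a domain part: the 'reception' style names that a
    partial-match RADIUS backend may map onto real accounts and lock them."""
    return sorted({e["user"] for e in events if "@" not in e["user"]})


if __name__ == "__main__":
    evs = parse_rejections(SAMPLE_LOGS)
    for src, users in find_sprayers(evs).items():
        print(f"possible spray from {src}: {', '.join(users)}")
    print("unqualified usernames seen:", ", ".join(unqualified_users(evs)))
```

Run it against a syslog export from the ASA; the list from `unqualified_users` is also the set of names worth checking in the NPS logs for unintended account matches while the backend is still in place.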

9 Replies

Hi Rob!

Thank you for this. Yes, this will harden the ASA, but with 400 tunnel-groups configured and 20000 users connecting, it would be a big project to change all of the URLs. We will do that, but it will take some time. In the meantime we would like to stop the attacks somehow.

Unfortunately I don't believe the ASA would provide you with any stable functioning protection against brute force attacks, and it sadly can't block the geo traffic destined to itself. However, I think if you switch to certificate authentication, at least you would know that the firewall wouldn't process any request without a valid certificate and would cut off all that unnecessary traffic to the RADIUS server.

Hi Aref! 

Thank you for your reply. Yes, changing to certificates would fix the problem, but we have almost 400 tunnel-groups, so that's a big project (we are on it, but we would like to stop the attacks) that will take months.

How about configuring a control plane access list denying all the countries that shouldn't initiate any connection to the ASA and allowing the others?

We have customers from all over the world, so denying whole countries isn't an option, unfortunately.

Set up another device which can do TLS/JA3 filtering in front of the firewall. This has proven to be the most efficient way of allowing traffic from real AnyConnect clients and dropping everything else over TCP/443.


bbitarovsky
Level 1

Hi Sonflaa,

Just try to mitigate the attack before RADIUS. Cisco has released recommendations against password spray attacks: Recommendations Against Password Spray Attacks Impacting Remote Access VPN Services - Cisco

Look at step 2: Apply Hardening Measures for Remote Access VPN
-> Disable AAA Authentication in the DefaultWEBVPNGroup and DefaultRAGroup Connection Profiles -> you can use authentication by certificate or use a sinkhole RADIUS (a new LDAP/RADIUS server group with no configuration behind it)
-> point the DefaultRAGroup and DefaultWEBVPNGroup to this sinkhole RADIUS
conf:
    aaa-server AAA_Sinkhole protocol ldap
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group AAA_Sinkhole
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group AAA_Sinkhole

If you are using group-aliases under tunnel-groups, the default tunnel-group/connection-profile (DefaultWEBVPNGroup) is not hit. My advice is to disable group-aliases; if you can't do so because your users are using them, just try configuring a dummy tunnel-group/connection-profile which the attackers will hit (for example tunnel-group aaa-sinkhole, group-alias aaa enable).

Also look at IOCs/2024/04 at main · Cisco-Talos/IOCs · GitHub (attackers' IP file -> large-scale-brute-force-activit..).

Good luck!
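With several hundred connection profiles, it is easy to leave one default profile pointing at a real server or one group-alias enabled, which is exactly the gap the advice above closes. The following audit script is an added example, not from this post or from Cisco: it parses the aaa-server and tunnel-group parts of a running-config export and reports any default profile that still reaches an AAA group with hosts behind it, plus every enabled group-alias. Both config snippets are constructed, and the names NPS_RADIUS, CUSTOMER_A and vpn.example.com are assumptions.

```python
import re

# Connection profiles every ASA has; they are the ones reached when a client
# supplies no group-alias or group-url (the case the sinkhole above addresses).
DEFAULT_PROFILES = ("DefaultWEBVPNGroup", "DefaultRAGroup")

# Constructed "before" config (names NPS_RADIUS and CUSTOMER_A are assumptions):
# a default profile still reaches the real RADIUS server and an alias is enabled.
CONFIG_BEFORE = """\
aaa-server NPS_RADIUS protocol radius
aaa-server NPS_RADIUS (inside) host 10.0.0.5
 key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group NPS_RADIUS
tunnel-group CUSTOMER_A type remote-access
tunnel-group CUSTOMER_A general-attributes
 authentication-server-group NPS_RADIUS
tunnel-group CUSTOMER_A webvpn-attributes
 group-alias customer-a enable
"""

# Constructed "after" config following the post: both defaults sinkholed and
# the alias replaced by a group-url.
CONFIG_AFTER = """\
aaa-server AAA_Sinkhole protocol ldap
aaa-server NPS_RADIUS protocol radius
aaa-server NPS_RADIUS (inside) host 10.0.0.5
 key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group CUSTOMER_A type remote-access
tunnel-group CUSTOMER_A general-attributes
 authentication-server-group NPS_RADIUS
tunnel-group CUSTOMER_A webvpn-attributes
 group-url https://vpn.example.com/customer-a enable
"""


def parse_asa_config(text):
    """Pick out aaa-server groups (with their hosts) and tunnel-group
    authentication/alias/url settings from running-config text."""
    aaa, tgs, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level command
            current = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)$", raw)
            if m:
                aaa.setdefault(m[1], {"protocol": m[2], "hosts": []})
                continue
            m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", raw)
            if m:
                aaa.setdefault(m[1], {"protocol": None, "hosts": []})["hosts"].append(m[2])
                continue
            m = re.match(r"tunnel-group (\S+) (type|general-attributes|webvpn-attributes)", raw)
            if m:
                tgs.setdefault(m[1], {"auth_group": None, "aliases": [], "urls": []})
                if m[2] != "type":
                    current = m[1]             # following indented lines belong here
            continue
        if current is None:
            continue                           # indented line of an unrelated block
        line = raw.strip()
        if m := re.match(r"authentication-server-group (\S+)", line):
            tgs[current]["auth_group"] = m[1]
        elif m := re.match(r"group-alias (\S+) enable$", line):
            tgs[current]["aliases"].append(m[1])
        elif m := re.match(r"group-url (\S+) enable$", line):
            tgs[current]["urls"].append(m[1])
    return aaa, tgs


def audit(aaa, tgs):
    """Return human-readable findings; an empty list means both defaults are
    sinkholed and no profile is selectable by alias."""
    findings = []
    for name in DEFAULT_PROFILES:
        auth = tgs.get(name, {}).get("auth_group")
        if auth is None:
            findings.append(f"{name}: no authentication-server-group (falls back to LOCAL)")
        elif aaa.get(auth, {}).get("hosts"):
            findings.append(f"{name}: authenticates via real group {auth} ({', '.join(aaa[auth]['hosts'])})")
    for name, tg in tgs.items():
        for alias in tg["aliases"]:
            findings.append(f"{name}: group-alias '{alias}' enabled, profile selectable by name")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"[{label}]", audit(*parse_asa_config(cfg)) or "no findings")
```

Feed it the output of `show running-config` from each ASA; a sinkhole group is recognised simply by having no host lines, which matches the post's "without configuration" description.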

Gopinath_Pigili
Spotlight

Hello Sonflaa,

Please follow the link below; you can find a similar kind of discussion there. Hope it is helpful.

https://community.cisco.com/t5/email-security/asa-webvpn-brute-force-attack/td-p/4411454

Best regards
******* If This Helps, Please Rate *******