Cisco ASA daily backup with Embedded Event Manager

Did you know that you can use the Embedded Event Manager (EEM) in Cisco ASA (from v9.1) to schedule a daily backup of the firewall's running-config to an external server?

In this example I back up the configuration once daily to my local FTP server, but backups can be sent to TFTP, SCP, SMB and other file locations as well. Very handy!


event manager applet backupconfig
 event timer absolute time 13:52:00
 action 0 cli command "copy /noconfirm running-config ftp://asabackup:asabackup@"
 output none
Posted in Uncategorized

How to set a static IP in Linux distributions like Kali

  1. sudo pico /etc/network/interfaces
  2. Add the following, modify as needed:
     allow-hotplug eth0
     iface eth0 inet static
  3. service networking restart
Posted in Uncategorized

DDoS attacks – an explanation of amplified reflective UDP-based attacks

One of the most common types of DDoS attacks is the UDP-based amplified reflection attack. I will now explain how this attack works and what makes it so hard to protect against.

The most targeted systems are web servers. Any system attached to the internet can be the victim of a DDoS attack, and this attack works just as well against all types of systems, but for this video let's assume that the victim is a web server.

This web server is connected to the internet via a local internet connection with a bandwidth of, let's say, 200 Mbps. A firewall filters and inspects all traffic between the web server and the internet; it has a capacity of 500 Mbps. The internal network has a capacity of 1 Gbps, roughly 1000 Mbps. Finally, the web server itself can handle 100 Mbps.

This system is sized for 100 Mbps, meaning that the weakest link in the chain, the web server, has a capacity of 100 Mbps. If there were ever a demand for more traffic, the web server could be upgraded to handle more, and the bottleneck would instead become the 200 Mbps internet connection. This upgrade race could continue forever, always upgrading the weakest point of the traffic flow to keep up with the demand for bandwidth and performance.

When it comes to UDP-based attacks, however, the traffic flow normally stops and terminates in the firewall.

This means that the capacity of the parts behind the firewall is irrelevant, and in this case the weakest link is the 200 Mbps internet link.

If the link or the firewall is exhausted, it starts dropping packets. The result is retransmissions and eventually an outage of the service: the web page becomes slow or unresponsive.

So, if the weakest link is 200 Mbps, all it takes to perform a denial of service attack is to generate more than 200 Mbps of traffic.

If Evil Bob, who intends to attack the web server, has more than 200 Mbps of bandwidth at home, he could in theory carry out this attack all by himself. However, doing so would most probably draw attention from his ISP, since he would be generating a massive amount of traffic.

Instead of sending this traffic directly to the victim web server, he sends traffic to reflectors. The reflectors are servers on the internet that have no intention of being part of any DoS attack.

To carry out a reflective DoS attack the attacker uses UDP, which is stateless. He sends traffic to the reflectors with the victim web server's address as the source address, which makes the reflectors believe that the traffic came from the web server, so the reflectors send their replies to the web server.

If the attacker used TCP, which is stateful, the packet from the attacker would be a SYN packet and the response from the reflector to the victim would be a SYN-ACK packet, which carries no payload and is rather small.

By using any kind of stateless UDP packet where the query, the first packet, is small and the response, in this case sent from the reflector to the victim, is larger, the attack is amplified. With an amplification factor of 1 to 10, the attacker could generate 20 Mbps of UDP queries to the reflectors, and the responses from the reflectors to the victim would be 10 times bigger, 200 Mbps. This is called an amplified attack.

Several UDP-based protocols are used in amplification attacks today; the most common abuse DNS or NTP servers. In both cases, properly configured DNS and NTP servers do not answer these types of queries, but there are many improperly configured DNS and NTP servers on the internet that can be used as reflectors for these attacks.
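To show what the mechanism above looks like from the defender's side, here is an added example (not part of the original post) that runs a simple reflection check over constructed flow records: inbound UDP traffic from DNS/NTP source ports that the victim never queried for, or that is at least ten times larger than its queries, is summed per victim and compared with the post's 200 Mbps weakest link. The addresses, byte counts and the 10 second window are all constructed sample data.

```python
from collections import defaultdict

# Constructed flow records (example data, not from the original post): one
# 10-second window of traffic as a flow collector at the internet edge would
# export it, as (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
# 203.0.113.10 is the protected web server; 198.51.100.x are DNS/NTP reflectors.
WINDOW_SECONDS = 10
FLOWS = [
    ("198.51.100.5", 53, "203.0.113.10", 40001, "udp", 120_000_000, 40_000),
    ("198.51.100.6", 53, "203.0.113.10", 40002, "udp", 110_000_000, 36_000),
    ("198.51.100.7", 123, "203.0.113.10", 40003, "udp", 60_000_000, 120_000),
    ("203.0.113.20", 55000, "198.51.100.9", 53, "udp", 600, 5),     # real queries
    ("198.51.100.9", 53, "203.0.113.20", 55000, "udp", 2_400, 5),   # their answers
    ("192.0.2.44", 51000, "203.0.113.10", 443, "tcp", 2_000_000, 3_000),
]
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP"}
LINK_CAPACITY_MBPS = 200   # the post's weakest link: the 200 Mbps internet connection
REFLECTION_RATIO = 10      # response/query byte ratio treated as amplified

def unsolicited_amplifier_traffic(flows):
    """Map victim_ip -> inbound bytes from DNS/NTP source ports that the victim
    did not ask for: no outbound query flow in the window, or responses at least
    REFLECTION_RATIO times larger than the queries (the amplification signature)."""
    sent = defaultdict(int)   # (client, server, service_port) -> query bytes
    recv = defaultdict(int)   # (client, server, service_port) -> response bytes
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dport in AMPLIFIER_PORTS:
            sent[(src, dst, dport)] += nbytes
        elif sport in AMPLIFIER_PORTS:
            recv[(dst, src, sport)] += nbytes
    suspicious = defaultdict(int)
    for (client, server, port), rbytes in recv.items():
        qbytes = sent.get((client, server, port), 0)
        if qbytes == 0 or rbytes / qbytes >= REFLECTION_RATIO:
            suspicious[client] += rbytes
    return dict(suspicious)

def mbps(nbytes, seconds):
    return nbytes * 8 / seconds / 1_000_000

def link_saturated(flows, victim, capacity_mbps=LINK_CAPACITY_MBPS):
    """Return (rate_mbps, over_capacity) for reflected traffic towards victim."""
    rate = mbps(unsolicited_amplifier_traffic(flows).get(victim, 0), WINDOW_SECONDS)
    return rate, rate > capacity_mbps

if __name__ == "__main__":
    print(link_saturated(FLOWS, "203.0.113.10"))   # (232.0, True)
```

The legitimate query/answer pair for 203.0.113.20 is left alone because its answers are only four times larger than the queries, while the web server receives 232 Mbps of unsolicited responses, more than its link can carry.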

To further strengthen these attacks, the attacker does not send the UDP packets to the reflectors himself. Instead he uses botnets. A botnet is a number of malware-infected computers spread over the world that the botnet controller can use for various purposes. Your or my virus-infected computer can be part of such a botnet. If the infected computer is not doing anything active it is called a zombie. The malware is often a background process running on the computer, invisible to you and me, just waiting for commands from the command and control server managing the botnet.

In the DDoS scenario the botnet command server is called a stresser or booter, delivering DDoS attacks as a service on the internet. Anyone with a credit card can pay a few dollars to the person in charge of the stresser, and it will deliver a DDoS attack against the target of choice.

So, in a typical DDoS attack, Evil Bob is just a person wanting to take down a service on the internet. He visits a web page offering stresser services. He enters his credit card number and points out the address of the target he wants to take down, and depending on how much he pays, the stresser will deliver an attack at a certain bandwidth for a certain time. The more money, the more traffic is sent and for a longer period. A normal price can be 30 minutes of attack at a rate of 1.5 Gbps at a cost of 15 USD.

The stresser sends commands to the botnet, the botnet members send UDP packets to the reflectors with spoofed source IP addresses, and the reflectors send their amplified responses to the target.

The challenge with mitigating these attacks on site is that you need enough bandwidth and resources to handle the incoming attack. Today many attacks are in the order of one or several gigabits per second, so upgrading the internet connection and firewall to handle this amount of traffic would protect the internal resources from being exhausted, but the price of handling all this traffic is in most cases unrealistically high. The only thing left to do is to filter and block this traffic before it reaches the weakest links of the chain. Most major ISPs can handle this traffic today, and filtering the DDoS attack within your ISP's premises is often the only option left, if they can deliver this service and if the price for it is reasonable.

There are a few long-term solutions to DDoS attacks.

First, botnets are used as a tool to scale up DDoS attacks. Working to eliminate botnets and malware will reduce the impact of DDoS attacks.

Second, unpatched servers used as reflectors should be upgraded and properly configured. When DNS servers are used as amplifying reflectors, the attacker takes advantage of the fact that the server is configured as an open resolver. In most cases DNS servers should not be configured like this, and proper configuration of these servers would make them less attractive as amplifying reflectors.

Third, in my opinion the most powerful countermeasure against DDoS attacks would be if ISPs around the world implemented unicast reverse path forwarding, also known as uRPF or source filtering. When an ISP has customers that are part of botnets used in DDoS attacks, these client computers send spoofed packets. This is allowed by each local ISP because they do not verify the source address of the traffic coming from their customers, even though the ISP knows that traffic sourced from its customers should have certain specific address ranges in the source field of the IP packets. Today most ISPs do not implement uRPF, which makes source address spoofing easy.

DDoS attacks are in my opinion the biggest and most severe threat to today's internet. There is no silver bullet that protects us, and as long as anyone with a credit card and 25 dollars can buy an attack we will see these attacks.

My name is Jimmy Larsson, please visit my blog at

Posted in General Security, Security

How to set up SSH keypair authentication in Cisco ASA

I created a short video on how to configure Cisco ASA to allow a CLI user to authenticate with an RSA keypair when connecting over SSH instead of a username/password. See the video below.

In short, this is how to do it:

username johndoe nopassword
username johndoe attributes
ssh authentication publickey XXXXXXXX

(Replace XXXXXX with the user's public key)

When connecting with "ssh johndoe@firewallip" the user will be granted CLI access without a password prompt.


Posted in Cisco Security, Security


I am currently attending Cisco Live in Berlin. The schedule is stuffed with various nice topics! One of the sessions I just attended was about OpenDNS. I had heard about it and read about it, but no more than that. Since the Cisco acquisition of OpenDNS it is now part of the Cisco Security portfolio.


OpenDNS is a cloud-based service that operates between the clients (your and my computers) and the authoritative DNS servers on the internet. By injecting a layer of control into the DNS flow, OpenDNS can protect us from going to bad sites on the internet.

OpenDNS handles more than 80 BILLION DNS requests every day and sees more than 3% of the internet traffic today. With all that insight into internet behaviour they have the power to detect compromised systems, malware C&C traffic and newly registered domains used by bad stuff like ransomware.


It took me less than 5 minutes to sign up for a 14-day trial of OpenDNS, configure basic settings and implement the controls on my laptop as well as my iPhone. I have run it for 24h so far and it works great!

Implementing OpenDNS on roaming clients (devices that are not always on the same network) means that some kind of agent/client must be installed. The OpenDNS client is called Umbrella. This agent authenticates me to the OpenDNS cloud to ensure that the correct policies are applied (which sites I am allowed to access on the internet). Umbrella also makes sure that my DNS traffic is sent to the OpenDNS cloud.


Umbrella Mac





What happens behind the scenes? First, let's do a DNS lookup on my computer running Umbrella:

jimmy$ dig
; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58382
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;            IN    A

;; ANSWER SECTION:        271    IN    A        271    IN    A        271    IN    A        271    IN    A        271    IN    A

;; Query time: 15 msec
;; WHEN: Wed Feb 17 10:03:21 2016
;; MSG SIZE  rcvd: 112

I now use as resolver, which was certainly not the case before installing the Umbrella agent.


I have created a custom policy in the OpenDNS cloud that blocks traffic to, just as a test:

Screenshot 2016-02-17 10.07.40


What happens when my computer resolves the entry of

jimmy$ dig

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;            IN    A

;; ANSWER SECTION:        0    IN    A

;; Query time: 13 msec
;; WHEN: Wed Feb 17 10:03:34 2016
;; MSG SIZE  rcvd: 43


Looks ok, right? Wait, what is that ip


jimmy$ whois

# ARIN WHOIS data and services are subject to the Terms of Use
# available at:
# If you see inaccuracies in the results, please report at

# Query terms are ambiguous.  The query is assumed to be:
#     "n"
# Use "?" to get help.

# The following results may also be obtained via:

NetRange: -
NetName:        RIPE-ERX-146-112-0-0
NetHandle:      NET-146-112-0-0-1
Parent:         NET146 (NET-146-0-0-0-0)
NetType:        Early Registrations, Transferred to RIPE NCC
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2004-02-04
Updated:        2004-02-04
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region.  Contact information can be found in
Comment:        the RIPE database at


OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
PostalCode:     1001EB
Country:        NL
Updated:        2013-07-29

ReferralServer:  whois://

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444

# ARIN WHOIS data and services are subject to the Terms of Use
# available at:
# If you see inaccuracies in the results, please report at

% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to ' -'

% No abuse contact registered for -

inetnum: -
netname:        OpenDNS-RIPE
descr:          OpenDNS
country:        EU
admin-c:        ODNS36692-RIPE
tech-c:         ODNS36692-RIPE
status:         LEGACY
mnt-by:         OPENDNS-MNT
mnt-routes:     OPENDNS-MNT
mnt-domains:    OPENDNS-MNT
mnt-by:         OPENDNS-MNT
mnt-lower:      OPENDNS-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2015-07-29T11:50:40Z
source:         RIPE # Filtered

role:           OPENDNS NETENG TEAM
address:        OpenDNS
address:        675 West Hastings Street, Suite 500
address:        Vancouver BC V6B 1N2
address:        Canada
phone:          +1 415 513 0439
nic-hdl:        ODNS36692-RIPE
mnt-by:         OPENDNS-MNT
created:        2014-05-29T13:22:57Z
last-modified:  2015-01-22T18:28:03Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.85.1 (DB-2)

Oh, it seems that the DNS lookup is intercepted and that the A record points to OpenDNS instead of the site. That can be confirmed by trying to browse to the site
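The two dig outputs above differ in exactly the way a script can check for: the ordinary answer has a TTL of 271 while the intercepted one has a TTL of 0 and an address in the range that the whois output attributes to OpenDNS. The following is an added example (not from the post) that parses dig-style ANSWER SECTION lines and classifies the result; the names and addresses are constructed, and the 146.112.0.0/16 sinkhole range is an assumption taken from the /16 parent block in the whois output above, not the exact OpenDNS inetnum.

```python
import ipaddress
import re

# Constructed dig output (example data, not the post's output, whose names and
# addresses were stripped). The first lookup is an ordinary answer; the second
# carries a TTL of 0 and an address inside the assumed OpenDNS sinkhole block.
DIG_NORMAL = """\
;; ANSWER SECTION:
www.example.com.\t271\tIN\tA\t93.184.216.34
www.example.com.\t271\tIN\tA\t93.184.216.35
"""
DIG_BLOCKED = """\
;; ANSWER SECTION:
blocked.example.\t0\tIN\tA\t146.112.0.200
"""

# Assumption: the /16 parent block from the whois output stands in for the
# exact OpenDNS range, which the post does not show.
SINKHOLE_NETS = [ipaddress.ip_network("146.112.0.0/16")]
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$", re.M)

def parse_answers(dig_output):
    """Return [(name, ttl, ip)] for every A record in dig's ANSWER SECTION."""
    return [(name, int(ttl), ipaddress.ip_address(ip))
            for name, ttl, ip in ANSWER_RE.findall(dig_output)]

def classify(dig_output):
    """'intercepted' if any answer points into a sinkhole range, 'suspicious'
    if an answer only has the zero TTL seen on the blocked lookup, else 'normal'."""
    answers = parse_answers(dig_output)
    if any(any(ip in net for net in SINKHOLE_NETS) for _, _, ip in answers):
        return "intercepted"
    if any(ttl == 0 for _, ttl, _ in answers):
        return "suspicious"
    return "normal"

if __name__ == "__main__":
    print(classify(DIG_NORMAL), classify(DIG_BLOCKED))   # normal intercepted
```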

Screenshot 2016-02-17 10.07.59

OpenDNS is not a full web protection system. It does not analyze the traffic and it cannot scan web content for malware. But it can drop traffic to the dark sides of the internet just by using DNS, and not only for web browsers but for ALL traffic on the client that uses DNS. This is cool!


Posted in Uncategorized

