We have done extensive testing today on Cisco ASA 5550 (Legacy) and 5515-X (latest generation) and have noted the following:

- Not only ICMP type 3, code 3 can be used for this. We get the same CPU load for type 3, code 4 and similar, but slightly lower CPU load for type 11, code 0 (TTL exceeded).

- Even if packets towards the outside interface of the ASAs generated the highest load, packets towards any inside host contribute about 2/3 of the load of those directed to the ASA outside address (this was tested using 5550, not 5515-X).

- When mitigating using:

      icmp deny any unreachable outside
      icmp deny any time outside

  the reduction in load is less than 50% on packets towards the ASA outside IP, but it does not affect the load of packets towards hosts behind the ASA 5550. On 5515-X it did not prevent 100% CPU on 50k packets per second with type 3 ICMP packets.

- Very surprisingly, the load on a 5515-X was higher given the same # of ICMP packets per second than on a 5550. A 50K packet stream only triggered between 60% and 80% CPU on 5550, but 100% on 5515-X. Almost everything we did resulted in 100% CPU on 5515-X with 50k packets/second.
Here are some more details on our 5550 measurements:

Without recommended mitigation:

Verified the following (results vary slightly between runs):

    ICMP 3 4   50K packets towards outside:         80% CPU
    ICMP 3 4   50K packets towards host on inside:  65% CPU
    ICMP 3 3   50K packets towards outside:         78% CPU
    ICMP 3 3   50K packets towards host on inside:  53% CPU
    ICMP 11 0  50K packets towards outside:         72% CPU
    ICMP 11 0  50K packets towards host on inside:  52% CPU

With recommended mitigation + TTL exceeded mitigation:

    icmp deny any unreachable outside
    icmp deny any time outside

Verified the following (results vary between runs):

    ICMP 3 4   50K packets towards outside:         45% CPU
    ICMP 3 4   50K packets towards host on inside:  62% CPU
    ICMP 3 3   50K packets towards outside:         50% CPU
    ICMP 3 3   50K packets towards host on inside:  63% CPU
    ICMP 11 0  50K packets towards outside:         50% CPU
    ICMP 11 0  50K packets towards host on inside:  52% CPU