Controlling SYN flooding attack

hraghav
Level 1

We have a Cisco PIX 515E with PIX version 6.3(4). We are receiving continuous SYN packets for one specific server. Can we control this attack with the PIX 515E appliance? Please advise how to do this, if possible, on the PIX 515E.

Thanks in advance.

Regards,

Raghavan

5 Replies

micheljoh
Level 1

Hi

Well, since to my knowledge you can't use TCP normalization in the 6.3 version, you are pretty much left with using the PIX's IDS function.

try this:

ip audit name PIX-IDS attack action reset

ip audit interface outside PIX-IDS

ip audit attack action reset

Note that you might need to disable some signatures depending on your network; you can do that with this command (it takes the number of the signature to disable):

ip audit signature <signature_number> disable

Look up the signatures here:

http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808b4d46.html

Hope this helps you. If you use the 7.x version, let me know; then I can help you with a better config for normalisation of the TCP SYN flood.

Regards//Michel

I thought the PIX only supported a limited set of IDS signatures, and SYN attacks weren't one of them:

PIX# sh ip audit count
Signature Global
1000 I Bad IP Options List 0
1001 I Record Packet Route 0
1002 I Timestamp 0
1003 I Provide s,c,h,tcc 0
1004 I Loose Source Route 0
1005 I SATNET ID 0
1006 I Strict Source Route 0
1100 A IP Fragment Attack 0
1102 A Impossible IP Packet 0
1103 A IP Teardrop 0
2000 I ICMP Echo Reply 0
2001 I ICMP Unreachable 0
2002 I ICMP Source Quench 0
2003 I ICMP Redirect 0
2004 I ICMP Echo Request 0
2005 I ICMP Time Exceed 0
2006 I ICMP Parameter Problem 0
2007 I ICMP Time Request 0
2008 I ICMP Time Reply 0
2009 I ICMP Info Request 0
2010 I ICMP Info Reply 0
2011 I ICMP Address Mask Request 0
2012 I ICMP Address Mask Reply 0
2150 A Fragmented ICMP 0
2151 A Large ICMP 0
2154 A Ping of Death 0
3040 A TCP No Flags 0
3041 A TCP SYN & FIN Flags Only 0
3042 A TCP FIN Flag Only 0
3153 A FTP Improper Address 0
3154 A FTP Improper Port 0
4050 A Bomb 0
4051 A Snork 0
4052 A Chargen 0
6050 I DNS Host Info 0
6051 I DNS Zone Xfer 0
6052 I DNS Zone Xfer High Port 0
6053 I DNS All Records 0
6100 I RPC Port Registration 0
6101 I RPC Port Unregistration 0
6102 I RPC Dump 0
6103 A Proxied RPC 0
6150 I ypserv Portmap Request 0
6151 I ypbind Portmap Request 0
6152 I yppasswdd Portmap Request 0
6153 I ypupdated Portmap Request 0
6154 I ypxfrd Portmap Request 0
6155 I mountd Portmap Request 0
6175 I rexd Portmap Request 0
6180 I rexd Attempt 0
6190 A statd Buffer Overflow 0

Signature 3050 on the IPS is the signature for SYN attacks, but this is clearly not listed above.

:)

Oops, correct, it supports only a limited set of signatures; I took it for granted that SYN attacks were one of them.

I will see if I can find something out for you ;)

Regards//Michel

nefkensp
Level 5

What you can do to "conserve" the host being attacked is to use the embryonic connection options in the static command.

You probably have a static configured for that host.

Check the static command in the manual:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

Didn't think of that one! :)

Also you can limit the embryonic connections in the nat command!

Example to limit embryonic sessions to 50:

nat (inside) 1 access-list Nat-List 0 50

on the static command:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy 0 50
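To make concrete what the embryonic limit in the static and nat commands above protects against, here is an added model (not the PIX's code and not from anyone in this thread) of a per-host half-open connection table with a limit. It assumes a 30-second lifetime for an entry that never completes the handshake and simply withholds SYNs once the limit is reached; what the PIX actually does with the excess SYN is described in the command reference linked above. The event stream, the addresses and the limit of 5 are constructed for the illustration.

```python
"""Model of a per-host embryonic (half-open) connection limit.

Constructed illustration only; it is not the PIX implementation.
A SYN creates a half-open entry for (server, client). Once a server's
half-open count reaches emb_limit, further SYNs for that server are
withheld until existing entries complete (ACK) or time out.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class EmbryonicLimiter:
    emb_limit: int             # the "50" in `static ... 0 50` / `nat ... 0 50`
    syn_timeout: float = 30.0  # assumed lifetime (seconds) of a half-open entry
    # server -> {client: time the SYN was seen}
    half_open: dict = field(default_factory=lambda: defaultdict(dict))
    forwarded: int = 0   # SYNs passed on to the server
    withheld: int = 0    # SYNs not passed on because the limit was reached
    completed: int = 0   # handshakes finished with an ACK
    expired: int = 0     # half-open entries that timed out

    def _expire(self, server, now):
        """Remove half-open entries older than syn_timeout."""
        table = self.half_open[server]
        stale = [c for c, t in table.items() if now - t >= self.syn_timeout]
        for c in stale:
            del table[c]
        self.expired += len(stale)

    def on_syn(self, now, client, server):
        """Return True if the SYN may be passed on to the server."""
        self._expire(server, now)
        table = self.half_open[server]
        # A retransmitted SYN from a client already in the table refreshes
        # its entry rather than consuming another slot.
        if client not in table and len(table) >= self.emb_limit:
            self.withheld += 1
            return False
        table[client] = now
        self.forwarded += 1
        return True

    def on_ack(self, now, client, server):
        """Handshake completed: the entry is no longer embryonic."""
        table = self.half_open[server]
        if client in table:
            del table[client]
            self.completed += 1
            return True
        return False

    def half_open_count(self, server):
        return len(self.half_open[server])

    def summary(self):
        return {"forwarded": self.forwarded, "withheld": self.withheld,
                "completed": self.completed, "expired": self.expired}


# Constructed event stream: (seconds, kind, client, server).
# Eight SYNs from distinct sources hit 10.0.0.5 and never complete;
# a legitimate client (192.0.2.10) arrives during the flood and again
# after the stale entries have timed out. 10.0.0.6 sees normal traffic.
SAMPLE_EVENTS = [
    (0.0, "SYN", "203.0.113.1", "10.0.0.5"),
    (1.0, "SYN", "203.0.113.2", "10.0.0.5"),
    (2.0, "SYN", "203.0.113.3", "10.0.0.5"),
    (3.0, "SYN", "203.0.113.4", "10.0.0.5"),
    (4.0, "SYN", "203.0.113.5", "10.0.0.5"),
    (5.0, "SYN", "203.0.113.6", "10.0.0.5"),
    (6.0, "SYN", "203.0.113.7", "10.0.0.5"),
    (7.0, "SYN", "203.0.113.8", "10.0.0.5"),
    (8.0, "SYN", "192.0.2.10", "10.0.0.5"),
    (9.0, "SYN", "192.0.2.20", "10.0.0.6"),
    (9.2, "ACK", "192.0.2.20", "10.0.0.6"),
    (40.0, "SYN", "192.0.2.10", "10.0.0.5"),
    (40.3, "ACK", "192.0.2.10", "10.0.0.5"),
]


def run(events, emb_limit=5, syn_timeout=30.0):
    """Replay an event stream through the limiter and return it."""
    lim = EmbryonicLimiter(emb_limit, syn_timeout)
    for now, kind, client, server in events:
        if kind == "SYN":
            lim.on_syn(now, client, server)
        elif kind == "ACK":
            lim.on_ack(now, client, server)
    return lim


if __name__ == "__main__":
    print("with limit 5:   ", run(SAMPLE_EVENTS).summary())
    print("without a limit:", run(SAMPLE_EVENTS, emb_limit=1000).summary())
```

Replaying the sample with a limit of 5 holds the attacked server at five half-open entries for the duration of the flood, and the remaining SYNs never reach it; without a limit the server carries all nine. The same replay shows the trade-off a practitioner sizes the limit against: the legitimate client that arrives at second 8 is also withheld until the stale entries expire, so the value should sit above the server's normal half-open load but well below what exhausts it.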
