ASA/PIX Dos Mitigation

Unanswered Question
Dec 11th, 2008
User Badges:

Hi All,

I have the following scenario;

Hacker or virus ---> ASA/PIX MPF ---> Router or Device endpoint

I use syslog traffic in this example but I have done it with ICMP, telnet etc .... The idea is to drop the traffic based upon the class-map.

class-map hack

match port udp eq 514

policy-map inside

class hack

set connection conn-max 1

police input 8000 conform-action drop exceed drop

service-policy inside interface inside

I'm getting matches against the service-policy but the traffic doesn't drop ...

Interface inside:

Service-policy: inside

Class-map: syslog

Set connection policy: conn-max 1

current conns 1, drop 0

Input police Interface inside:

cir 8000 bps, bc 1500 bytes

conformed 3 packets, 375 bytes; actions: drop

exceeded 0 packets, 0 bytes; actions: drop

conformed 80 bps, exceed 0 bps

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vvarakan Thu, 12/11/2008 - 10:06
User Badges:

You current connection count is only 1 so you will not see any drops.

jon.humphries Sun, 12/14/2008 - 08:11
User Badges:


It looks like my issue, was that the CIR police mechanisim is there for rate limiting as opposed to dropping the connection.

I misunderstood the functionality of this feature.

Many thanks for your input.

Jon Humphries


This Discussion