ASA/PIX DoS Mitigation

jon.humphries
Level 1

Hi All,

I have the following scenario:

Hacker or virus ---> ASA/PIX MPF ---> Router or device endpoint

I use syslog traffic in this example, but I have done it with ICMP, telnet, etc. The idea is to drop the traffic based upon the class-map.

class-map hack
 match port udp eq 514
policy-map inside
 class hack
  set connection conn-max 1
  police input 8000 conform-action drop exceed-action drop
service-policy inside interface inside

I'm getting matches against the service-policy, but the traffic doesn't drop:

Interface inside:
  Service-policy: inside
    Class-map: syslog
      Set connection policy: conn-max 1
        current conns 1, drop 0
      Input police Interface inside:
        cir 8000 bps, bc 1500 bytes
        conformed 3 packets, 375 bytes; actions: drop
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 80 bps, exceed 0 bps

2 Replies

vvarakan
Level 1

Your current connection count is only 1, so you will not see any drops.

Hi,

It looks like my issue was that the CIR police mechanism is there for rate limiting as opposed to dropping the connection.

I misunderstood the functionality of this feature.

Many thanks for your input.

Jon Humphries
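The thread conflates three different ASA mechanisms, so here is an added configuration example (not from the original post or from Cisco) that puts them side by side. Interface, class-map, policy-map and ACL names are hypothetical. Note that the original policer used conform-action drop together with exceed-action drop, which drops every matching packet at the policer whatever the rate (the "conformed 3 packets ... actions: drop" counter above is that drop); the usual rate-limiting form forwards conforming traffic and drops only the excess.

```cisco
! Added example, not part of the thread. Names are hypothetical.
!
! (1) Rate limiting with an MPF policer. The policer is a token bucket:
!     8000 bps committed rate, 1500-byte burst. Packets within the bucket
!     are forwarded (transmit), packets beyond it are dropped. This caps
!     how fast syslog can arrive; it does not block syslog.
class-map SYSLOG-UDP
 match port udp eq 514
policy-map INSIDE-POLICY
 class SYSLOG-UDP
  police input 8000 1500 conform-action transmit exceed-action drop
!
! (2) Connection limiting. conn-max caps the number of concurrent
!     connections (UDP flows included) that match the class. The first
!     flow is allowed, and the "drop" counter under
!     "Set connection policy" in show service-policy only increments
!     when a second concurrent flow is attempted.
policy-map INSIDE-POLICY
 class SYSLOG-UDP
  set connection conn-max 1
!
service-policy INSIDE-POLICY interface inside
!
! (3) Blocking outright. If the goal is "never let UDP/514 through from
!     this segment", that is an interface ACL, not a policer.
access-list INSIDE-IN extended deny udp any any eq 514
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
```

After applying any of these, check the counters with show service-policy interface inside (for the policer and connection limit) and show access-list INSIDE-IN (for the ACL hit count); a policer that reports only conformed packets with action transmit is behaving as a rate limiter and will never produce a "drop" under the connection-policy line.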
