throttling a runaway host


We've got a security server running Retina that recently ran away and opened up tens of thousands of connections through our PIX 515E to devices it's supposed to scan. This caused memory on the PIX to run low, caused dropped connections on other sessions running through the PIX, and generally made life unhappy. The quick solution was to unplug the server from the net, run a clear xlate, and put in a new access list with a line "deny ip host <server ip> any" in it to prevent it from reaching out again.

What I'm wondering is:

Is there a way to limit the number of TCP connections that particular host can initiate through the firewall?

Is there a way to clear ONLY the connections that host has opened, rather than the "clear xlate" command, which kills ALL the sessions running through the firewall? The SAs and DBAs get annoyed when all their SSH sessions drop.

PIX OS is 6.3.5(125)

dhananjoy chowdhury Mon, 06/22/2009 - 21:24

On PIX running 6.3, you can do it using the max_conns/emb_limit options of the static command.

But PIX 6.3 does not verify the TCP checksum of packets transiting the firewall. It holds the half-open TCP connection open until the embryonic timeout of 2 minutes.

Because the firewall is holding a connection open, any additional packets with the same protocol, IP addresses, and ports will be treated as part of the existing half-open connection. In this case, a legitimate SYN packet following the malformed SYN will be discarded because it is outside of the window of acceptable sequence numbers established by the malformed packet.

However, if you upgrade to 7.0 or above, then you can try something like this to check for TCP connections coming in on any interface of the PIX.

    ! Match all TCP traffic
    access-list TCP-ACL permit tcp any any
    !
    ! Classify traffic that hits the ACL
    class-map TCPX
      match access-list TCP-ACL
    !
    ! Apply connection limits to that class
    policy-map global_policy
      class TCPX
        set connection conn-max 500
        set connection embryonic-conn-max 200
        set connection timeout embryonic 0:00:10
    !
    ! Apply the policy on all interfaces
    service-policy global_policy global


You can refer to this doc.

Hope this helps.
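The config above caps TCP connections for all hosts. Since the question is about one runaway scanner, here is an added example (not from the original reply, and not Cisco documentation) that scopes the limit and the cleanup to a single host. The scanner address 10.0.0.5 and the outside address 203.0.113.10 are placeholders; the 6.3 per-host limits are given on the nat/static lines as the reply describes, and the host-only cleanup uses clear local-host, which is assumed to be available on both trains.

```text
!
! ---- PIX 6.3: per-host limits on the nat/static lines ----
! Syntax assumed: nat (if) id local_ip netmask [max_conns [emb_limit]]
! 500 total connections, 200 embryonic (half-open) for the scanner only
nat (inside) 1 10.0.0.5 255.255.255.255 500 200
!
! Same limits if the scanner has a fixed translation instead
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255 500 200
!
! Check how many connections the scanner currently holds
show local-host 10.0.0.5
!
! Drop only the scanner's connections (other hosts' SSH sessions survive)
clear local-host 10.0.0.5
!
! ---- PIX/ASA 7.0+: MPF policy matching only the scanner ----
! "extended" keyword assumed for the 7.x ACL syntax
access-list SCANNER-ACL extended permit tcp host 10.0.0.5 any
!
class-map SCANNER
  match access-list SCANNER-ACL
!
policy-map INSIDE-POLICY
  class SCANNER
    set connection conn-max 500
    set connection embryonic-conn-max 200
    set connection timeout embryonic 0:00:10
!
! Apply on the interface the scanner sits behind, not globally,
! so other inside hosts keep the default limits
service-policy INSIDE-POLICY interface inside
!
```

Limiting by source host rather than "any any" means a scanner that runs away hits its own ceiling and the firewall refuses further SYNs from it, while the per-host clear command answers the second question without touching the global xlate table. Verify the exact argument order of nat/static and the availability of clear local-host against the command reference for the running version before applying.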

