ASA DDoS / syn flood protection

Unanswered Question
Jun 30th, 2009

Hi, I am trying to prevent DDoS / SYN flood attacks on an ASA5505 (simplest version, DMZ restricted license). The ASA is in front of a Web server with approximately 2500 unique visits a day. Only ports 80 and 53 TCP/UDP are open.

Once or twice a day I see a large number of errors like:

%ASA-5-321001: Resource 'conns' limit of 10000 reached for system

Here is what I have done so far:

class-map CONNS-MAP
 match any
!
policy-map CONNS-POLICY
 class CONNS-MAP
  set connection conn-max 3000 embryonic-conn-max 6000 per-client-max 500 per-client-embryonic-max 1000
  set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
!
service-policy CONNS-POLICY interface outside

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address myip 255.255.255.255
threat-detection scanning-threat shun except ip-address 4.2.2.2 255.255.255.255
threat-detection scanning-threat shun except ip-address 4.2.2.3 255.255.255.255
threat-detection scanning-threat shun except ip-address insideserverip 255.255.255.255
threat-detection scanning-threat shun duration 3600
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept

Does this look good? Is there anything I should change / tweak / or add?

Please advise.

Thanks

abinjola Wed, 07/01/2009 - 00:34
  • Cisco Employee,

Yes, looks good, but chances are you may hit

CSCsk18037 per-client connection feature not working

Stuart Hare Wed, 07/01/2009 - 04:02

You're using match any in your class map; is this desirable? Are you just looking for DDoS protection for your web server?

You could create an access-list for any src to your web server on just those 80 and 53 ports, and match that in your class map; that may reduce the amount of conns that are being inspected.

Also, you could have done this simply by using the static nat cmds, with max conn and max embryonic conn values for that server.

Just depends on what you are trying to achieve.


HTH


Stu

c0ldshadow Wed, 07/01/2009 - 19:20

I am running into a problem, lots of error messages in the log like:

3 Jul 01 2009 18:04:30 201013 10.1.1.1 38417 192.5.6.32 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/38417 to 192.5.6.32/53 on interface outside
4 Jul 01 2009 18:04:46 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 24 per second, max configured rate is 5; Cumulative total count is 14695
3 Jul 01 2009 18:04:10 201013 10.1.1.1 51226 199.71.0.63 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/51226 to 199.71.0.63/53 on interface outside

I removed per-client-max and set up CONNS-ACL to be:

access-list CONNS-ACL extended permit ip any host 10.1.1.1

My new config is as follows:

class-map CONNS-MAP
 match access-list CONNS-ACL
!
policy-map CONNS-POLICY
 class CONNS-MAP
  set connection conn-max 3000 embryonic-conn-max 6000 per-client-embryonic-max 1000
  set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
!
service-policy CONNS-POLICY interface outside

Should this fix the problem?

Thanks!
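Before loosening a connection limit it helps to know who is actually tripping it. The script below is an added example (not posted by anyone in this thread and not Cisco code): it parses the three ASA message types quoted above (201013 per-client limit, 733100 scanning-threat drop rate, 321001 system conns limit), aggregates the per-client hits by source address and destination port, and flags sources whose hits are all "output packet" events. In the sample above, which is the thread's own log lines embedded as a constructed input, every 201013 hit is the inside host 10.1.17.6 making outbound port 53 queries, which is what you would expect from the server's own DNS lookups rather than from an outside flood. The message formats are taken from the lines in this thread; the field names in the event dicts are this example's own choice.

```python
import re
from collections import Counter

# Constructed sample input: the three syslog lines quoted in the post above plus the
# 321001 line from the opening post, in the formats the thread shows.
SAMPLE_LOG = """\
3 Jul 01 2009 18:04:30 201013 10.1.1.1 38417 192.5.6.32 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/38417 to 192.5.6.32/53 on interface outside
4 Jul 01 2009 18:04:46 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 24 per second, max configured rate is 5; Cumulative total count is 14695
3 Jul 01 2009 18:04:10 201013 10.1.1.1 51226 199.71.0.63 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/51226 to 199.71.0.63/53 on interface outside
%ASA-5-321001: Resource 'conns' limit of 10000 reached for system
"""

# Message 201013: a per-client connection limit was hit for one flow.
PER_CLIENT_RE = re.compile(
    r"\b201013\b.*?Per-client connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for (?P<dir>input|output) packet from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)
# Message 733100: basic threat detection saw a drop rate above the configured threshold.
SCAN_RE = re.compile(
    r"\b733100\b.*?Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# Message 321001: the box-wide 'conns' resource limit was reached.
CONNS_RE = re.compile(r"321001: Resource 'conns' limit of (?P<limit>\d+) reached")


def parse_asa_log(text):
    """Turn raw ASA syslog text into a list of event dicts; lines of other types are skipped."""
    events = []
    for line in text.splitlines():
        m = PER_CLIENT_RE.search(line)
        if m:
            events.append({
                "type": "per_client_limit",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "direction": m["dir"], "current": int(m["cur"]), "limit": int(m["max"]),
                "iface": m["iface"],
            })
            continue
        m = SCAN_RE.search(line)
        if m:
            events.append({
                "type": "scanning_threat",
                "burst": int(m["burst"]), "burst_max": int(m["burst_max"]),
                "avg": int(m["avg"]), "avg_max": int(m["avg_max"]), "total": int(m["total"]),
            })
            continue
        m = CONNS_RE.search(line)
        if m:
            events.append({"type": "system_conn_limit", "limit": int(m["limit"])})
    return events


def summarize(events):
    """Aggregate events so the operator can see which host is hitting the per-client limit."""
    hits = Counter()        # (source address, destination port) -> number of 201013 messages
    directions = Counter()  # (source address, "input"/"output") -> number of 201013 messages
    scanning = []
    system_limits = []
    for ev in events:
        if ev["type"] == "per_client_limit":
            hits[(ev["src"], ev["dport"])] += 1
            directions[(ev["src"], ev["direction"])] += 1
        elif ev["type"] == "scanning_threat":
            scanning.append(ev)
        elif ev["type"] == "system_conn_limit":
            system_limits.append(ev["limit"])
    return {"per_client_hits": hits, "directions": directions,
            "scanning": scanning, "system_conn_limit": system_limits}


def outbound_only_sources(summary):
    """Sources whose per-client hits are all 'output packet' events, i.e. connections the
    inside host itself is opening (such as its own DNS lookups), not an inbound flood."""
    return sorted({src for (src, direction) in summary["directions"]
                   if direction == "output"
                   and summary["directions"].get((src, "input"), 0) == 0})


if __name__ == "__main__":
    s = summarize(parse_asa_log(SAMPLE_LOG))
    for (src, dport), n in s["per_client_hits"].most_common():
        print(f"{src} -> port {dport}: {n} per-client limit hits")
    print("outbound-only sources:", outbound_only_sources(s))
    print("scanning-threat events:", len(s["scanning"]), "system conns limit:", s["system_conn_limit"])
```

Feed it `show logging` output or the syslog file instead of SAMPLE_LOG; if the outbound-only list contains your web server's address and the destination port is 53, the per-client limit is counting the server's own resolver traffic, which is a different problem from the inbound SYN flood the policy was written for and argues for scoping the class map to inbound traffic to the server, as suggested earlier in the thread.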

