06-30-2009 09:40 PM - edited 03-11-2019 08:49 AM
Hi, I am trying to prevent DDoS / SYN flood attacks on an ASA 5505 (simplest version, DMZ-restricted license). The ASA is in front of a web server with approximately 2500 unique visits a day. Only ports 80 and 53 (TCP/UDP) are open.
Once or twice a day I see a large amount of errors like:
%ASA-5-321001: Resource 'conns' limit of 10000 reached for system
Here is what I have done so far:
class-map CONNS-MAP
match any
policy-map CONNS-POLICY
class CONNS-MAP
set connection conn-max 3000 embryonic-conn-max 6000 per-client-max 500 per-client-embryonic-max 1000
set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
!
service-policy CONNS-POLICY interface outside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address myip 255.255.255.255
threat-detection scanning-threat shun except ip-address 4.2.2.2 255.255.255.255
threat-detection scanning-threat shun except ip-address 4.2.2.3 255.255.255.255
threat-detection scanning-threat shun except ip-address insideserverip 255.255.255.255
threat-detection scanning-threat shun duration 3600
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
Does this look good? Is there anything I should change / tweak / or add?
Please advise.
Thanks
07-01-2009 12:34 AM
Yes, looks good, but chances are you may hit
CSCsk18037 per-client connection feature not working
07-01-2009 04:02 AM
You're using match any in your class map; is this desirable? Are you just looking for DDoS protection for your web server?
You could create an access-list for any source to your web server on just those ports 80 and 53, and match that in your class map; this may reduce the number of connections that are being inspected.
Also, you could have done this simply by using the static NAT commands, with max conn and max embryonic conn values for that server.
Just depends on what you are trying to achieve.
HTH
Stu
07-01-2009 07:20 PM
I am running into a problem: lots of error messages in the log like:
3 Jul 01 2009 18:04:30 201013 10.1.1.1 38417 192.5.6.32 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/38417 to 192.5.6.32/53 on interface outside
4 Jul 01 2009 18:04:46 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 24 per second, max configured rate is 5; Cumulative total count is 14695
3 Jul 01 2009 18:04:10 201013 10.1.1.1 51226 199.71.0.63 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/51226 to 199.71.0.63/53 on interface outside
I removed per-client-max and set up CONNS-ACL to be:
access-list CONNS-ACL extended permit ip any host 10.1.1.1
My new config is as follows:
class-map CONNS-MAP
match access-list CONNS-ACL
policy-map CONNS-POLICY
class CONNS-MAP
set connection conn-max 3000 embryonic-conn-max 6000 per-client-embryonic-max 1000
set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
service-policy CONNS-POLICY interface outside
Should this fix the problem?
Thanks!
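As an added example (not part of the thread or of any Cisco tool), here is a small Python triage script for the three message IDs quoted above: 201013 (per-client connection limit exceeded), 733100 (threat-detection drop rate exceeded) and 321001 (resource limit reached). It pulls the fields out of each message and, for 201013, flags inside hosts that are being throttled on outbound traffic, which is the symptom the third post shows when the policy is applied with `match any` and catches the server's own DNS lookups. The sample log lines are constructed (documentation addresses, made-up counters) and the 10.0.0.0/8 "inside" prefix is an assumption, since the thread does not state the inside address space.

```python
"""Triage ASA connection-limit and threat-detection syslog messages.

Added example, not from the original post. Handles message IDs 201013,
733100 and 321001 as quoted in the thread. Sample lines and the inside
address space are constructed/assumed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# 201013: per-client connection limit exceeded
RE_201013 = re.compile(
    r"201013.*?Per-client connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for (?P<dir>input|output) packet from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)"
)
# 733100: threat-detection drop rate exceeded
RE_733100 = re.compile(
    r"733100 \[\s*(?P<cat>[^\]]*?)\s*\] drop rate-(?P<rate>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# 321001: system resource limit reached
RE_321001 = re.compile(
    r"321001: Resource '(?P<res>\w+)' limit of (?P<limit>\d+) reached for (?P<scope>\w+)"
)

# Assumed inside address space (the thread does not say what it is).
INSIDE_NETS = [ip_network("10.0.0.0/8")]


def is_inside(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INSIDE_NETS)


def parse_line(line: str):
    """Return a dict describing the message, or None if it is not one we handle."""
    m = RE_201013.search(line)
    if m:
        d = m.groupdict()
        return {
            "id": "201013", "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "dir": d["dir"], "ifc": d["ifc"],
            "cur": int(d["cur"]), "max": int(d["max"]),
            # Inside source to outside destination: the per-client limit is
            # hitting our own outbound traffic, not an outside client.
            "outbound": is_inside(d["src"]) and not is_inside(d["dst"]),
        }
    m = RE_733100.search(line)
    if m:
        d = m.groupdict()
        return {"id": "733100", "category": d["cat"],
                "burst": int(d["burst"]), "burst_max": int(d["burst_max"]),
                "avg": int(d["avg"]), "avg_max": int(d["avg_max"]),
                "total": int(d["total"])}
    m = RE_321001.search(line)
    if m:
        d = m.groupdict()
        return {"id": "321001", "resource": d["res"],
                "limit": int(d["limit"]), "scope": d["scope"]}
    return None


def summarize(log_text: str) -> dict:
    """Aggregate a block of syslog text into the counters an operator wants."""
    per_client = Counter()       # src -> number of 201013 hits
    outbound_throttled = set()   # inside hosts throttled on outbound traffic
    threat = {}                  # category -> latest cumulative drop count
    resources = {}               # resource -> configured limit
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["id"] == "201013":
            per_client[ev["src"]] += 1
            if ev["outbound"]:
                outbound_throttled.add(ev["src"])
        elif ev["id"] == "733100":
            threat[ev["category"]] = ev["total"]
        elif ev["id"] == "321001":
            resources[ev["resource"]] = ev["limit"]
    return {"per_client": dict(per_client),
            "outbound_throttled": sorted(outbound_throttled),
            "threat_drops": threat,
            "resource_limits": resources}


# Constructed sample lines modelled on the formats quoted in the thread;
# addresses are from documentation ranges and counters are made up.
SAMPLE_LOG = """\
3 Jul 01 2009 18:04:30 201013 10.1.17.6 38417 198.51.100.53 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/38417 to 198.51.100.53/53 on interface outside
3 Jul 01 2009 18:04:31 201013 10.1.17.6 38418 198.51.100.54 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/38418 to 198.51.100.54/53 on interface outside
3 Jul 01 2009 18:04:32 201013 203.0.113.7 51000 10.1.1.1 80 Per-client connection limit exceeded 500/500 for input packet from 203.0.113.7/51000 to 10.1.1.1/80 on interface outside
4 Jul 01 2009 18:04:46 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 24 per second, max configured rate is 5; Cumulative total count is 14695
%ASA-5-321001: Resource 'conns' limit of 10000 reached for system
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host in s["outbound_throttled"]:
        print(f"inside host {host} is throttled by the per-client limit on outbound traffic")
    print(s)
```

Feed it a syslog export instead of SAMPLE_LOG and any host listed under outbound_throttled is a sign the policy is matching more than the inbound web traffic it was written for; the 733100 category and the 321001 resource name tell you whether threat detection or the platform connection ceiling is what is actually dropping packets.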