rate limit new tcp connections per second

Unanswered Question
Sep 16th, 2010

Does anyone know the best way to limit the number of incoming new TCP connections to a server through a Cisco ASA Firewall?

I am guessing it is using a service policy and the Per Client Embryonic Connections option, however I'm not certain of the interpretation of the word "Client" in this case or which way round to do the service policy.

i.e. Outside class or inside class?

Any examples or advice would be gratefully received.

Thanks.

coto.fusionet Thu, 09/16/2010 - 07:31

Used to be done with the NAT/STATIC commands where you can set the limit for the connections to a particular server.

Now, Cisco recommends using the MPF (create a class-map, policy-map, service-policy).

Federico.

mirober2 Thu, 09/16/2010 - 07:42

Hi Mike,

Here is an example for what Federico described. Assume you have a web server at 10.1.1.1 on the inside translated to 1.1.1.1 on the outside and you want to limit clients (whoever initiates the connection) to 10 simultaneous connections to the server:

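! Match HTTP traffic to the server's translated (outside) address
access-list conn-limit-acl permit tcp any host 1.1.1.1 eq www
!
class-map conn-limit-class
  match access-list conn-limit-acl
!
! Limit each client to 10 simultaneous connections
policy-map conn-limit-policy
  class conn-limit-class
     set connection per-client-max 10
!
! Apply the policy to the outside interface
service-policy conn-limit-policy interface outside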

You can also use 'set connection per-client-embryonic-max' to limit the amount of half-open connections that are allowed. This will help to prevent SYN flood attacks. The 'conn-max' and 'embryonic-conn-max' can be used to limit the total number of connections and half-open connections to the server as well.

Hope that helps.

-Mike

praprama Thu, 09/16/2010 - 07:47

Hey,

Here are the details about the command you are referring to:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

If you want to restrict the maximum number of connections to the server and it does not matter to you how many connections one particular client makes, then you will just use "set connection conn-max n".

If you also want to restrict the number of connections made by each client, then you will use the command "set connection per-client-max n".

We also have settings for embryonic (half-open) connections which are mainly to avoid DoS attacks (using TCP intercepts).

The term client refers to the particular host that will be initiating the TCP connection to the server, that is, the host that will be trying to connect to the server. The same is mentioned in the link above as well.

Let me know if this helps!!

Regards,

Prapanch

mikedelafield Thu, 09/16/2010 - 07:54

But is "set connection conn-max n" the total number of connections or the total number of connections per second?

Also, it looks like this is an outside class.

praprama Thu, 09/16/2010 - 07:58

Well, that is the maximum number of connections possible totally at any point of time and not over a period of time like a second. Are you looking at limiting the number of connections per second?

It can be applied on the outside interface or globally as needed.

Regards,

Prapanch

mikedelafield Thu, 09/16/2010 - 08:06

One of our systems has a habit of disconnecting its clients and upon restart we receive a massive amount of connections caused by re-connecting clients over a short period of time and this then has the knock-on effect of overloading the target server.

What we would like to do is stagger or slow down these connections so they don't all connect at once.

Overall the connections are legitimate as the clients do need to re-connect, so it's not that we want to limit the total number.

Instead we would perhaps like to limit the number that are connecting per second?

Or is there some other or better way to achieve this?

praprama Thu, 09/16/2010 - 08:20

I get where you are coming from. Well, even if we set up the maximum connection settings, the connections are not really going to be denied; instead the ASA is going to use SYN cookies or TCP intercepts to confirm that the client trying to connect is indeed a legitimate host and not part of a DoS attack. So, if those connections are going to be legitimate, the connections are still going to be forwarded to the server in your network, which will end up overloading it upon a reload.

I cannot really think of a way of doing this. The ASA does not have a way of doing this, at least that I am aware of.

Regards,

Prapanch
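
The difference discussed above between a cap on simultaneous connections and a cap on new connections per second, as an added example that is not part of any post and is not ASA code or an ASA feature. It is a Python simulation of a reconnect storm with constructed numbers; the simultaneous cap is modelled as refusing new connections once the limit is reached, and the token bucket is a generic rate limiter used here only for comparison.

```python
def simulate(clients, seconds, admit):
    """Reconnect storm: each waiting client retries once per second until
    admitted; admitted connections stay open for the rest of the run."""
    waiting, open_conns, per_second = clients, 0, []
    for t in range(seconds):
        admitted = 0
        for _ in range(waiting):
            if admit(t, open_conns + admitted):
                admitted += 1
        waiting -= admitted
        open_conns += admitted
        per_second.append(admitted)
    return {
        "peak_new_per_sec": max(per_second),
        "never_admitted": waiting,
        "last_admit_second": max(
            (t for t, n in enumerate(per_second) if n), default=None),
    }

def concurrent_cap(limit):
    """Assumed model of a simultaneous-connection limit: admit while fewer
    than `limit` connections are open, regardless of arrival rate."""
    return lambda t, open_conns: open_conns < limit

class TokenBucket:
    """Generic rate limiter: at most `rate` new connections per second,
    with bursts of up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0

    def __call__(self, t, open_conns):
        # Refill for the time elapsed since the last decision.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

if __name__ == "__main__":
    CLIENTS, SECONDS = 2000, 60  # constructed sample values
    print("cap >= clients :", simulate(CLIENTS, SECONDS, concurrent_cap(5000)))
    print("cap <  clients :", simulate(CLIENTS, SECONDS, concurrent_cap(1500)))
    print("50 new/second  :", simulate(CLIENTS, SECONDS, TokenBucket(50, 50)))
```

With long-lived connections, a simultaneous cap either lets the whole storm through in the first second or leaves some clients locked out; only the per-second limiter spreads the same 2000 clients over 40 seconds.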

stefan.radovanovici Fri, 05/17/2013 - 02:36

Hello Prapanch,

What about if the connections are to be terminated by the ASA itself? I.e. what happens if the ASA suddenly receives 2000 legitimate incoming VPN connections (ISAKMP, basically) within a very short amount of time (within 10 seconds or less)? Assuming the ASA itself is licensed for that amount (for example the 5540 can have a max of 5000 IPsec peers), will the ASA be overloaded and be basically DoS'ed?

Regards,

Stefan

Posted September 16, 2010 at 7:16 AM