04-13-2012 09:10 AM - edited 03-11-2019 03:53 PM
Hi,
I'm using a Cisco 5520 with 8.4. I tried to test my appliance with a SYN attack on my published server behind my ASA on port 80, and this really, really put my firewall out of the game.
I used the hping security test tool with this command: hping -i u1 -S -p 80
So can someone tell me how to prevent these attacks on my firewall?
Regards
04-13-2012 03:30 PM
Hello Power,
How to prevent a SYN attack on an ASA:
I would recommend using the maximum number of embryonic connections and the timeout for embryonic connections; this can be configured using the MPF.
I am going to use the following example provided by Cisco to show you how it is configured:
ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap global
Once this is configured, give it a try and see how it works.
Regards,
Julio
DO rate all the helpful posts!!!
04-14-2012 03:48 AM
Hi jcar,
I tried this example, and when I test the security using this SYN flood attack, the CPU of the ASA 5520 overloads and uses 100% of its capacity!!!
The published websites go down and the VPN becomes unstable.
Regards
04-14-2012 11:26 AM
Hello,
What version are you running?? That should not happen.
Please read the following link, the one I used to provide you with the information.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
04-15-2012 10:10 AM
Hello,
I'm using a Cisco 5520 running 8.4.1 firmware and ASDM 6.4.
I used these documents before I posted for help on the Cisco forum!!!
Regards
04-15-2012 11:21 AM
Hello,
So next time it would be good to know all the procedures you have done before posting the question; this would help us help you in a better way and so much faster!!!!
Please provide the running configuration with the MPF setup...
04-16-2012 02:46 PM
Hi,
This is a copy-paste of my ASA 5520; I cut off the VPN and other unnecessary information.
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxxxxxxxxx
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 0
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
security-level 50
no ip address
!
interface Redundant1.3
vlan 3
nameif inside
security-level 50
ip address xxxxxxxxxxxxxxxxxx
!
interface Redundant1.x
vlan 5
nameif DMZ
security-level 49
ip address xxxxxxxxxxxxxxxxxxxxxxxxx
boot config disk0:/run-cfg-16-03-12
ftp mode passive
clock timezone gmt+1 1
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxxxxxxxxxxxx
domain-name xxxxxxx
dns server-group Gcc-DNS
name-server xxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
!
pager lines 24
logging enable
logging list auth level emergencies class auth
logging trap warnings
logging history warnings
logging asdm debugging
logging mail auth
logging host inside xxxxxxxxxx
logging permit-hostdown
flow-export destination inside xxxxxxxxxxxx 9996
flow-export delay flow-create 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name attackdrop attack action drop
ip audit interface outside attackdrop
ip audit interface DMZ attackdrop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
access-group inside_access_in_2 in interface inside control-plane
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map tcp_syn
match port tcp eq www
class-map inside-class
match dscp ef
class-map inside-class1
match port udp eq sip
policy-map tcpmap
class tcp_syn
set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00
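An added example, not from the thread: a small Python audit that parses the MPF lines pasted above (class-map, policy-map, set connection) and reports, for each class that caps embryonic connections, its limits and whether its policy-map is actually bound with a service-policy. The sample config is constructed from the paste plus the "service-policy tcpmap global" line from the earlier answer, which is assumed here since the paste ends before any such line.

```python
# Constructed sample: the MPF lines pasted in the thread, plus the "service-policy
# tcpmap global" line from the earlier answer (assumed; the paste ends before it).
SAMPLE_CONFIG = """\
class-map tcp_syn
 match port tcp eq www
policy-map tcpmap
 class tcp_syn
  set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
  set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00
service-policy tcpmap global
"""
def parse_mpf(config):
    """Collect class-map match lines, per-class 'set connection' values, service-policy bindings."""
    class_maps, policy_maps, bindings = {}, {}, []
    cmap = pmap = cls = None  # current parsing context
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            cmap, pmap, cls = line.split()[1], None, None
            class_maps[cmap] = []
        elif line.startswith("policy-map "):
            pmap, cmap, cls = line.split()[1], None, None
            policy_maps[pmap] = {}
        elif line.startswith("service-policy "):
            bindings.append(line.split()[1])  # policy-map name that is actually applied
        elif pmap and line.startswith("class "):
            cls = line.split()[1]
            policy_maps[pmap][cls] = {}
        elif pmap and cls and line.startswith("set connection "):
            tokens = line.split()[2:]
            prefix = "timeout-" if tokens[0] == "timeout" else ""  # "set connection timeout ..." form
            tokens = tokens[1:] if prefix else tokens
            for key, value in zip(tokens[::2], tokens[1::2]):
                policy_maps[pmap][cls][prefix + key] = value
        elif cmap and line.startswith("match "):
            class_maps[cmap].append(line[len("match "):])
    return class_maps, policy_maps, bindings

def audit_syn_protection(config):
    """List each policy class that caps embryonic (half-open) TCP connections and whether it is bound."""
    class_maps, policy_maps, bindings = parse_mpf(config)
    findings = []
    for pmap, classes in policy_maps.items():
        for cls, s in classes.items():
            if "embryonic-conn-max" in s or "per-client-embryonic-max" in s:
                findings.append({"policy_map": pmap, "class": cls, "applied": pmap in bindings,
                                 "matches": class_maps.get(cls, []), "embryonic_timeout": s.get("timeout-embryonic"),
                                 "embryonic_conn_max": int(s.get("embryonic-conn-max", 0)),
                                 "per_client_embryonic_max": int(s.get("per-client-embryonic-max", 0))})
    return findings
```

Run it against a real "show running-config" capture to confirm the limits are both present and applied; a policy-map that is never referenced by a service-policy protects nothing.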
06-18-2012 06:52 AM
Power, I have the same problem.
How do you resolve that?
Thanks in advance.