Mitigating syn attack on asa 5520

Unanswered Question
Apr 13th, 2012

hi,

I'm using a Cisco 5520 with 8.4. I tried to test my appliance with a SYN attack on my published server behind my ASA on port 80, and this really, really put my firewall out of the game.

I used the hping security test tool with this command: hping -i u1 -S -p 80

So can someone tell me how to prevent these attacks on my firewall.

regards

Julio Carvaja Fri, 04/13/2012 - 15:30

Hello Power,

How to prevent a SYN attack on an ASA:

I would recommend using the maximum number of embryonic connections and the timeout for embryonic connections; this can be configured using the MPF.

I am going to use the following example provided by Cisco to show you how it is configured:

ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap global

Configure this, give it a try and see how it works.

Regards,

Julio

DO rate all the helpful posts!!!

power.srvi Sat, 04/14/2012 - 03:48

Hi jcar,

I tried this example, and when I test the security using this SYN flood attack the CPU of the ASA 5520 overloads and uses 100% of its capacity!!!

The published websites go down and the VPN becomes unstable.

regards

power.srvi Sun, 04/15/2012 - 10:10

hello,

I'm using a Cisco 5520 running 8.4.1 firmware and ASDM 6.4.

I used these documents before I posted a request for help on the Cisco forum!!!

regards

Julio Carvaja Sun, 04/15/2012 - 11:21

Hello,

So next time it would be good to know all the procedures you have done before posting the question; this would help us help you in a better way and so much faster!!!!

Please provide the running configuration with the MPF setup...

power.srvi Mon, 04/16/2012 - 14:46

hi,

This is a copy-paste of my ASA 5520; I cut out the VPN and other unnecessary information.

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxxxxxxxxx
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 0
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
security-level 50
no ip address
!
interface Redundant1.3
vlan 3
nameif inside
security-level 50
ip address xxxxxxxxxxxxxxxxxx
!
interface Redundant1.x
vlan 5
nameif DMZ
security-level 49
ip address xxxxxxxxxxxxxxxxxxxxxxxxx
boot config disk0:/run-cfg-16-03-12
ftp mode passive
clock timezone gmt+1 1
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxxxxxxxxxxxx
domain-name xxxxxxx
dns server-group Gcc-DNS
name-server xxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
!
pager lines 24
logging enable
logging list auth level emergencies class auth
logging trap warnings
logging history warnings
logging asdm debugging
logging mail auth
logging host inside xxxxxxxxxx
logging permit-hostdown
flow-export destination inside xxxxxxxxxxxx 9996
flow-export delay flow-create 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name attackdrop attack action drop
ip audit interface outside attackdrop
ip audit interface DMZ attackdrop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
access-group inside_access_in_2 in interface inside control-plane
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map tcp_syn
match port tcp eq www
class-map inside-class
match dscp ef
class-map inside-class1
match port udp eq sip
policy-map tcpmap
class tcp_syn
  set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
  set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00
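As an added example for this thread (not Cisco's code, and not the asker's), here is a small Python audit script that parses the class-map / policy-map / service-policy lines exchanged above and reports gaps in the TCP/80 SYN protection: a policy-map that is defined but never applied with service-policy, a missing embryonic-conn-max (the limit whose breach makes the ASA start TCP intercept with SYN cookies), a missing per-client-embryonic-max, and an unusually long embryonic timeout. The two sample configs embedded in it are constructed from Julio's example and from the posted running-config fragment; the port-name table and the 60 second timeout threshold are assumptions chosen for this example.

```python
"""Audit SYN-flood connection limits in a Cisco ASA MPF config (added example, not Cisco's code)."""
import re
from typing import Any, Dict, List

# Constructed sample: Julio's MPF example with the CLI prompts removed.
EXAMPLE_CONFIG = """
class-map tcp_syn
 match port tcp eq 80
policy-map tcpmap
 class tcp_syn
  set connection conn-max 100
  set connection embryonic-conn-max 200
  set connection per-client-embryonic-max 10
  set connection timeout embryonic 0:0:45
service-policy tcpmap global
"""

# Constructed sample: the MPF part of the running config the asker posted;
# that fragment stops before any service-policy line.
POSTED_CONFIG = """
class-map tcp_syn
match port tcp eq www
policy-map tcpmap
class tcp_syn
  set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
  set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # assumption: enough names for this example
LIMIT_KEYS = ("conn-max", "embryonic-conn-max", "per-client-max", "per-client-embryonic-max")
MAX_EMBRYONIC_TIMEOUT = 60  # seconds; heuristic threshold chosen for this example

def hms_to_seconds(text: str) -> int:
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def parse_mpf(config_text: str) -> Dict[str, Any]:
    """State-machine parse of class-map / policy-map / service-policy lines; all else is ignored."""
    class_maps: Dict[str, List[str]] = {}                    # class-map name -> match lines
    policy_maps: Dict[str, Dict[str, Dict[str, int]]] = {}   # policy-map -> class -> limits
    applied: List[str] = []                                  # policy-maps named in a service-policy
    cmap = pmap = pclass = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("<---"):
            continue  # blank line, comment, or pager residue such as "<--- More --->"
        if line.startswith("class-map"):
            pmap = pclass = None
            cmap = line.split()[1] if re.match(r"class-map \S+$", line) else None  # 'class-map type ...' skipped
            if cmap:
                class_maps[cmap] = []
        elif line.startswith("policy-map"):
            cmap = pclass = None
            pmap = line.split()[1] if re.match(r"policy-map \S+$", line) else None  # 'policy-map type ...' skipped
            if pmap:
                policy_maps.setdefault(pmap, {})
        elif re.match(r"service-policy \S+ (global|interface \S+)$", line):
            applied.append(line.split()[1])
        elif cmap and line.startswith("match "):
            class_maps[cmap].append(line)
        elif pmap and re.match(r"class \S+$", line):
            pclass = line.split()[1]
            policy_maps[pmap].setdefault(pclass, {})
        elif pmap and pclass and line.startswith("set connection timeout"):
            m = re.search(r"\bembryonic (\d+:\d+:\d+)", line)
            if m:
                policy_maps[pmap][pclass]["embryonic-timeout"] = hms_to_seconds(m.group(1))
        elif pmap and pclass and line.startswith("set connection"):
            for key, value in re.findall(r"\b(%s) (\d+)" % "|".join(LIMIT_KEYS), line):
                policy_maps[pmap][pclass][key] = int(value)
    return {"class_maps": class_maps, "policy_maps": policy_maps, "applied": applied}

def class_matches_tcp_port(match_lines: List[str], port: int) -> bool:
    for match_line in match_lines:
        m = re.match(r"match port tcp eq (\S+)$", match_line)
        if m:
            token = m.group(1)
            if (int(token) if token.isdigit() else PORT_NAMES.get(token)) == port:
                return True
    return False

def audit_syn_protection(cfg: Dict[str, Any], port: int = 80) -> List[str]:
    """Return findings for the classes covering tcp/<port>; an empty list means no gaps were found."""
    findings, covered = [], False
    for pmap, classes in cfg["policy_maps"].items():
        for cname, limits in classes.items():
            if not class_matches_tcp_port(cfg["class_maps"].get(cname, []), port):
                continue
            covered, where = True, "%s/%s" % (pmap, cname)
            if pmap not in cfg["applied"]:
                findings.append(where + ": policy-map is not applied by any service-policy")
            if "embryonic-conn-max" not in limits:
                findings.append(where + ": no embryonic-conn-max, so TCP intercept never engages")
            if "per-client-embryonic-max" not in limits:
                findings.append(where + ": no per-client-embryonic-max; one source can use the whole embryonic budget")
            if limits.get("embryonic-timeout", 0) > MAX_EMBRYONIC_TIMEOUT:
                findings.append(where + ": embryonic timeout of %ds holds half-open entries a long time" % limits["embryonic-timeout"])
    if not covered:
        findings.append("no policy-map class matches tcp/%d" % port)
    return findings

if __name__ == "__main__":
    for label, text in (("Julio's example", EXAMPLE_CONFIG), ("posted fragment", POSTED_CONFIG)):
        print("%s: %s" % (label, audit_syn_protection(parse_mpf(text)) or ["no gaps found"]))
```

Run as a script, it audits both samples: Julio's example comes back clean, and the posted fragment's only finding is that nothing applies policy-map tcpmap, which is consistent with the fragment ending before the service-policy part of the config. The check is about configuration, not capacity; the thread itself shows the box being driven to 100% CPU with these limits in place, so passing the audit does not mean the appliance can absorb a flood at line rate.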

Posted April 13, 2012 at 9:10 AM
Stats:
Replies:7 Avg. Rating:1
Views:1286 Votes:1