Mitigating syn attack on asa 5520

power.srvi
Level 1

hi,

I'm using a Cisco 5520 with 8.4. I tried to test my appliance with a SYN attack on my published server behind my ASA on port 80, and this really, really put my firewall out of the game.

I used the hping security test tool with this command: hping -i u1 -S -p 80

So can someone tell me how to prevent these attacks on my firewall?

regards

7 Replies

Julio Carvajal
VIP Alumni

Hello Power,

How to prevent a SYN attack on an ASA:

I would recommend using the maximum number of embryonic connections and the timeout for embryonic connections; this can be configured using the MPF.

I am going to use the following example provided by Cisco to show you how it is configured:

ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap global

Configure this, give it a try and see how it works.

Regards,

Julio

DO rate all the helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
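To make the four knobs in the class-map/policy-map above concrete, here is an added example (not code from this thread, from Cisco or from the ASA itself) that models conn-max, embryonic-conn-max, per-client-embryonic-max and the embryonic timeout as a small admission table and replays a constructed burst of SYNs through it. The source addresses are constructed documentation addresses, and the model simplifies one thing: a real ASA answers SYNs with SYN cookies (TCP intercept) once the embryonic limit is reached rather than silently dropping them, so here each refused SYN is only recorded against the limit that fired.

```python
"""Simplified model of ASA MPF 'set connection' limits under a SYN flood.

Added example; not code from the forum post, from Cisco or from the ASA.
Models conn-max, embryonic-conn-max, per-client-embryonic-max and
'timeout embryonic' as an admission table. Simplification: a real ASA
switches to TCP intercept (SYN cookies) at the embryonic limit instead of
dropping; here a refused SYN is just attributed to the limit that fired.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ConnLimits:
    """Values taken from the MPF example in the thread."""
    conn_max: int = 100                 # set connection conn-max 100
    embryonic_conn_max: int = 200       # set connection embryonic-conn-max 200
    per_client_embryonic_max: int = 10  # set connection per-client-embryonic-max 10
    embryonic_timeout: float = 45.0     # set connection timeout embryonic 0:0:45


class ConnTable:
    """Tracks half-open (embryonic) and established flows matched by the class."""

    def __init__(self, limits: ConnLimits):
        self.limits = limits
        self.established = 0
        self.embryonic = {}      # (client_ip, src_port) -> time the SYN was seen
        self.hits = Counter()    # which limit refused a SYN, and how often

    def expire(self, now: float) -> int:
        """Free half-open entries older than the embryonic timeout."""
        stale = [k for k, t0 in self.embryonic.items()
                 if now - t0 >= self.limits.embryonic_timeout]
        for k in stale:
            del self.embryonic[k]
        return len(stale)

    def syn(self, client_ip: str, src_port: int, now: float) -> str:
        """Admit or refuse a SYN; returns 'embryonic' or the name of the limit hit."""
        self.expire(now)
        key = (client_ip, src_port)
        if key in self.embryonic:
            return "retransmit"          # same flow, consumes no new slot
        # conn-max counts every flow in the class, half-open or established, so
        # with conn-max 100 below embryonic-conn-max 200 it is the limit that bites.
        if self.established + len(self.embryonic) >= self.limits.conn_max:
            self.hits["conn-max"] += 1
            return "conn-max"
        if len(self.embryonic) >= self.limits.embryonic_conn_max:
            self.hits["embryonic-conn-max"] += 1
            return "embryonic-conn-max"
        per_client = sum(1 for (ip, _) in self.embryonic if ip == client_ip)
        if per_client >= self.limits.per_client_embryonic_max:
            self.hits["per-client-embryonic-max"] += 1
            return "per-client-embryonic-max"
        self.embryonic[key] = now
        return "embryonic"

    def handshake_ack(self, client_ip: str, src_port: int) -> bool:
        """Final ACK of the three-way handshake: half-open becomes established."""
        key = (client_ip, src_port)
        if key not in self.embryonic:
            return False
        del self.embryonic[key]
        self.established += 1
        return True


def per_client_demo(limits: ConnLimits = ConnLimits()) -> dict:
    """One flooding source is capped by per-client-embryonic-max while a
    legitimate client still completes its handshake; after the embryonic
    timeout the flood's stale slots are released. Addresses are constructed."""
    table = ConnTable(limits)
    flood = Counter(table.syn("198.51.100.7", 40000 + i, now=0.0) for i in range(40))
    legit_syn = table.syn("192.0.2.10", 51000, now=1.0)
    legit_ok = table.handshake_ack("192.0.2.10", 51000)
    later = table.syn("198.51.100.7", 49999, now=limits.embryonic_timeout + 1.0)
    return {
        "flood_admitted": flood["embryonic"],
        "flood_refused_per_client": flood["per-client-embryonic-max"],
        "legit_syn": legit_syn,
        "legit_established": legit_ok,
        "after_timeout": later,
        "half_open_after_timeout": len(table.embryonic),
    }


def aggregate_limit_demo(n_syns: int = 150) -> Counter:
    """Many distinct sources, one SYN each (constructed 203.0.113.x addresses):
    per-client limits never fire, so the aggregate limits decide, and with
    these numbers conn-max 100 is reached long before embryonic-conn-max 200."""
    table = ConnTable(ConnLimits())
    return Counter(table.syn(f"203.0.113.{i}", 12345, now=0.0)
                   for i in range(1, n_syns + 1))


if __name__ == "__main__":
    print(per_client_demo())
    print(aggregate_limit_demo())
```

The second scenario is the one worth noticing in the values from the thread: because conn-max (100) is lower than embryonic-conn-max (200), the aggregate embryonic limit can never be reached, and once 100 half-open flows fill the class, legitimate clients are refused by conn-max as well. Sizing conn-max above the expected legitimate connection count and letting embryonic-conn-max and the per-client limit absorb the flood keeps the two limits from working against each other.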

hi jcar

I tried this example, and when I test the security using this SYN flood attack, the CPU of the ASA 5520 overloads and uses 100% of its capacity!!!

The published websites go down and the VPN becomes unstable.

regards

Hello,

What version are you running?? That should not happen.

Please read the following link, the one I used to provide you with the information.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hello,

I'm using a Cisco 5520 running 8.4.1 firmware and ASDM 6.4.

I used these documents before posting a request for help on the Cisco forum!!!

regards

Hello,

So next time it would be good to know all the procedures you have done before posting the question; this would let us help you in a better way and much faster!!!!

Please provide the running configuration with the MPF setup...

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hi,

This is a copy-paste from my ASA 5520; I cut off the VPN and other unnecessary information.

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 no nameif
 security-level 50
 no ip address
!
interface Redundant1.3
 vlan 3
 nameif inside
 security-level 50
 ip address xxxxxxxxxxxxxxxxxx
!
interface Redundant1.x
 vlan 5
 nameif DMZ
 security-level 49
 ip address xxxxxxxxxxxxxxxxxxxxxxxxx
boot config disk0:/run-cfg-16-03-12
ftp mode passive
clock timezone gmt+1 1
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxxxxxxxxxxxx
 domain-name xxxxxxx
dns server-group Gcc-DNS
 name-server xxxxxxxxxxxxxxxx
 domain-name xxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
!
pager lines 24
logging enable
logging list auth level emergencies class auth
logging trap warnings
logging history warnings
logging asdm debugging
logging mail auth
logging host inside xxxxxxxxxx
logging permit-hostdown
flow-export destination inside xxxxxxxxxxxx 9996
flow-export delay flow-create 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name attackdrop attack action drop
ip audit interface outside attackdrop
ip audit interface DMZ attackdrop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
access-group inside_access_in_2 in interface inside control-plane
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map tcp_syn
 match port tcp eq www
class-map inside-class
 match dscp ef
class-map inside-class1
 match port udp eq sip
policy-map tcpmap
 class tcp_syn
  set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
  set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00

Power, I have the same problem.

How do you resolve that?

Thanks in advance.
