04-13-2012 09:10 AM - edited 03-11-2019 03:53 PM
Hi,
I'm using a Cisco ASA 5520 with 8.4. I tried to test my appliance with a SYN attack on my published server behind my ASA on port 80, and this really, really put my firewall out of the game.
I used the hping security test tool with this command: hping -i u1 -S -p 80
So can someone tell me how to prevent these attacks on my firewall?
Regards
04-13-2012 03:30 PM
Hello Power,
How to prevent a SYN attack on an ASA:
I would recommend using the maximum number of embryonic connections and the timeout for embryonic connections; this can be configured using the MPF.
I am going to use the following example provided by Cisco to show you how it is configured:
ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap global
Once this is configured, give it a try and see how it works.
Regards,
Julio
DO rate all the helpful posts!!!
04-14-2012 03:48 AM
Hi jcar,
I tried this example, and when I test the security using this SYN flood attack, the CPU of the ASA 5520 overloads and uses 100% of its capacity!!!
The published websites go down and the VPN becomes unstable.
Regards
04-14-2012 11:26 AM
Hello,
What version are you running?? That should not happen.
Please read the following link, the one I used to provide you the information:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
04-15-2012 10:10 AM
Hello,
I'm using a Cisco 5520 running 8.4.1 firmware and ASDM 6.4.
I used this document before I posted a request for help on the Cisco forum!!!
Regards
04-15-2012 11:21 AM
Hello,
So next time it would be good to know all the procedures you have done before posting the question; this would help us help you in a better way and much faster!!!!
Please provide the running configuration with the MPF setup...
04-16-2012 02:46 PM
Hi,
This is a copy-paste of my ASA 5520; I cut out the VPN and other unnecessary information.
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxxxxxxxxx
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 0
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
security-level 50
no ip address
!
interface Redundant1.3
vlan 3
nameif inside
security-level 50
ip address xxxxxxxxxxxxxxxxxx
!
interface Redundant1.x
vlan 5
nameif DMZ
security-level 49
ip address xxxxxxxxxxxxxxxxxxxxxxxxx
boot config disk0:/run-cfg-16-03-12
ftp mode passive
clock timezone gmt+1 1
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxxxxxxxxxxxx
domain-name xxxxxxx
dns server-group Gcc-DNS
name-server xxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
!
pager lines 24
logging enable
logging list auth level emergencies class auth
logging trap warnings
logging history warnings
logging asdm debugging
logging mail auth
logging host inside xxxxxxxxxx
logging permit-hostdown
flow-export destination inside xxxxxxxxxxxx 9996
flow-export delay flow-create 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name attackdrop attack action drop
ip audit interface outside attackdrop
ip audit interface DMZ attackdrop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
access-group inside_access_in_2 in interface inside control-plane
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map tcp_syn
match port tcp eq www
class-map inside-class
match dscp ef
class-map inside-class1
match port udp eq sip
policy-map tcpmap
class tcp_syn
set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00
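To make the behaviour of the 'set connection' limits concrete, here is an added simulation (written for this page, not Cisco code and not taken from the posted configuration). It models the accounting of embryonic-conn-max, per-client-embryonic-max and 'timeout embryonic' over a constructed SYN trace, using Julio's values (200 / 10 / 45 s) and, for comparison, the 5-second embryonic timeout from the configuration above. The source addresses, ports and timings are constructed; the model does not reproduce TCP intercept, which on a real ASA proxies the handshake with SYN cookies once the embryonic limit is reached instead of plainly dropping, so the packet-processing cost stays on the firewall. That is consistent with the 100% CPU reported in this thread: these limits protect the server behind the ASA, they do not reduce the work the ASA itself has to do per SYN.

```python
"""Simulation of the ASA MPF embryonic-connection limits discussed in this thread.
Added illustration, not Cisco code: it models the accounting of
embryonic-conn-max, per-client-embryonic-max and 'timeout embryonic'
over a constructed SYN stream. It does NOT model TCP intercept (SYN cookies),
which the real appliance applies once the embryonic limit is reached."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class EmbryonicPolicy:
    # values from the 'set connection' lines in the reply above
    embryonic_conn_max: int = 200
    per_client_embryonic_max: int = 10
    embryonic_timeout: float = 45.0   # seconds; 0:0:45 in the reply, 0:00:05 in the posted config


@dataclass
class ConnTable:
    policy: EmbryonicPolicy
    # (src_ip, src_port) -> time the SYN was seen
    embryonic: dict = field(default_factory=dict)
    # src_ip -> number of half-open connections charged to that client
    per_client: dict = field(default_factory=lambda: defaultdict(int))
    # drop reason -> count
    drops: dict = field(default_factory=lambda: defaultdict(int))

    def _remove(self, key):
        del self.embryonic[key]
        self.per_client[key[0]] -= 1

    def expire(self, now):
        """Half-open entries older than the embryonic timeout are torn down."""
        for key in [k for k, t in self.embryonic.items()
                    if now - t >= self.policy.embryonic_timeout]:
            self._remove(key)

    def syn(self, now, src, sport):
        """Account for one inbound SYN; returns 'allow' or 'drop'."""
        self.expire(now)
        key = (src, sport)
        if key in self.embryonic:          # retransmit of a SYN already tracked
            return "allow"
        if len(self.embryonic) >= self.policy.embryonic_conn_max:
            self.drops["embryonic-conn-max"] += 1
            return "drop"
        if self.per_client[src] >= self.policy.per_client_embryonic_max:
            self.drops["per-client-embryonic-max"] += 1
            return "drop"
        self.embryonic[key] = now
        self.per_client[src] += 1
        return "allow"

    def ack(self, now, src, sport):
        """Final ACK of the handshake: the connection is no longer embryonic."""
        key = (src, sport)
        if key not in self.embryonic:
            return False
        self._remove(key)
        return True


def single_source_flood(n=1000, src="198.51.100.7"):
    """hping -S -i u1 from one unspoofed address (constructed trace):
    the per-client limit caps the damage at 10 half-open entries."""
    table = ConnTable(EmbryonicPolicy())
    for i in range(n):
        table.syn(i * 1e-6, src, 1024 + i)    # -i u1: one SYN per microsecond
    return len(table.embryonic), dict(table.drops)


def spoofed_flood(n=1000, timeout=45.0, retry_at=6.0, client=("192.0.2.10", 51515)):
    """Every SYN from a different (spoofed, constructed) source, so the per-client
    limit never triggers and embryonic-conn-max fills in the first 200 packets.
    A legitimate client is then refused until the embryonic timeout expires."""
    table = ConnTable(EmbryonicPolicy(embryonic_timeout=timeout))
    for i in range(n):
        table.syn(i * 1e-6, f"10.0.{i // 256}.{i % 256}", 40000)
    during = table.syn(0.002, *client)     # right after the burst
    later = table.syn(retry_at, *client)   # the client retries later
    return during, later, dict(table.drops)


if __name__ == "__main__":
    print(single_source_flood())
    print(spoofed_flood(timeout=45.0))   # legitimate client still refused after 6 s
    print(spoofed_flood(timeout=5.0))    # recovers once the half-open entries expire
```

Two things stand out when you run it: the per-client limit only helps against an attacker who does not spoof the source (hping without --rand-source), and with spoofed sources the global embryonic cap is what bounds the table, so the embryonic timeout decides how quickly legitimate clients get back in after a burst.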
06-18-2012 06:52 AM
Power, I have the same problem.
How did you resolve it?
Thanks in advance.