18241 Views
0 Helpful
3 Replies

ASA DDoS / syn flood protection

c0ldshadow
Level 1

Hi, I am trying to prevent DDoS / SYN flood attacks on an ASA 5505 (simplest version, DMZ restricted license). The ASA is in front of a web server with approximately 2500 unique visits a day. Only ports 80 and 53 (TCP/UDP) are open.

Once or twice a day I see a large amount of errors like:

%ASA-5-321001: Resource 'conns' limit of 10000 reached for system

Here is what I have done so far:

class-map CONNS-MAP
 match any
policy-map CONNS-POLICY
 class CONNS-MAP
  set connection conn-max 3000 embryonic-conn-max 6000 per-client-max 500 per-client-embryonic-max 1000
  set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
!
service-policy CONNS-POLICY interface outside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address myip 255.255.255.255
threat-detection scanning-threat shun except ip-address 4.2.2.2 255.255.255.255
threat-detection scanning-threat shun except ip-address 4.2.2.3 255.255.255.255
threat-detection scanning-threat shun except ip-address insideserverip 255.255.255.255
threat-detection scanning-threat shun duration 3600
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept

Does this look good? Is there anything I should change / tweak / or add?

Please advise.

Thanks

3 Replies

abinjola
Cisco Employee

Yes, looks good, but chances are you may hit

CSCsk18037 per-client connection feature not working

Stuart Hare
Level 1

You're using "match any" in your class map; is this desirable? Are you just looking for DDoS protection for your web server?

You could create an access-list for any source to your web server on just those ports, 80 and 53, and match that in your class map; that may reduce the number of connections being inspected.

Also, you could have done this simply by using the static NAT commands' max conn and max embryonic conn values for that server.

Just depends on what you are trying to achieve.

HTH

Stu

I am running into a problem: lots of error messages in the log like:

3 Jul 01 2009 18:04:30 201013 10.1.1.1 38417 192.5.6.32 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/38417 to 192.5.6.32/53 on interface outside

4 Jul 01 2009 18:04:46 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 24 per second, max configured rate is 5; Cumulative total count is 14695

3 Jul 01 2009 18:04:10 201013 10.1.1.1 51226 199.71.0.63 53 Per-client connection limit exceeded 500/500 for output packet from 10.1.17.6/51226 to 199.71.0.63/53 on interface outside

I removed per-client-max and set up CONNS-ACL to be:

access-list CONNS-ACL extended permit ip any host 10.1.1.1

My new config is as follows:

class-map CONNS-MAP
 match access-list CONNS-ACL
policy-map CONNS-POLICY
 class CONNS-MAP
  set connection conn-max 3000 embryonic-conn-max 6000 per-client-embryonic-max 1000
  set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
service-policy CONNS-POLICY interface outside

Should this fix the problem?

Thanks!
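To see which host the per-client counter is actually being charged to, here is an added Python example (not from the thread or from Cisco) that parses the 201013 and 733100 syslog lines quoted in the post above and reports, per limited client, how many hits there were and whether that client is one of your own servers; the SAMPLE_LOG list is built from the quoted lines, and the protected_hosts argument is an assumption you fill with the addresses of the servers behind the ASA.

```python
import re
from collections import Counter
# 201013: per-client limit hit; "from A/p" is the address being counted as the client.
RE_201013 = re.compile(
    r"201013 .*?Per-client connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for (?P<dir>input|output) packet from (?P<src>[\d.]+)/\d+ "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)
# 733100: basic threat detection rate exceeded for a drop category (here "Scanning").
RE_733100 = re.compile(
    r"733100 \[\s*(?P<category>[^\]]+?)\s*\] drop rate-\d+ exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# Constructed sample: the three lines quoted in the post above.
SAMPLE_LOG = [
    "3 Jul 01 2009 18:04:30 201013 10.1.1.1 38417 192.5.6.32 53 Per-client connection limit "
    "exceeded 500/500 for output packet from 10.1.17.6/38417 to 192.5.6.32/53 on interface outside",
    "4 Jul 01 2009 18:04:46 733100 [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; "
    "Current average rate is 24 per second, max configured rate is 5; Cumulative total count is 14695",
    "3 Jul 01 2009 18:04:10 201013 10.1.1.1 51226 199.71.0.63 53 Per-client connection limit "
    "exceeded 500/500 for output packet from 10.1.17.6/51226 to 199.71.0.63/53 on interface outside",
]

def parse_asa_line(line):
    """Return a dict describing the event, or None if the line is neither message."""
    m = RE_201013.search(line)
    if m:
        d = m.groupdict()
        return {"id": 201013, "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
                "direction": d["dir"], "iface": d["iface"], "current": int(d["cur"]), "limit": int(d["max"])}
    m = RE_733100.search(line)
    if m:
        d = m.groupdict()
        return {"id": 733100, "category": d["category"], "burst": int(d["burst"]),
                "burst_max": int(d["burst_max"]), "avg": int(d["avg"]),
                "avg_max": int(d["avg_max"]), "total": int(d["total"])}
    return None

def per_client_report(lines, protected_hosts):
    """Count 201013 hits per limited client; a protected host listed in self_limited
    means the policy is counting that host's own outbound sessions (here DNS lookups)."""
    hits, by_port = Counter(), Counter()
    for ev in map(parse_asa_line, lines):
        if ev and ev["id"] == 201013:
            hits[ev["src"]] += 1
            by_port[(ev["src"], ev["dport"])] += 1
    self_limited = {ip for ip in hits if ip in protected_hosts}
    return {"hits": dict(hits), "by_port": dict(by_port), "self_limited": self_limited}
```

If your own server shows up in self_limited, the per-client limit is being charged to its outbound lookups rather than to inbound visitors, which is what the "match any" class map caused in the log above.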
