
New Member

Controlling SYN flooding attack

We have a Cisco PIX 515E with PIX version 6.3(4). We are receiving continuous SYN packets for one specific server. Can we control this attack with the PIX 515E appliance? Please advise how to do this, if possible, on the PIX 515E.

Thanks in advance.

Regards,

Raghavan

5 REPLIES
New Member

Re: Controlling SYN flooding attack

Hi

Well, since to my knowledge you can't use TCP normalization in the 6.3 version, you are pretty much left with using the PIX's IDS function.

try this:

ip audit name PIX-IDS attack action reset

ip audit interface outside PIX-IDS

ip audit attack action reset

Note that you might need to disable some signatures depending on your network; you can do that with this command:

ip audit signature <signature_number> disable

Look up the signatures here:

http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808b4d46.html

Hope this helps you. If you use the 7.x version, let me know, then I can help you with a better config for normalisation of the TCP SYN flood.

Regards//Michel

New Member

Re: Controlling SYN flooding attack

I thought the PIX only supported a limited set of IDS signatures, and SYN attacks weren't one of them:

PIX# sh ip audit count
Signature Global
1000 I Bad IP Options List 0
1001 I Record Packet Route 0
1002 I Timestamp 0
1003 I Provide s,c,h,tcc 0
1004 I Loose Source Route 0
1005 I SATNET ID 0
1006 I Strict Source Route 0
1100 A IP Fragment Attack 0
1102 A Impossible IP Packet 0
1103 A IP Teardrop 0
2000 I ICMP Echo Reply 0
2001 I ICMP Unreachable 0
2002 I ICMP Source Quench 0
2003 I ICMP Redirect 0
2004 I ICMP Echo Request 0
2005 I ICMP Time Exceed 0
2006 I ICMP Parameter Problem 0
2007 I ICMP Time Request 0
2008 I ICMP Time Reply 0
2009 I ICMP Info Request 0
2010 I ICMP Info Reply 0
2011 I ICMP Address Mask Request 0
2012 I ICMP Address Mask Reply 0
2150 A Fragmented ICMP 0
2151 A Large ICMP 0
2154 A Ping of Death 0
3040 A TCP No Flags 0
3041 A TCP SYN & FIN Flags Only 0
3042 A TCP FIN Flag Only 0
3153 A FTP Improper Address 0
3154 A FTP Improper Port 0
4050 A Bomb 0
4051 A Snork 0
4052 A Chargen 0
6050 I DNS Host Info 0
6051 I DNS Zone Xfer 0
6052 I DNS Zone Xfer High Port 0
6053 I DNS All Records 0
6100 I RPC Port Registration 0
6101 I RPC Port Unregistration 0
6102 I RPC Dump 0
6103 A Proxied RPC 0
6150 I ypserv Portmap Request 0
6151 I ypbind Portmap Request 0
6152 I yppasswdd Portmap Request 0
6153 I ypupdated Portmap Request 0
6154 I ypxfrd Portmap Request 0
6155 I mountd Portmap Request 0
6175 I rexd Portmap Request 0
6180 I rexd Attempt 0
6190 A statd Buffer Overflow 0

Signature 3050 on the IPS is the signature for SYN attacks, but this is clearly not listed above.

New Member

Re: Controlling SYN flooding attack

:)

Oops, correct, it supports only a limited set of signatures. I took it for granted that SYN attacks were one of them.

I will see if I can find something out for you ;)

Regards//Michel

New Member

Re: Controlling SYN flooding attack

What you can do to "conserve" the host being attacked is to use the embryonic connection options in the static command.

You probably have a static configured for that host.

Check the static command in the manual:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

New Member

Re: Controlling SYN flooding attack

Didn't think of that one! :)

Also you can limit the embryonic connections in the nat command!

Example to limit embryonic sessions to 50:

nat (inside) 1 access-list Nat-List 0 50

on the static command:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy 0 50
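The embryonic-connection limit that the last two replies describe (the trailing "0 50" on the nat and static commands), modelled in Python as an added example; this is not PIX code and not from any poster, and the addresses and traffic are constructed:

```python
from collections import defaultdict

# Constructed model (not the PIX implementation) of an embryonic-connection
# limit: a connection that has sent a SYN but not finished the handshake is
# "embryonic" and counts against a per-host limit until its ACK arrives.

class EmbryonicLimiter:
    def __init__(self, em_limit):
        self.em_limit = em_limit            # 0 means unlimited, as on the PIX
        self.half_open = defaultdict(set)   # server -> {(client_ip, client_port)}
        self.dropped = defaultdict(int)     # server -> SYNs refused

    def count(self, server):
        return len(self.half_open[server])

    def handle(self, src, sport, dst, flags):
        """Process one packet summary; returns 'forward' or 'drop'."""
        key = (src, sport)
        if flags == "S":
            if self.em_limit and self.count(dst) >= self.em_limit:
                self.dropped[dst] += 1      # limit reached: do not open another
                return "drop"
            self.half_open[dst].add(key)
            return "forward"
        if flags == "A":
            self.half_open[dst].discard(key)  # handshake done, no longer embryonic
        return "forward"

def run_sample(em_limit=50):
    """Replay constructed traffic against a protected host and report the effect."""
    lim = EmbryonicLimiter(em_limit)
    server = "192.0.2.10"                   # constructed address of the attacked host
    # 60 SYNs from spoofed sources that never complete the handshake
    for i in range(60):
        lim.handle(f"203.0.113.{i}", 40000 + i, server, "S")
    # A legitimate client arriving while the table is full is refused too
    legit_first = lim.handle("198.51.100.5", 51000, server, "S")
    # One of the earlier half-open entries completes, freeing a slot
    lim.handle("203.0.113.0", 40000, server, "A")
    legit_retry = lim.handle("198.51.100.5", 51000, server, "S")
    return {
        "half_open": lim.count(server),
        "dropped": lim.dropped[server],
        "legit_first": legit_first,
        "legit_retry": legit_retry,
    }

if __name__ == "__main__":
    print(run_sample())
```

The run shows the trade-off a practitioner should expect: the server never holds more than 50 half-open connections, but while the flood keeps the table full, a new legitimate client is refused until a slot frees up.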
