
dos-attack(more connections)

WEERAKOO69BA
Level 1

Dear Friends,

One of the customer's ASA-5520 is getting disconnected every 3-4 hours, and I found the following outputs and errors. This ASA connects to MPLS (to access remote branches) and ADSL (for internet).

Resource           Current     Peak     Limit   Denied  Context
Syslogs [rate]          83    87470       N/A        0  System
Conns                35859    98666    280000        0  System
Xlates                 266      919       N/A        0  System
Hosts                  353      670       N/A        0  System
Conns [rate]            29      409       N/A        0  System
Inspects [rate]         11       57       N/A        0  System

Before the disconnection happens, I am getting the following error:

"SA-5-321001: Resource 'conns' limit of 280000 reached for system"

This looks like a DoS attack (please correct me if I am wrong). I have done the following steps to control the situation.

policy-map limit
 class limit
  set connection conn-max 1 embryonic-conn-max 1 per-client-max 1
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 dcd 0:00:01

Now my observation is
----------------------------------

When I look at Conns, the "current" figure keeps increasing but the "peak" figure doesn't increase until conns reach 98666.

I would appreciate it if anyone can tell me how to resolve this issue.

Is there any way to stop the increase of the "conns" figures?

Many thanks


Julio Carvajal
VIP Alumni

Hello,

You are running multiple-context, so when you do that you are sharing the entire resources between all of the contexts.

In this case you assign X amount of connections to that context and you have reached the limit.

So you could configure the ASA to provide more connections to that ASA (only if it's expected to receive that high amount of connections).

What you have done is basically restrict the amount of connections for that context (on this one you are allowing only one connection at a time). Is that what you are looking for? Because it sounds really restrictive.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you very much for your reply. This has given me a bit of relief.

Frankly, I don't have any contexts. I do need to control the connections somehow because it will reach the max and freeze.

1) How can I overcome this issue without restricting the connections?

2) By restricting the connections, will it badly affect the performance?

3) How do I configure more connections on the ASA? If this is allowed, will it be vulnerable to a DoS attack?

Thanks

1) Well, there is nothing you can do to avoid DDoS attacks unless you determine which the offending IP addresses are.

2) No, the opposite actually. You will be increasing the performance as the ASA will not get overloaded.

3) You will need to determine what's a valid number of connections per host (let's say you have an HTTP server on the internal subnet, you might want to be less restrictive with that server than with the internal laptops).

After learning as much information about the problem as you can, you can go to the ISP side and let them know you are being attacked so the traffic does not even get into your link and drop your bandwidth.

Let me know what you think.

Man, remember to always rate my posts


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
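
Added example (not part of the thread and not Cisco code): one way to act on the advice above about finding the offending addresses and a sensible per-host connection count, by tallying saved `show conn` output per inside host. The sample lines, the assumed line layout, the `inside` interface name and the threshold are all assumptions; TCP entries whose flags lack `U` (up) are counted as not yet established.

```python
import re
from collections import Counter

# Constructed sample in the style of ASA "show conn" output. Assumed layout:
# PROTO ifc addr:port ifc addr:port, idle ..., bytes ..., flags ...
SAMPLE = """\
8 in use, 98666 most used
TCP outside 198.51.100.7:80 inside 10.0.0.21:50111, idle 0:00:02, bytes 5120, flags UIO
TCP outside 198.51.100.8:80 inside 10.0.0.21:50112, idle 0:00:09, bytes 0, flags saA
TCP outside 198.51.100.9:80 inside 10.0.0.21:50113, idle 0:00:09, bytes 0, flags saA
TCP outside 198.51.100.10:80 inside 10.0.0.21:50114, idle 0:00:08, bytes 0, flags saA
TCP outside 198.51.100.11:80 inside 10.0.0.21:50115, idle 0:00:08, bytes 0, flags saA
TCP outside 203.0.113.5:443 inside 10.0.0.30:41000, idle 0:00:01, bytes 88211, flags UIO
TCP outside 203.0.113.6:443 inside 10.0.0.30:41001, idle 0:00:03, bytes 1204, flags UIO
UDP outside 192.0.2.53:53 inside 10.0.0.40:5353, idle 0:00:04, bytes 120, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):\d+\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):\d+,.*?flags\s+(?P<flags>\S*)\s*$"
)

def summarize(text, inside_ifc="inside"):
    """Return (connections per inside host, not-yet-established TCP per inside host)."""
    total, half_open = Counter(), Counter()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header lines and unrecognised entries are skipped
        # Attribute the connection to whichever endpoint sits on the inside interface.
        if m["if1"] == inside_ifc:
            host = m["ip1"]
        elif m["if2"] == inside_ifc:
            host = m["ip2"]
        else:
            continue
        total[host] += 1
        if m["proto"] == "TCP" and "U" not in m["flags"]:
            half_open[host] += 1
    return total, half_open

def over_limit(text, per_host_limit, inside_ifc="inside"):
    """Hosts holding more than per_host_limit connections, busiest first."""
    total, half_open = summarize(text, inside_ifc)
    return [(h, n, half_open[h]) for h, n in total.most_common() if n > per_host_limit]

if __name__ == "__main__":
    for host, conns, pending in over_limit(SAMPLE, per_host_limit=3):
        print(f"{host}: {conns} connections, {pending} not established")
```

Running the same tally on captures taken during normal operation gives a baseline for choosing per-host limits that differ between servers and laptops.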