How to establish a baseline for policy/class map for SYN attack mitigation?

All-

I would like to use a policy map to mitigate possible SYN attacks on a PIX 525 running 8.0(3)

I've read a number of sources as well as a Cisco wiki entry and cisco doc:

http://supportwiki.cisco.com/ViewWiki/index.php/ASA/PIX_7.x_and_Later:_Mitigating_the_Network_Attacks

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

My question isn't so much *how* to do it, but how to establish a baseline. My plan is to apply this globally and not worry about connection settings for specific hosts behind the pix. In other words I want to make sure the values for maximum connections, embryonic, etc, are set higher than the peaks we might see during normal operations (perhaps arbitrarily double/triple them). Many of the hosts behind the pix are web servers so advice on how I might adjust timeouts would be helpful as well.

Can someone tell me how I might best determine the baselines for my network for the settings under "set connection <attribute> <value>":

set connection conn-max <value>
set connection embryonic-conn-max <value>
set connection per-client-embryonic-max <value>
set connection per-client-max <value>
set connection random-sequence-number enable
set connection timeout embryonic <value>
set connection timeout half-closed <value>
set connection timeout tcp <value>

(See the config snippet at the bottom)

I've run a "sh conn detail" and I'm assuming that I can take the information for the TCP connections (example):

TCP Interface1:1.1.1.1/59222 Interface3:2.2.2.2/80 flags UIOB
TCP Interface1:4.4.4.4/25 Interface2:5.5.5.5/1474 flags saA
<snip>

...and then, after taking multiple samples over the course of a week or so, use the connection flags to determine what values I should apply to the "set connection" attributes, correct? If so, does someone have a good idea on how to accomplish this? Does the pix maintain these counts somewhere? I ran a query in SQL to get the current counts of distinct flags offline.

3912 in use, 5365 most used
3785 UIOB
136 UIO
80 UfFRIOB
56 UFRIOB
46 UFRIO
34 UfFRIO
17 UfFRI
17 UB
15 U
14 aB
13 saA
11 UFIOB
7 UIB
5 UFIO
4 Uf
3 UFOB
1 UOB
1 UfB
1 UFRIB

Here is an example taken from the Cisco Wiki. It appears the values below would be much lower than I need:

pix525(config)#class-map tcp_syn
pix525(config-cmap)#match port tcp eq 80
pix525(config-cmap)#exit
pix525(config)#policy-map tcpmap
pix525(config-pmap)#class tcp_syn
pix525(config-pmap-c)#set connection conn-max 100
pix525(config-pmap-c)#set connection embryonic-conn-max 200
pix525(config-pmap-c)#set connection per-client-embryonic-max 10
pix525(config-pmap-c)#set connection per-client-max 5
pix525(config-pmap-c)#set connection random-sequence-number enable
pix525(config-pmap-c)#set connection timeout embryonic 0:0:45
pix525(config-pmap-c)#set connection timeout half-closed 0:25:0
pix525(config-pmap-c)#set connection timeout tcp 2:0:0
pix525(config-pmap-c)#exit
pix525(config-pmap)#exit
pix525(config)#service-policy tcpmap global

Also, how does the threat detection built into the PIX work compared to using the policy map above? Does it work in conjunction by using these values as its baseline for threat detection or are the settings completely independent? It seems like the settings for threat detection cross over a bit with the policy map connection settings for things like connection limits, etc.

Hutch
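One way to turn the sampling approach in the post into numbers, as an added example that is not part of the original post or of any Cisco tool: a Python script that parses "show conn detail" TCP lines in the layout quoted above, counts total, embryonic and per-client connections per sample, takes the peak across samples and multiplies by the double/triple headroom factor the post mentions. It assumes (inferred from the quoted lines, not confirmed by the page) that the first address is the lower-security side, that flag B marks a connection whose initial SYN came from that side, and that a connection without flag U has not completed the handshake and so counts as embryonic; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed "show conn detail" TCP lines, one string per polling run; addresses are made up.
SAMPLES = [
    "TCP Interface1:1.1.1.1/59222 Interface3:2.2.2.2/80 flags UIOB\n"
    "TCP Interface1:1.1.1.1/59223 Interface3:2.2.2.2/80 flags UIOB\n"
    "TCP Interface1:1.1.1.1/59224 Interface3:2.2.2.2/80 flags aB\n"
    "TCP Interface1:4.4.4.4/25 Interface2:5.5.5.5/1474 flags saA\n",
    "TCP Interface1:1.1.1.1/59230 Interface3:2.2.2.2/80 flags UIOB\n"
    "TCP Interface1:8.8.8.8/80 Interface2:7.7.7.7/3302 flags saA\n"
    "TCP Interface1:9.9.9.9/80 Interface2:7.7.7.7/3303 flags saA\n",
]
CONN_RE = re.compile(r"^TCP \S+:(\S+)/\d+ \S+:(\S+)/\d+ flags (\S+)")

def parse_conn(line):
    """Return (client, embryonic) for one TCP conn line, or None if it does not match.
    Assumed flag legend: B = initial SYN from the first (outside) address, so that side
    is the client, otherwise the second is; U = handshake complete, so no U = embryonic."""
    m = CONN_RE.match(line)
    if not m:
        return None
    outside, inside, flags = m.groups()
    return (outside if "B" in flags else inside), "U" not in flags

def summarize(sample):
    """Counters for one sample, keyed by the matching set connection attribute."""
    per_client, per_client_emb = Counter(), Counter()
    for line in sample.splitlines():
        parsed = parse_conn(line)
        if parsed is None:
            continue  # skips the "in use, most used" header and non-TCP lines
        client, embryonic = parsed
        per_client[client] += 1
        if embryonic:
            per_client_emb[client] += 1
    return {
        "conn-max": sum(per_client.values()),
        "embryonic-conn-max": sum(per_client_emb.values()),
        "per-client-max": max(per_client.values(), default=0),
        "per-client-embryonic-max": max(per_client_emb.values(), default=0),
    }

def baseline(samples, headroom=3):
    """Peak of each counter across all samples, times the headroom factor the post suggests."""
    peaks = {}
    for sample in samples:
        for key, value in summarize(sample).items():
            peaks[key] = max(peaks.get(key, 0), value)
    return {key: value * headroom for key, value in peaks.items()}
```

Feed it the saved output of each polling run instead of SAMPLES and print `baseline(...)` as `set connection <key> <value>` lines; the timeout attributes are not derived here since they need idle-time data rather than flag counts.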
