Does anyone know the best way to limit the number of incoming new TCP connections to a server through a Cisco ASA firewall?
I am guessing it is using a service policy and the Per Client Embryonic Connections option; however, I'm not certain of the interpretation of the word "Client" in this case or which way round to do the service policy,
i.e. outside class or inside class?
Any examples or advice would be gratefully received.
Here is an example for what Federico described. Assume you have a web server at 10.1.1.1 on the inside translated to 126.96.36.199 on the outside and you want to limit clients (whoever initiates the connection) to 10 simultaneous connections to the server:
access-list conn-limit-acl permit tcp any host 126.96.36.199 eq www
! class-map name below is not in the original post; any name works
class-map conn-limit-class
 match access-list conn-limit-acl
policy-map conn-limit-policy
 class conn-limit-class
  set connection per-client-max 10
service-policy conn-limit-policy interface outside
You can also use 'set connection per-client-embryonic-max' to limit the amount of half-open connections that are allowed. This will help to prevent SYN flood attacks. The 'conn-max' and 'embryonic-conn-max' can be used to limit the total number of connections and half-open connections to the server as well.
If you want to restrict the maximum number of connections to the server and it does not matter to you how many connections one particular client makes, then you will just use "set connection conn-max n".
If you also want to restrict the number of connections made by each client, then you will use the command "set connection per-client-max n".
We also have settings for embryonic (half-open) connections which are mainly to avoid DoS attacks (using TCP intercept).
The term client refers to the particular host that will be initiating the TCP connection to the server, that is, the host that will be trying to connect to the server. The same is mentioned in the link above as well.
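As an added example (not from the original thread), the four settings described above combined in one ASA Modular Policy Framework policy, so the server-wide ceilings and the per-client ceilings apply to the same traffic class, followed by the command that shows the live counters against those limits. The ACL, class-map and policy-map names, the mapped server address 203.0.113.10 and the interface name outside are assumptions.

```cisco
! Constructed example: match client traffic to the web server (mapped address assumed)
access-list web-conn-limit permit tcp any host 203.0.113.10 eq www
!
class-map web-conn-limit-class
 match access-list web-conn-limit
!
policy-map web-conn-limit-policy
 class web-conn-limit-class
  ! server-wide ceilings: total open and total half-open (embryonic) connections
  set connection conn-max 1000 embryonic-conn-max 200
  ! per-source-host ceilings: open and half-open connections from any one client
  set connection per-client-max 10 per-client-embryonic-max 5
!
! apply on the interface where the client SYNs arrive (assumed to be "outside")
service-policy web-conn-limit-policy interface outside
!
! verify: per-class counters show current connections and drops against the limits
show service-policy interface outside
```

Once embryonic-conn-max or per-client-embryonic-max is reached, the ASA switches to TCP intercept for new SYNs to that server, which is the DoS protection referred to above.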
One of our systems has a habit of disconnecting its clients and upon restart we receive a massive amount of connections caused by re-connecting clients over a short period of time and this then has the knock-on effect of overloading the target server.
What we would like to do is stagger or slow down these connections so they don't all connect at once.
Overall the connections are legitimate as the clients do need to reconnect, so it's not that we want to limit the total number.
Instead we would perhaps like to limit the number that are connecting per second?
Or is there some other or better way to achieve this?
I get where you are coming from. Well, even if we set up the maximum connection settings, the connections are not really going to be denied; instead the ASA is going to use SYN cookies or TCP intercept to confirm that the client trying to connect is indeed a legitimate host and not part of a DoS attack. So, if those connections are going to be legitimate, the connections are still going to be forwarded to the server in your network, which will end up overloading it upon a reload.
I cannot really think of a way of doing this. The ASA does not have a way of doing this, at least that I am aware of.
What about if the connections are to be terminated by the ASA itself? I.e. what happens if the ASA suddenly receives 2000 legitimate incoming VPN connections (ISAKMP, basically) within a very short amount of time (within 10 seconds or less)? Assuming the ASA itself is licensed for that amount (for example the 5540 can have a max of 5000 IPsec peers), will the ASA be overloaded and basically DoS'ed?