Cisco Support Community

em_limit in static command

How does em_limit work in PIX? Is the value we specify in the static command per source address, or is it for the combination of all the source addresses trying to connect?

2 REPLIES

Re: em_limit in static command

It is the total number of embryonic connections, i.e. all source addresses.

-Jonathan


Re: em_limit in static command

Hi Jonathan

Thanks for the quick reply!

Sorry to be pedantic about this... (I just have to be 100% sure).

You said "It is total number of embryonic connections ie all source address. " I'm not sure how to read this statement.

Please allow me one more question based on the following scenario:

We have a full class C sitting behind the PIX. There are several servers behind the PIX (A, B, C, D etc.) and they all have static (public) IP addresses (no NAT). If a hacker tries to SYN-flood servers A and B, what happens if we have an em_limit of 100 (no limit on max TCP connections)?

a. The PIX detects 60 open connections to server A from source IP address "hacker" (xxxx.xxx.xxx.xxx). The PIX detects 40 open connections to server B from the hacker. The PIX then drops all new connections to servers A and B from the hacker until there are fewer than 100 open connections (A and B combined).

New connections to server C and D... will be allowed.

b. Same scenario as in a., but the PIX will allow another 40 connections to server A and another 60 connections to server B.

New connections to server C and D... will be allowed.

c. Same scenario as in a., but the PIX will drop all packets to any of the servers A, B, C, D... until the total combined active connections to all servers is below 100. (New connections to servers C, D, etc. will be dropped because servers A and B have used all the connections.)

The basic question behind this is the value of em_limit. This is a global setting. What we are trying to avoid is servers C, D, etc. not getting any connections just because servers A and B get attacked.

The perfect PIX behaviour would be to limit the hacker (source IP) to a maximum of 100 connections (no matter which destination server).

What is the behaviour of the PIX: a, b or c? Please don't tell me it's c.

Looking forward to your reply again!
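Added example (editor's, not from either poster): a PIX configuration for the scenario above, assuming the PIX 6.x positional syntax `static (inside,outside) global_ip local_ip netmask mask [max_conns [em_limit]]`. Both `max_conns` and `em_limit` are parameters of each individual `static` line, and, per Jonathan's reply, `em_limit` counts embryonic (half-open) TCP connections to that translation from all source addresses combined. Giving each server its own static line therefore gives each server its own budget of 100. Interface names, the 203.0.113.x addresses and the access-list name are placeholders; comment lines use the `:` prefix that saved PIX configs use.

```cisco
: Added example (editor's), not from the thread. PIX 6.x syntax assumed:
:   static (inside,outside) global_ip local_ip netmask mask [max_conns [em_limit]]
: Interface names and 203.0.113.x addresses are placeholders. The servers are
: publicly addressed (no NAT), so global_ip equals local_ip (an identity static).
: max_conns 0  = unlimited established connections ("no limit on max tcp").
: em_limit 100 = at most 100 half-open TCP connections to THIS static entry,
:                counted across all source addresses; each line has its own counter.

: Server A
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 100
: Server B
static (inside,outside) 203.0.113.11 203.0.113.11 netmask 255.255.255.255 0 100
: Server C
static (inside,outside) 203.0.113.12 203.0.113.12 netmask 255.255.255.255 0 100
: Server D
static (inside,outside) 203.0.113.13 203.0.113.13 netmask 255.255.255.255 0 100

: Weak form for comparison (commented out): em_limit 0 is the default and means
: unlimited, so a SYN flood against this host is never capped by the PIX.
: static (inside,outside) 203.0.113.14 203.0.113.14 netmask 255.255.255.255 0 0

: Inbound traffic to the statics still has to be permitted explicitly.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.12 eq www
access-list outside_in permit tcp any host 203.0.113.13 eq www
access-group outside_in in interface outside
```

To check what is actually configured, `show static` lists each entry with its limits, and `show conn` during a flood shows the half-open connections that are being counted against a given entry. Because the limit lives on the static for server A, hitting 100 embryonic connections there does not consume any of the budget of the entries for C and D. If the whole class C were instead covered by a single network static, the entries would not be independent in this way, so a per-host static is the configuration that matches the poster's goal of isolating the unattacked servers.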
