12-16-2003 09:47 AM - edited 03-09-2019 05:54 AM
If I'm understanding the documentation correctly I need to set an embryonic limit on my static commands to enable syn attack blocking on my pix. However, I'm not clear on what is a reasonable embryonic limit. We have several servers open to various ports including ftp, www, smtp, and some oracle application ports. Most are light usage, nothing real heavy.
Any suggestions on what I should be setting my embryonic connection limits to?
Also, do I need to set a maximum connection limit as well?
Thanks in advance,
rls
12-17-2003 09:19 AM
Hi,
Well, the answer to your question is "it depends". Each server OS has an embryonic connection limit built in. That is, the max number of embryonic connections that the OS itself can handle. Generally, we recommend setting the embryonic limit on the PIX to a number that is a little lower than what the OS can handle, as the idea is to protect the server behind the PIX from a DoS attack. For instance, most Windows boxes have a limit of 128. In cases like this, setting the embryonic connection limit on the PIX to 120 or 115 would be sufficient. Maximum connections do not need to be set in conjunction with the econn setting, but you can certainly set this as well if you would like. Again, this number should be set based on the max number of conns your server can handle. Hope this helps.
Scott
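As an added illustration of the advice above (this is not configuration from the thread or from Cisco), here is how the embryonic limit and the optional maximum-connection limit are carried on a PIX 6.x `static` command: the two trailing numeric arguments are `max_conns` followed by `emb_limit`, and `0` means unlimited. The interface names, addresses and the Oracle port are constructed placeholders; the Windows value of 120 follows Scott's suggestion of sitting a little below the host's limit of 128, and the Solaris value is deliberately left at a placeholder because, as the later replies note, the Solaris queue size is tunable and should be read from the actual host before choosing a margin.

```text
! Constructed example: published servers behind a PIX 6.x.
! static (inside,outside) global_ip local_ip netmask mask [max_conns [emb_limit]]

! Before: no limits at all, so SYN floods are passed straight to the server.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0

! After: Windows web/FTP/SMTP host with a built-in limit of 128 half-open
! connections, so the PIX caps embryonic connections at 120 (max_conns stays
! unlimited, which the thread says is optional).
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 120

! Solaris 8 Oracle application host: read the host's own listen-queue tunable
! first and set emb_limit slightly below it (placeholder shown, not a real value).
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255 0 EMB_LIMIT_FROM_HOST

! Only traffic permitted by the ACL is affected; keep the ACL to the ports in use.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq ftp
access-list outside_in permit tcp any host 192.0.2.10 eq smtp
access-list outside_in permit tcp any host 192.0.2.20 eq ORACLE_APP_PORT
access-group outside_in in interface outside
```

Because the limit is per `static`, each published server gets its own value; a single figure for the whole firewall is not what the command expresses. Setting `emb_limit` higher than the host can actually queue gives no protection, which is why the answer ties the number to the operating system rather than to the PIX.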
12-17-2003 09:50 AM
That helps a lot, thanks Scott.
Do you happen to know the embryonic connection limit of Solaris 8?
Thanks again,
~rls
12-17-2003 12:29 PM
Not a problem. I *believe* the default queue size in Solaris 8 is 1024 but this is tunable from what I can remember (been a while). Take a look here and see if this helps:
http://www.securityfocus.com/infocus/1385
Good luck.
Scott