Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
5
Helpful
3
Replies

TCP Intercept feature

Go to solution
0rsnaric
Level 1
Level 1

‎12-16-2003 09:47 AM - edited ‎03-09-2019 05:54 AM

If I'm understanding the documentation correctly I need to set an embryonic limit on my static commands to enable syn attack blocking on my pix. However, I'm not clear on what is a reasonable embryonic limit. We have several servers open to various ports including ftp, www, smtp, and some oracle application ports. Most are light usage, nothing real heavy.

Any suggestions on what I should be setting my embryonic connection limits to?

Also, do I need to set a maximum connection limit as well?

Thanks in advance,

rls

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
scoclayton
Level 7
Level 7

‎12-17-2003 09:19 AM

Hi,

Well, the answer to your question is "it depends". Each server OS has an embryonic connection limit built in. That is, the max amount of embryonic connections that the OS itself can handle. Generally, we recommend setting the embryonic limit on the PIX to a number that is a little lower than what the OS can handle as the idea is to protect the server behind the PIX from a DOS attack. For instance, most Windows boxes have a limit of 128. In cases like this, setting the embryonic connection limit on the PIX to 120 or 115 would be sufficient. Maximum connections do not need to be set in conjunction with the econn setting but you can certainly set this as well if you would like. Again, this number should be set based on the max number of conns your server can handle. Hope this helps.

Scott

View solution in original post

3 Replies 3

Go to solution
scoclayton
Level 7
Level 7

‎12-17-2003 09:19 AM

Hi,

Well, the answer to your question is "it depends". Each server OS has an embryonic connection limit built in. That is, the max amount of embryonic connections that the OS itself can handle. Generally, we recommend setting the embryonic limit on the PIX to a number that is a little lower than what the OS can handle as the idea is to protect the server behind the PIX from a DOS attack. For instance, most Windows boxes have a limit of 128. In cases like this, setting the embryonic connection limit on the PIX to 120 or 115 would be sufficient. Maximum connections do not need to be set in conjunction with the econn setting but you can certainly set this as well if you would like. Again, this number should be set based on the max number of conns your server can handle. Hope this helps.

Scott

Go to solution
0rsnaric
Level 1
Level 1
In response to scoclayton

‎12-17-2003 09:50 AM

That helps a lot, thanks Scott.

Do you happen to know the embryonic connection limit of Solaris 8?

Thanks again,

~rls

0 Helpful

Go to solution
scoclayton
Level 7
Level 7
In response to 0rsnaric

‎12-17-2003 12:29 PM

Not a problem. I *believe* the default queue size in Solaris 8 is 1024 but this is tunable from what I can remember (been a while). Take a look here and see if this helps:

http://www.securityfocus.com/infocus/1385

Good luck.

Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents