Cisco Support Community
New Member

TCP Intercept feature

If I'm understanding the documentation correctly I need to set an embryonic limit on my static commands to enable SYN attack blocking on my PIX. However, I'm not clear on what is a reasonable embryonic limit. We have several servers open to various ports including ftp, www, smtp, and some Oracle application ports. Most are light usage, nothing really heavy.

Any suggestions on what I should be setting my embryonic connection limits to?

Also, do I need to set a maximum connection limit as well?

Thanks in advance,

rls

1 ACCEPTED SOLUTION

Accepted Solutions

Re: TCP Intercept feature

Hi,

Well, the answer to your question is "it depends". Each server OS has an embryonic connection limit built in. That is, the max number of embryonic connections that the OS itself can handle. Generally, we recommend setting the embryonic limit on the PIX to a number that is a little lower than what the OS can handle, as the idea is to protect the server behind the PIX from a DoS attack. For instance, most Windows boxes have a limit of 128. In cases like this, setting the embryonic connection limit on the PIX to 120 or 115 would be sufficient. Maximum connections do not need to be set in conjunction with the econn setting, but you can certainly set this as well if you would like. Again, this number should be set based on the max number of conns your server can handle. Hope this helps.

Scott

3 REPLIES

New Member

Re: TCP Intercept feature

That helps a lot, thanks Scott.

Do you happen to know the embryonic connection limit of Solaris 8?

Thanks again,

~rls

Re: TCP Intercept feature

Not a problem. I *believe* the default queue size in Solaris 8 is 1024 but this is tunable from what I can remember (been a while). Take a look here and see if this helps:

http://www.securityfocus.com/infocus/1385

Good luck.

Scott
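As an added illustration, not from the thread or from Cisco's documentation, here is how the two numbers discussed above (128 for Windows, the claimed 1024 default for Solaris 8) map onto the PIX `static` command. PIX 6.x syntax is assumed, and the addresses are constructed.

```cisco
! Added example (not from the thread). PIX 6.x 'static' syntax assumed;
! addresses are constructed. The last two values are max_conns and
! emb_limit; 0 means unlimited.

! Before: no limits, so a SYN flood reaches the server's own listen
! backlog before the PIX reacts.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! After: Windows host with a backlog of 128 -> embryonic limit of 120, as
! the accepted answer suggests. Once 120 half-open connections to this
! host exist, further SYNs are handled by TCP Intercept instead of being
! passed straight to the server. max_conns stays unlimited (optional).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 120

! Solaris 8 host, assuming the 1024 default queue mentioned in the reply:
! again a little lower than the OS value.
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 1000

! Which ports are reachable is still decided separately; the limits
! apply per translated host, not per port.
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq smtp any

! Verification: 'show static' lists the configured limits and
! 'show local-host' shows the current and embryonic connection counts
! for the host, so the limit can be compared with normal load.
show static
show local-host 10.1.1.10
```

Watch `show local-host` during normal peak traffic before settling on a number: if legitimate embryonic counts get close to the limit, TCP Intercept will start proxying handshakes for ordinary clients too.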
