Cisco Support Community
How to configure TCP intercept or block denial of service (DoS) attacks on the PIX Firewall

What is Denial of Service (DOS)?


Denial of service (DoS) usually refers to an attack that attempts to make a computer resource unavailable to its users by flooding the network or server with requests and data. During a DoS attack the end users are not able to use applications such as email and other network resources.

There is one further form of DoS, known as Distributed Denial of Service (DDoS).


Core issue

Protect internal servers from a denial-of-service (DoS) attack.

Resolution

Starting with PIX Software version 5.2, the TCP Intercept feature can help protect internal servers from DoS attacks. This feature allows the user to configure the maximum number of connections allowed to an internal server and the maximum number of embryonic connections (ones that have not completed the TCP three-way handshake) to a server.

If the embryonic connection limit is reached, then the PIX responds to every SYN packet sent to the server with a SYN+ACK, and does not pass the SYN packet to the internal server.

If the external device responds with an ACK packet, then the PIX knows it is a valid request (and not part of a SYN attack). The PIX then establishes a connection with the server and joins the two connections together. If the PIX does not get that ACK back, it aggressively times out the embryonic connection.

The Max Connection option can also be set. Once this threshold is reached, the PIX will not allow any new connections to the server until the active connections drop below this number.

The syntax for this feature is shown below.

static [(prenat_interface, postnat_interface)] {mapped_address|interface} real_address [dns]
[netmask mask] [norandomseq] [connection_limit [em_limit]]

Example

static (inside, outside) 192.168.1.45 10.1.1.45 netmask 255.255.255.255 0 120

In the above example, the embryonic limit is set to 120 and there is no Max Connection limit set. Most Windows platforms allow a maximum of 128 embryonic connections, so when setting the embryonic limit on the static, use a value less than the maximum embryonic limit allowed by the server operating system.
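The following is an added illustration of the behaviour described above, not Cisco code: it pulls the connection and embryonic limits out of a static command (the regular expression is an assumption about the syntax quoted above), then replays a constructed SYN flood through a small model of the embryonic-limit and max-connection thresholds. The tick-based clock, the embryonic timeout value and the second static line with a max connection limit are all assumptions made for the example.

```python
import re

# Assumed pattern for the static syntax quoted above; it pulls out the
# optional trailing connection_limit and em_limit (0 = no limit on the PIX).
STATIC_RE = re.compile(
    r"^static\s+\((?P<pre>\w+),\s*(?P<post>\w+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"(?:\s+dns)?(?:\s+netmask\s+(?P<mask>\S+))?(?:\s+norandomseq)?"
    r"(?:\s+(?P<conn>\d+)(?:\s+(?P<emb>\d+))?)?\s*$"
)


def parse_static(line):
    """Return the real address and both limits from one static command."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static command: " + line)
    return {
        "real": m["real"],
        "conn_limit": int(m["conn"] or 0),
        "em_limit": int(m["emb"] or 0),
    }


class TcpIntercept:
    """Model of the per-server behaviour described above. Times are ticks
    of a constructed clock; em_timeout is an assumed aggressive timeout."""

    def __init__(self, conn_limit, em_limit, em_timeout=3):
        self.conn_limit = conn_limit
        self.em_limit = em_limit
        self.em_timeout = em_timeout
        self.half_open = {}     # SYNs forwarded to the server: client -> tick
        self.proxied = {}       # SYNs the PIX answered itself: client -> tick
        self.established = set()

    def _expire(self, now):
        for table in (self.half_open, self.proxied):
            for client, t in list(table.items()):
                if now - t >= self.em_timeout:
                    del table[client]

    def syn(self, client, now):
        """Client SYN arrives on the outside interface."""
        self._expire(now)
        if self.conn_limit and len(self.established) >= self.conn_limit:
            return "drop"          # max connections reached: no new sessions
        if self.em_limit and len(self.half_open) >= self.em_limit:
            self.proxied[client] = now
            return "intercept"     # PIX sends SYN+ACK; server never sees SYN
        self.half_open[client] = now
        return "forward"           # below the limit: SYN passes to the server

    def ack(self, client, now):
        """Final handshake ACK from the client."""
        self._expire(now)
        if self.proxied.pop(client, None) is not None:
            # Real client: PIX now opens the server side and joins the two.
            self.established.add(client)
            return "joined"
        if self.half_open.pop(client, None) is not None:
            self.established.add(client)
            return "established"
        return "ignored"           # no matching embryonic entry (timed out)

    def close(self, client):
        self.established.discard(client)


def run_scenario():
    """Replay a constructed SYN flood against the page's example static."""
    cfg = parse_static(
        "static (inside, outside) 192.168.1.45 10.1.1.45 netmask 255.255.255.255 0 120")
    fw = TcpIntercept(cfg["conn_limit"], cfg["em_limit"])
    # 150 constructed spoofed sources send a SYN at tick 0 and never answer.
    flood = [fw.syn("spoofed-%d" % i, now=0) for i in range(150)]
    out = {"forwarded": flood.count("forward"),       # 120 reach the server
           "intercepted": flood.count("intercept")}   # 30 handled by the PIX
    # A genuine client during the flood is intercepted, completes the
    # handshake with the PIX, and is then joined to the server.
    out["legit_syn"] = fw.syn("legit", now=1)
    out["legit_ack"] = fw.ack("legit", now=1)
    # Once the embryonic entries time out, SYNs are forwarded again.
    out["late_syn"] = fw.syn("late", now=3)
    # Assumed second static: max connection limit 2, embryonic limit 5.
    cfg2 = parse_static(
        "static (inside, outside) 192.168.1.46 10.1.1.46 netmask 255.255.255.255 2 5")
    fw2 = TcpIntercept(cfg2["conn_limit"], cfg2["em_limit"])
    for c in ("a", "b"):
        fw2.syn(c, now=0)
        fw2.ack(c, now=0)
    out["third_client_syn"] = fw2.syn("c", now=0)     # blocked by max-conn
    fw2.close("a")
    out["after_close_syn"] = fw2.syn("c", now=0)      # allowed again
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The model keeps SYNs that reached the server separate from SYNs the PIX answered on its own, which is what makes the embryonic count stop at the configured limit while the firewall keeps absorbing the excess; when choosing em_limit, the point in the text about staying below the server operating system's own backlog is what keeps the forwarded half-open connections from exhausting the server before the PIX starts intercepting.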

Version history: Revision 1 of 1, last updated 06-22-2009 03:36 PM