Solved

Setting an SMTP connection / IP threshold in ASA and blocking non-complying traffic

Posted on 2006-10-25
7
319 Views
Last Modified: 2010-05-18
Hello
I have a 2620 XM connected to an ASA5510 firewall. The ASA has 3 interfaces: one for connecting to the 2620XM (for the internet connection), one for the DMZ and one for the internal network.
I have a mail server behind the DMZ that has SMTP ports open to the public internet.
On some days, I get 150,000+ SMTP connections that are trying to send spam / relay through my server. My anti-spam settings on my mail server detect this and bounce the emails, but the sheer number of connection attempts etc. is a heavy load on my server. Is there a way I can set up my ASA or my 2620XM to monitor connections on a per-IP basis, prevent more than say 25 connections per minute per IP and block the offenders? I understand that I need to set something like a policy for this. Please help, thanks.
Question by: eggster34
 
Expert Comment by: MarkusKolbeck (LVL 5)
What kind of mail server do you use? Maybe you can configure your policy there?

ATB
Markus
Author Comment by: eggster34
It's Merak server. I don't want the traffic to reach the server, though; I'd like to cut it at the perimeter without it reaching the DMZ.
Accepted Solution by: rsivanandan (LVL 32, earned 500 total points)
You can probably try the max connection limit with TCP intercept for this server.

Check out this link:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K18407732

In there, the '0' is what you want to modify.

Cheers,
Rajesh
Author Comment by: eggster34
What value do you think I should set this to?
If the attacker establishes 30 connections and the limit is 30, can other clients reach the server at all?
Expert Comment by: rsivanandan (LVL 32)
This should be trial and error, eggster; it depends on the load on your server. Also, 30 would be much less, I believe.

Cheers,
Rajesh
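Added example, not written by anyone in this thread: the Modular Policy Framework form of the connection limit Rajesh points to, as it is written on ASA 7.2-era code, including the per-client limits that bear on the follow-up question about one attacker consuming the whole allowance. The interface name `outside`, the access-list and class names, the server's public address 192.0.2.25 and every numeric limit are placeholders for illustration; the right numbers depend on the real mail load, as the thread says.

```cisco
! Added example (not from the thread): ASA 7.2-style Modular Policy Framework
! connection limits for SMTP to a DMZ mail server. Interface and object names,
! the server address 192.0.2.25 and all numeric limits are placeholders.
!
! Traffic to select: anything from the internet to the mail server on TCP/25.
! On pre-8.3 code an ACL applied on the outside interface matches the server's
! public (mapped) address, not its DMZ address.
access-list SMTP_TO_MAIL extended permit tcp any host 192.0.2.25 eq smtp
!
class-map SMTP_MAIL_CLASS
 match access-list SMTP_TO_MAIL
!
policy-map OUTSIDE_POLICY
 class SMTP_MAIL_CLASS
  ! Aggregate caps for the whole class. Once conn-max is reached, new SMTP
  ! SYNs are dropped whoever sends them; once embryonic-conn-max is reached,
  ! TCP intercept takes over: the ASA completes the handshake itself and only
  ! passes fully established sessions to the server.
  set connection conn-max 500 embryonic-conn-max 200
  ! Per-source-IP caps. Each client gets its own allowance, so a single sender
  ! pinned at per-client-max is held there while other senders still get in.
  set connection per-client-max 10 per-client-embryonic-max 5
  ! Assumed 7.2 syntax: give up on half-open handshakes after 30 seconds so a
  ! SYN flood does not sit on embryonic slots (later releases renamed this).
  set connection timeout embryonic 0:00:30
!
! Apply on the interface where the traffic enters the firewall.
service-policy OUTSIDE_POLICY interface outside
```

Two things to keep in mind when tuning it. First, `conn-max` is a cap on the class as a whole, so with only that limit set the answer to "can other clients reach the server at all?" is no once it is full; `per-client-max` is what keeps one source from locking everyone else out. Second, these are concurrent-connection limits, not the 25-connections-per-minute rate the question asks for: a source over its limit simply has its extra SYNs dropped while it stays over, and nothing is blocked automatically afterwards. Watch the counters with `show service-policy interface outside` and `show conn` while adjusting the values. The older per-server way to express the same idea is the trailing max-connection and embryonic-limit arguments of the `static` command for the server, where 0 means unlimited; the MPF form above applies the same limits without tying them to the NAT entry.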
Author Comment by: eggster34
Any other way to do this? Can I get an IDS sensor for my ASA box that would do something like this?
Expert Comment by: rsivanandan (LVL 32)
Hmm. Look for the SMTP signatures. I will check online as well (I don't have access to one, though).

Cheers,
Rajesh