Solved

Setting an SMTP connection / IP threshold in ASA and blocking non-complying traffic

Posted on 2006-10-25
Last Modified: 2010-05-18
Hello
I have a 2620 XM connected to an ASA5510 firewall. The ASA has 3 interfaces: one for connecting to the 2620XM (for internet connection), 1 for DMZ and 1 for the internal network.
I have a mail server behind the DMZ that has SMTP ports open to the public internet.
On some days, I get 150.000+ SMTP connections that are trying to send spam / relay through my server. My anti-spam settings on my mail server detect this and bounce the emails, but the sheer number of connection attempts etc. is a heavy load on my server. Is there a way I can set up my ASA or my 2620XM to monitor connections on a per-IP basis and prevent more than, say, 25 connections per minute per IP and block the offenders? I understand that I need to set something like a policy for this. Please help, thanks.
0
Question by:eggster34
7 Comments
 
LVL 5

Expert Comment

by:MarkusKolbeck
ID: 17809969
What kind of mail server do you use? Maybe you can configure your policy there?

ATB
Markus
0
 

Author Comment

by:eggster34
ID: 17812903
It's Merak server. I don't want the traffic to reach the server, though; I'd like to cut it at the perimeter without reaching the DMZ.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17813328
You can probably try the max connection limit with the tcp intercept for this server.

Check out this link;

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K18407732

In there, the '0' is what you want to modify.

Cheers,
Rajesh
0

 

Author Comment

by:eggster34
ID: 17815532
What value do you think I should set this to?
If the attacker establishes 30 connections and the limit is 30 , can other clients reach the server at all?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17817168
This should be trial and error, eggster; it depends on your load on the server. Also, 30 would be much lesser, I believe.

Cheers,
Rajesh
0
 

Author Comment

by:eggster34
ID: 17830928
Any other way to do this? Can I get an IDS sensor for my ASA box that would do something like this?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17831800
Hmm. Look for the SMTP signatures. I will check online as well (I don't have access to one, though).

Cheers,
Rajesh
0
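For picking a limit by measurement rather than guesswork, the following added example (not part of the original thread) counts inbound SMTP connections per source IP in a sliding one-minute window and reports the sources that exceed the 25-per-minute figure from the question. It assumes ASA syslog message 302013 with `logging timestamp` enabled; the log lines, addresses and interface names are constructed, and the function only measures, it does not block anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: ASA syslog 302013 ("Built inbound TCP connection") with timestamps.
BUILT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d).*?%ASA-6-302013: "
    r"Built inbound TCP connection \d+ for [\w-]+:(?P<src>[\d.]+)/\d+ \(.*?\) "
    r"to [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def find_offenders(lines, port=25, limit=25, window=timedelta(minutes=1)):
    """Return {source_ip: peak connections within any window} for sources over the limit."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        m = BUILT.search(line)
        if not m or int(m["dport"]) != port:
            continue              # not a connection-built event for the mail port
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop connections older than the window
        if len(q) > limit:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks

def sample_log():
    """Constructed log: one burst sender and one slow, well-behaved sender."""
    fmt = ("Oct 25 2006 10:{m:02d}:{s:02d}: %ASA-6-302013: Built inbound TCP "
           "connection {n} for outside:{ip}/{p} ({ip}/{p}) "
           "to dmz:192.0.2.25/25 (192.0.2.25/25)")
    # 40 connections in 40 seconds from one source
    burst = [fmt.format(m=0, s=i, n=1000 + i, ip="203.0.113.7", p=40000 + i)
             for i in range(40)]
    # 30 connections from another source, one per minute
    slow = [fmt.format(m=i, s=30, n=2000 + i, ip="198.51.100.20", p=50000 + i)
            for i in range(30)]
    return sorted(burst + slow)   # zero-padded timestamps sort chronologically

if __name__ == "__main__":
    for ip, peak in find_offenders(sample_log()).items():
        print(f"{ip}: peak {peak} SMTP connections in one minute")
```

Running it against a day of real logs with different `limit` values shows which sources a given threshold would catch and whether any legitimate sender comes close to it.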
