nabeel92
asked on
securing router from DOS attack on ASA Firewall
I have an ASA firewall that has an inside network and an outside interface that is connected to the internet ... I've some ports opened on the PIX firewall that are for the clients from the internet to access our certain DMZ servers ... rest, everything is blocked ... now when a DOS attack occurs, the attacker on the Internet is gonna utilize my existing open ports through whatever utility, say for instance NMAP or PF. They're gonna flood those opened ports with attacks at a speed of 100 mbps .... Now, my question is this: is there a threshold level I can define (and from memory, if I can remember, it used to be done through the static command on ASA but I've really forgotten how) that I can tell my ASA to accept a specific number of connections .... and beyond that don't accept any connections ?
Can someone please give me the command for it and its impact on live network ?
ASKER
Thanks for the post.
but to ip address in your own publicly >> Sorry, I really didn't understand what you meant by this.
what you may want to research for DOS Mitigation is to be able to drop connection from the DOS source, after x amount of connection attempts >> Yes, that's exactly what I am looking for on Cisco ASA. In fact, leave a particular source aside, I know my server on DMZ doesn't have more than 400 connections open at an instant. So if I can specify any source, then maybe I can prevent against a DDOS attack as well.
try this -
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1505226
Look at the max_conns and emb_lim parameters: max is the total working sessions and emb is the max number of conns in half-open state, which often happens under attack conditions.
Yes,
DOS and DDOS attacks target ip addresses, not ports; it does not matter what port is used, even if it is blocked or dropped, the requests are processed regardless
use tcp max_conns and udp max_conns in your acl rules to the interfaces desired
but remember,
any DOS attack, especially a DDOS, can take you down, regardless of any drop rules you have
It's all a matter of, who has the greater bandwidth and who has the greater computation power in the network devices used
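The two pointers above (max_conns/emb_lim on the static command, and tcp/udp max_conns applied per ACL rule) written out as an ASA 8.2 configuration. This is an added example, not a command from the thread or from Cisco's reference; the DMZ real address 10.10.10.5, the interface names, the class/policy names and the limit values are assumed placeholders, and the MPF "set connection" form is the per-class equivalent of the ACL-based limits the second reply alludes to (it is also the only form left on 8.3 and later, where static no longer takes connection limits).

```cisco
! --- Form 1: limits attached to the translation (ASA 8.2 and earlier) ---
! Public 203.38.242.114 (from the asker's ACL) maps to an assumed DMZ host.
! tcp 400 100  -> at most 400 established TCP conns to this host,
!                 and at most 100 half-open (embryonic) TCP conns;
!                 once 100 is hit the ASA proxies the handshake
!                 (TCP intercept) until the client completes it.
! udp 400      -> at most 400 UDP conns (UDP has no embryonic state).
static (dmz,outside) 203.38.242.114 10.10.10.5 netmask 255.255.255.255 tcp 400 100 udp 400

! --- Form 2: limits attached to a traffic class (MPF), any ASA version ---
! Scoped to the one service the asker exposes: UDP 4569 on the outside
! interface. Per-client limits cap what a single source can hold open,
! which is the "drop the DOS source after x attempts" idea; the class
! total still protects the server from a distributed flood filling it.
class-map DMZ_IAX
 match port udp eq 4569
!
! An assumed TCP service on the same host shows the embryonic knobs,
! which only make sense for TCP.
class-map DMZ_TCP_SVC
 match port tcp eq 443
!
policy-map OUTSIDE_CONN_LIMITS
 class DMZ_IAX
  set connection conn-max 400 per-client-max 20
 class DMZ_TCP_SVC
  set connection conn-max 400 embryonic-conn-max 100
  set connection per-client-max 20 per-client-embryonic-max 10
!
service-policy OUTSIDE_CONN_LIMITS interface outside

! --- Verification / impact on the live network ---
! Per-class hit counts and current conn numbers against the limits:
show service-policy interface outside
! Per-source connection counts, to see which clients sit at per-client-max:
show local-host 10.10.10.5
! Total conns on the box, to confirm the caps bite before the table does:
show conn count
```

Two things to expect once this is live: when conn-max is reached the ASA silently drops new connection attempts, so legitimate clients are refused alongside the attacker (a too-low cap is itself an outage), and, as the reply above notes, none of these limits reduce the packets arriving on the outside link, so a 100 mbps flood still consumes that bandwidth and the firewall's CPU before any rule is evaluated.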
ASKER
Are you able to give me an exact command ?
access-list 1 line 16 extended permit udp any host 203.38.242.114 eq 4569
Secondly, if we do that through the ACL, then how does that differ from the max-connections we use at the end of the static command ... because it's the static command through which we're basically allowing the connections from outside to the network .... I'm just trying to understand the concept of how the ACL max_conn differs from the static max_conns command ...
If anybody can be kind enough to give me the commands, it will be much appreciated !
ASKER CERTIFIED SOLUTION
DOS attacks aren't focused on how many ports you have open, but on the ip address you own publicly
what you may want to research for DOS Mitigation is to be able to drop connection from the DOS source, after x amount of connection attempts
I have not done this on a Cisco, but is this what you are interested in?
Jfer