Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

securing router from DOS attack on ASA Firewall

Posted on 2009-07-09
6
Medium Priority
?
822 Views
Last Modified: 2012-05-07
I have an ASA firewall that has an inside network and an outside interface that is connected to the internet ... I've some ports opened on the PIX firewall that are for the clients from the internet to access our certain DMZ servers ... rest, everything is blocked ... now when DOS attack occurs, the attacker on the Internet is gonna utilize my existing open ports through whatever utility, say for instance NMAP or PF. They're gonna flood those opened port with attacks at speed of 100 mbps .... Now, my question is this that is there a threshold level I can define (and from memory if i can rememeber, it used to be done through the static command on ASA but I've really forgotten how) that I can tell my ASA to accept a specific number of connections .... and beyond that dont accept any connections ?
Can someone please give me the command for it and its impact on live network ?
0
Comment
Question by:nabeel92
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24812799
Hi,

DOS attacks arent focused on how many ports you have open, but to ip address in you own publicly

what you may want to research for DOS Mitigation is to be able to drop connection from the DOS source, after x amount of connection attempts

I have not done this on a Cisco, but is this what you are interested in?

Jfer

0
 

Author Comment

by:nabeel92
ID: 24812830
Thanks for the post.

but to ip address in you own publicly >> Sorry, I really didnt understand what you meant by this.

what you may want to research for DOS Mitigation is to be able to drop connection from the DOS source, after x amount of connection attempts >> Yes, thats exactly what am looking for on Cisco ASA. Infact, leave a particular source aside, I know my server on DMZ doesn't have more than 400 connections open at an instant. So if I can specify any source, then maybe i can prevent against a DDOS attack as well.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24813927
try this -
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1505226
look at the max_conns and emb_lim parameters, max is the total working sessions and emb is the max number of conns in half open state, which often happens under attack conditions.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 9

Expert Comment

by:jfer0x01
ID: 24819604
Yes,

DOS and DDOS attacks target ip addresses, not ports, it does not matter what port is used, even if it blocked or dropped, the number of requests are processed regardless

use tcp max_conns and udp max_conns in your acl rules to the interfaces desired

but remember,

any DOS attack, especially a DDOS, can take you down, regardless of any drop rules you have

It's all a matter of, who has the greater bandwidth and who has the greater computation power in the network devices used

0
 

Author Comment

by:nabeel92
ID: 24819999
are you able to give me an exact command ?

access-list 1 line 16 extended permit udp any host 203.38.242.114 eq 4569

secondly, if we do that thru ACL, then how does that differ from the max-connections we use at the end of static command ... coz its the static command thru which we're basically allowing the conncetions from outside to the network .... Am just trying to understand the concept that how the ACL max_conn differs from static max_conns commands ...

If anybody can be kind enough to give me the commands, it will be much appreciated !
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 2000 total points
ID: 24820030
ok,

a DOS makes and establishes various connect requests in order to function

all you are trying to do is limit the amount of connections, any one foreign ip address can make per given time

This could conflict with peer-2-peer apps

taken from

http://www.cisco-tips.com/configuring-connection-limits-on-cisco-asa-firewalls-protect-from-dos/

STEP1: Identify the traffic to apply connection limits using a class map

ASA(config)# access list CONNS-ACL extended permit ip any 10.1.1.1 255.255.255.255
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL

STEP2: Add a policy map to set the actions to take on the class map traffic

ASA(config)# policy-map CONNS-POLICY
ASA(config-pmap)# class CONNS-MAP
! The following sets connection number limits
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]
[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] {tcp hh:mm:ss
[reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

STEP3: Apply the Policy on one or more interfaces or Globaly

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}


Hope this helps

Jfer
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question