Cisco ASA5510 - Configuring Connection Limits and Timeout for Preventing DDoS

My public facing DNS servers were being SYN flooded this morning. I configured a service policy rule on my ASA5510, and set the "Maximum Per Client Connections" to 20. It seems to be working, but I am still getting the following messages all the time, coming from different outside addresses and targeting my two public facing DNS servers.

Feb 20 2014 08:17:25: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 38.100.21.67/6573 to x.x.x.134/53 on interface dmz

Is there anything further I can do to help stop this? I am eventually going to get an SSM for the ASA, but I don't have one yet.
denver218 asked:
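An added example, not posted by anyone in this thread: a small Python script that parses %ASA-3-201013 lines like the one quoted in the question and aggregates them per source address and per DNS server, so you can see at a glance whether the hits come from a handful of hosts or are spread across many sources. The log lines inside it are constructed (the first mirrors the question's message, the addresses are made up, and the 111008 line is an unrelated message included only to show that non-matching lines are skipped).

```python
import re
from collections import Counter, defaultdict

# Matches the %ASA-3-201013 "Per-client connection limit exceeded" message in the
# form shown in the question (timestamp, current/max, direction, src, dst, interface).
ASA_201013 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-3-201013: "
    r"Per-client connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for (?P<dir>input|output) packet from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.x]+)/(?P<dport>\d+) on interface (?P<iface>\S+)$"
)

# Constructed sample log (assumption: addresses are made up; the first line mirrors
# the question, the 111008 line is an unrelated message that must be skipped).
SAMPLE_LOG = """\
Feb 20 2014 08:17:25: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 38.100.21.67/6573 to x.x.x.134/53 on interface dmz
Feb 20 2014 08:17:25: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 38.100.21.67/6574 to x.x.x.134/53 on interface dmz
Feb 20 2014 08:17:26: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 203.0.113.9/40001 to x.x.x.135/53 on interface dmz
Feb 20 2014 08:17:26: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 198.51.100.77/52100 to x.x.x.134/53 on interface dmz
Feb 20 2014 08:17:27: %ASA-5-111008: User 'enable_15' executed the 'show conn' command.
Feb 20 2014 08:17:27: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 203.0.113.9/40002 to x.x.x.135/53 on interface dmz
"""


def parse_201013(line):
    """Return the fields of a 201013 line as a dict, or None for any other line."""
    m = ASA_201013.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count limit-exceeded events per source and per target, plus how many distinct
    sources each target saw; a wide spread of sources points to a distributed flood
    rather than a single misbehaving client."""
    per_source, per_target = Counter(), Counter()
    sources_per_target = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        ev = parse_201013(line)
        if ev is None:
            skipped += 1
            continue
        target = f"{ev['dst']}/{ev['dport']}"
        per_source[ev["src"]] += 1
        per_target[target] += 1
        sources_per_target[target].add(ev["src"])
    return {
        "events": sum(per_source.values()),
        "skipped": skipped,
        "per_source": dict(per_source),
        "per_target": dict(per_target),
        "distinct_sources_per_target": {t: len(s) for t, s in sources_per_target.items()},
    }


def top_sources(summary, n=3):
    """Sources with the most hits, highest first (ties broken by address string)."""
    return sorted(summary["per_source"].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} limit events, {s['skipped']} other lines")
    for target, n in s["per_target"].items():
        print(f"{target}: {n} events from {s['distinct_sources_per_target'][target]} sources")
    print("top sources:", top_sources(s))
```

Feed it the output of the ASA's syslog (or a `show logging` capture) instead of SAMPLE_LOG; the per-target count tells you how often the limit is actually being hit on each server, and the distinct-source count is what distinguishes the distributed case the question describes from one noisy client.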
asavener commented:
https://supportforums.cisco.com/thread/2013390

In earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with the longer length:

fixup protocol dns maximum-length 4096

In more recent versions, it would be covered by:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

Or, to increase the response size length:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 4096
 
Robert Sutton Jr, Senior Network Manager, commented:
Aside from maybe having your provider block those specific ports upstream, there really isn't anything you can do atm. And since we here don't know anything about your net setup, take a look at the link below.

http://www.rfc-editor.org/rfc/pdfrfc/rfc3704.txt.pdf
 
denver218 (author) commented:
Thanks. It's a public DNS server, so I can't have my provider block UDP/53. They did work with me earlier, and I had them block it for a test; of course the traffic stopped coming into my network, but my DNS servers were then not functional.
asavener commented:
Your DNS servers should be able to handle significantly more than 20 concurrent connections.
 
asavener commented:
Wait... SYN flooding? Can you just block TCP/53 and allow UDP/53? That should allow DNS requests to work while blocking the SYN packets.

TCP/53 is only used for zone transfers.
 
denver218 (author) commented:
I used to only have UDP/53 open, but now I am being told that for a proper DNS setup TCP/53 should be open, because any message whose size exceeds the DNS protocol's original 512-byte limit has to use TCP. I always thought TCP/53 was only for zone transfers, which is why I always closed that port. Below is the document I've been referred to:

https://tools.ietf.org/html/rfc5966
 
asavener commented:
There's a configuration setting to increase the maximum size of the DNS packet... Let me see if I can find it.
 
denver218 (author) commented:
Thanks.