Solved

Cisco ASA5510 - Configuring Connection Limits and Timeout for Preventing DDoS

Posted on 2014-02-20
1,179 Views
Last Modified: 2014-03-12
My public-facing DNS servers were being SYN flooded this morning.  I configured a service policy rule on my ASA5510 and set the "Maximum Per Client Connections" to 20.  It seems to be working, but I am still getting the following messages all the time, coming from different outside addresses and targeting my two public-facing DNS servers.

Feb 20 2014 08:17:25: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 38.100.21.67/6573 to x.x.x.134/53 on interface dmz

Is there anything further I can do to help stop this?  I am eventually going to get an SSM for the ASA, but I don't have one yet.
0
Question by:denver218
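Added example, not from the thread: a small Python parser for the %ASA-3-201013 message quoted above that groups the hits per target and counts distinct sources, which is how you tell a distributed flood (many sources per DNS server, where a per-client limit only caps each source) from one misbehaving client. The log lines are constructed with RFC 5737 documentation addresses; the first mirrors the one in the question.

```python
import re
from collections import Counter, defaultdict

# Matches the %ASA-3-201013 "Per-client connection limit exceeded" message as it
# appears in the question; addresses are \S+ so masked ones (x.x.x.134) still parse.
ASA_201013 = re.compile(
    r"^(?P<ts>.+?): %ASA-3-201013: Per-client connection limit exceeded "
    r"(?P<cur>\d+)/(?P<max>\d+) for (?P<dir>\w+) packet from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)$"
)

# Constructed sample syslog (RFC 5737 documentation addresses); the first line
# mirrors the question, the %ASA-6-302015 line is unrelated noise to be skipped.
SAMPLE_LOG = """\
Feb 20 2014 08:17:25: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 38.100.21.67/6573 to 198.51.100.134/53 on interface dmz
Feb 20 2014 08:17:26: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 203.0.113.7/40001 to 198.51.100.134/53 on interface dmz
Feb 20 2014 08:17:26: %ASA-6-302015: Built outbound UDP connection 4711 for dmz:198.51.100.134/53 (198.51.100.134/53) to outside:203.0.113.9/53 (203.0.113.9/53)
Feb 20 2014 08:17:27: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 38.100.21.67/6580 to 198.51.100.134/53 on interface dmz
Feb 20 2014 08:17:28: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 192.0.2.44/5353 to 198.51.100.134/53 on interface dmz
Feb 20 2014 08:17:29: %ASA-3-201013: Per-client connection limit exceeded 20/20 for output packet from 203.0.113.7/40002 to 198.51.100.135/53 on interface dmz
"""

def parse_asa_201013(line):
    """Return the fields of one 201013 message as a dict, or None for any other line."""
    m = ASA_201013.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("cur", "max", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev

def summarize(lines, distinct_src_threshold=3):
    """Group events by target (dst, dport) and count distinct sources per target.
    Many distinct sources on one target is the distributed pattern the question describes."""
    per_target = defaultdict(Counter)
    for line in lines:
        ev = parse_asa_201013(line)
        if ev:
            per_target[(ev["dst"], ev["dport"])][ev["src"]] += 1
    return {
        target: {
            "events": sum(srcs.values()),
            "distinct_sources": len(srcs),
            "top_sources": srcs.most_common(3),
            "distributed": len(srcs) >= distinct_src_threshold,
        }
        for target, srcs in per_target.items()
    }
```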
8 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 39873389
Aside from maybe having your provider block those specific ports upstream, there really isn't anything you can do atm ... And since we here don't know anything about your net setup, take a look at the link below.

http://www.rfc-editor.org/rfc/pdfrfc/rfc3704.txt.pdf
0
 
LVL 4

Author Comment

by:denver218
ID: 39873802
Thanks.  It's a public DNS server, so I can't have my provider block udp/53.  They did work with me earlier, and I had them block it as a test; of course the traffic stopped coming into my network, but my DNS servers were then not functional.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39883197
Your DNS servers should be able to handle significantly more than 20 concurrent connections.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39883203
Wait... SYN flooding?  Can you just block TCP/53 and allow UDP/53?  That should allow DNS requests to work while blocking the SYN packets.

TCP/53 is only used for zone transfers.
0
 
LVL 4

Author Comment

by:denver218
ID: 39909572
I used to only have UDP/53 open, but now I am being told that for a proper DNS setup TCP/53 should be open, because any message whose size exceeds the DNS protocol's original 512-byte limit has to use TCP.  I always thought TCP/53 was only for zone transfers, which is why I always closed that port.  Below is the document I've been referred to:

https://tools.ietf.org/html/rfc5966
0
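Added example, not part of the thread: the point of RFC 5966 quoted above, in runnable Python. A response that does not fit in the 512-byte UDP payload goes back with the TC bit set and no answers, and the resolver then repeats the query over TCP/53, which is why blocking TCP/53 breaks those lookups. The name, addresses and transaction id are constructed.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP payload ceiling (RFC 1035) the post refers to
TC_FLAG = 0x0200  # TrunCation bit in the header flags word

def encode_name(qname):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"

def build_response(qname, ips, truncated=False, txn_id=0x1234):
    """Minimal NOERROR response with one A question and one A record per address.
    With truncated=True the answers are dropped and TC is set, as a UDP server must do."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)   # QR=1, RD=1, RA=1
    ancount = 0 if truncated else len(ips)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b"" if truncated else b"".join(
        encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4)  # A, IN, TTL 300, RDLENGTH 4
        + bytes(int(o) for o in ip.split("."))
        for ip in ips)
    return header + question + answers

def answer_over_udp(qname, ips):
    """Server side of a UDP/53 query: (wire bytes, whether TC had to be set)."""
    full = build_response(qname, ips)
    if len(full) <= UDP_LIMIT:
        return full, False
    return build_response(qname, ips, truncated=True), True

def is_truncated(wire):
    """Client side: a TC=1 reply tells the resolver to repeat the query over TCP/53."""
    return bool(struct.unpack("!H", wire[2:4])[0] & TC_FLAG)

def answer_over_tcp(qname, ips):
    """TCP/53 carries the full message behind a two-byte length prefix; no 512-byte ceiling."""
    full = build_response(qname, ips)
    return struct.pack("!H", len(full)) + full

# Constructed data: 17 A records for one 16-byte name is 542 bytes, just over the UDP ceiling;
# 16 records is exactly 512 and still fits.
QNAME = "ns.example.com"
SEVENTEEN_A = [f"192.0.2.{i}" for i in range(1, 18)]
```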
 
LVL 28

Expert Comment

by:asavener
ID: 39909615
There's a configuration setting to increase the maximum size of the DNS packet.... Let me see if I can find it.
0
 
LVL 28

Accepted Solution

by: asavener earned 2000 total points
ID: 39909756
https://supportforums.cisco.com/thread/2013390

In earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with the longer length:

fixup protocol dns maximum-length 4096

In more recent versions, it would be covered by:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

or, to increase the response size length:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 4096
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 39924323
Thanks.
0
