Solved

New Rules on SourceFire ASAx

Posted on 2016-08-02
5
58 Views
Last Modified: 2016-08-10
I need to control a dos attack performed by several request.
I will like to perform this by a new rules.
What i need is something like: This url is ok if an ip address perform a request in a second, is not ok and i need to drop it if an ip address perform 8-10 request in 2 seconds.

Thank you.

Mauro
0
Comment
Question by:Pelitti
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 41738936
More info:

Where is the URL pointing? Is it outside the ASA? If so are you assuming your internal clients are performing a DDOS attack? or is it a service you are offering that you don't want attacking? from external IP addresses? (if thats the case then why URL and not IP address/range)

Pete
0
 

Author Comment

by:Pelitti
ID: 41738969
My goal is stop ddos attack from any ip to a service in the dmz firewall.
I need to leave the url open from regular workload, but i need to stop intensive use of this url from an unique ip.

I try to perform a state rule, and seem to work.

Mauro
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 41739400
Assuming the internal DMZ IP is 172.16.1.1 and the dodgy external IP is 123.123.123.123, and you external interface is called outside.


object-group network OBJ-Public-Dodgy-Servers
 network-object host 123.123.123.123
!
object-group network OBJ-Internal-DMZ-Servers
 network-object host 172.16.1.1
!
access-list ACL-MPF extended permit ip object-group OBJ-Public-Dodgy-Servers object-group OBJ-Internal-DMZ-Servers
!
class-map CM-MPF
match access-list ACL-MPF
!
policy-map PM-MPF
class CM-MPF
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 75
!
service-policy PM-MPF interface outside
0
 

Author Comment

by:Pelitti
ID: 41740535
Hi,
thank you.
I don't now the specific address so i will apply this to everyone, 0.0.0.0, but in this case i will also limit the good connections.

Mauro
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41740975
Hi Mauro,

Yes but the default is 'limitless' so this is a good thing :)

Pete
1

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question