Link to home
Start Free TrialLog in
Avatar of Pelitti
PelittiFlag for Italy

asked on

New Rules on SourceFire ASAx

I need to control a dos attack performed by several request.
I will like to perform this by a new rules.
What i need is something like: This url is ok if an ip address perform a request in a second, is not ok and i need to drop it if an ip address perform 8-10 request in 2 seconds.

Thank you.

Mauro
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

More info:

Where is the URL pointing? Is it outside the ASA? If so are you assuming your internal clients are performing a DDOS attack? or is it a service you are offering that you don't want attacking? from external IP addresses? (if thats the case then why URL and not IP address/range)

Pete
Avatar of Pelitti

ASKER

My goal is stop ddos attack from any ip to a service in the dmz firewall.
I need to leave the url open from regular workload, but i need to stop intensive use of this url from an unique ip.

I try to perform a state rule, and seem to work.

Mauro
ASKER CERTIFIED SOLUTION
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Pelitti

ASKER

Hi,
thank you.
I don't now the specific address so i will apply this to everyone, 0.0.0.0, but in this case i will also limit the good connections.

Mauro
Hi Mauro,

Yes but the default is 'limitless' so this is a good thing :)

Pete