Solved

New Rules on SourceFire ASAx

Posted on 2016-08-02
5
41 Views
Last Modified: 2016-08-10
I need to control a dos attack performed by several request.
I will like to perform this by a new rules.
What i need is something like: This url is ok if an ip address perform a request in a second, is not ok and i need to drop it if an ip address perform 8-10 request in 2 seconds.

Thank you.

Mauro
0
Comment
Question by:Pelitti
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 41738936
More info:

Where is the URL pointing? Is it outside the ASA? If so are you assuming your internal clients are performing a DDOS attack? or is it a service you are offering that you don't want attacking? from external IP addresses? (if thats the case then why URL and not IP address/range)

Pete
0
 

Author Comment

by:Pelitti
ID: 41738969
My goal is stop ddos attack from any ip to a service in the dmz firewall.
I need to leave the url open from regular workload, but i need to stop intensive use of this url from an unique ip.

I try to perform a state rule, and seem to work.

Mauro
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 41739400
Assuming the internal DMZ IP is 172.16.1.1 and the dodgy external IP is 123.123.123.123, and you external interface is called outside.


object-group network OBJ-Public-Dodgy-Servers
 network-object host 123.123.123.123
!
object-group network OBJ-Internal-DMZ-Servers
 network-object host 172.16.1.1
!
access-list ACL-MPF extended permit ip object-group OBJ-Public-Dodgy-Servers object-group OBJ-Internal-DMZ-Servers
!
class-map CM-MPF
match access-list ACL-MPF
!
policy-map PM-MPF
class CM-MPF
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 75
!
service-policy PM-MPF interface outside
0
 

Author Comment

by:Pelitti
ID: 41740535
Hi,
thank you.
I don't now the specific address so i will apply this to everyone, 0.0.0.0, but in this case i will also limit the good connections.

Mauro
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41740975
Hi Mauro,

Yes but the default is 'limitless' so this is a good thing :)

Pete
1

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now