Solved

New Rules on SourceFire ASAx

Posted on 2016-08-02
5
44 Views
Last Modified: 2016-08-10
I need to control a dos attack performed by several request.
I will like to perform this by a new rules.
What i need is something like: This url is ok if an ip address perform a request in a second, is not ok and i need to drop it if an ip address perform 8-10 request in 2 seconds.

Thank you.

Mauro
0
Comment
Question by:Pelitti
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 41738936
More info:

Where is the URL pointing? Is it outside the ASA? If so are you assuming your internal clients are performing a DDOS attack? or is it a service you are offering that you don't want attacking? from external IP addresses? (if thats the case then why URL and not IP address/range)

Pete
0
 

Author Comment

by:Pelitti
ID: 41738969
My goal is stop ddos attack from any ip to a service in the dmz firewall.
I need to leave the url open from regular workload, but i need to stop intensive use of this url from an unique ip.

I try to perform a state rule, and seem to work.

Mauro
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 41739400
Assuming the internal DMZ IP is 172.16.1.1 and the dodgy external IP is 123.123.123.123, and you external interface is called outside.


object-group network OBJ-Public-Dodgy-Servers
 network-object host 123.123.123.123
!
object-group network OBJ-Internal-DMZ-Servers
 network-object host 172.16.1.1
!
access-list ACL-MPF extended permit ip object-group OBJ-Public-Dodgy-Servers object-group OBJ-Internal-DMZ-Servers
!
class-map CM-MPF
match access-list ACL-MPF
!
policy-map PM-MPF
class CM-MPF
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 75
!
service-policy PM-MPF interface outside
0
 

Author Comment

by:Pelitti
ID: 41740535
Hi,
thank you.
I don't now the specific address so i will apply this to everyone, 0.0.0.0, but in this case i will also limit the good connections.

Mauro
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41740975
Hi Mauro,

Yes but the default is 'limitless' so this is a good thing :)

Pete
1

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now