Solved

New Rules on SourceFire ASAx

Posted on 2016-08-02
5
54 Views
Last Modified: 2016-08-10
I need to control a dos attack performed by several request.
I will like to perform this by a new rules.
What i need is something like: This url is ok if an ip address perform a request in a second, is not ok and i need to drop it if an ip address perform 8-10 request in 2 seconds.

Thank you.

Mauro
0
Comment
Question by:Pelitti
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 41738936
More info:

Where is the URL pointing? Is it outside the ASA? If so are you assuming your internal clients are performing a DDOS attack? or is it a service you are offering that you don't want attacking? from external IP addresses? (if thats the case then why URL and not IP address/range)

Pete
0
 

Author Comment

by:Pelitti
ID: 41738969
My goal is stop ddos attack from any ip to a service in the dmz firewall.
I need to leave the url open from regular workload, but i need to stop intensive use of this url from an unique ip.

I try to perform a state rule, and seem to work.

Mauro
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 41739400
Assuming the internal DMZ IP is 172.16.1.1 and the dodgy external IP is 123.123.123.123, and you external interface is called outside.


object-group network OBJ-Public-Dodgy-Servers
 network-object host 123.123.123.123
!
object-group network OBJ-Internal-DMZ-Servers
 network-object host 172.16.1.1
!
access-list ACL-MPF extended permit ip object-group OBJ-Public-Dodgy-Servers object-group OBJ-Internal-DMZ-Servers
!
class-map CM-MPF
match access-list ACL-MPF
!
policy-map PM-MPF
class CM-MPF
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 75
!
service-policy PM-MPF interface outside
0
 

Author Comment

by:Pelitti
ID: 41740535
Hi,
thank you.
I don't now the specific address so i will apply this to everyone, 0.0.0.0, but in this case i will also limit the good connections.

Mauro
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41740975
Hi Mauro,

Yes but the default is 'limitless' so this is a good thing :)

Pete
1

Featured Post

How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question