Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

New Rules on SourceFire ASAx

Posted on 2016-08-02
5
Medium Priority
?
64 Views
Last Modified: 2016-08-10
I need to control a dos attack performed by several request.
I will like to perform this by a new rules.
What i need is something like: This url is ok if an ip address perform a request in a second, is not ok and i need to drop it if an ip address perform 8-10 request in 2 seconds.

Thank you.

Mauro
0
Comment
Question by:Pelitti
  • 3
  • 2
5 Comments
 
LVL 58

Expert Comment

by:Pete Long
ID: 41738936
More info:

Where is the URL pointing? Is it outside the ASA? If so are you assuming your internal clients are performing a DDOS attack? or is it a service you are offering that you don't want attacking? from external IP addresses? (if thats the case then why URL and not IP address/range)

Pete
0
 

Author Comment

by:Pelitti
ID: 41738969
My goal is stop ddos attack from any ip to a service in the dmz firewall.
I need to leave the url open from regular workload, but i need to stop intensive use of this url from an unique ip.

I try to perform a state rule, and seem to work.

Mauro
0
 
LVL 58

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 41739400
Assuming the internal DMZ IP is 172.16.1.1 and the dodgy external IP is 123.123.123.123, and you external interface is called outside.


object-group network OBJ-Public-Dodgy-Servers
 network-object host 123.123.123.123
!
object-group network OBJ-Internal-DMZ-Servers
 network-object host 172.16.1.1
!
access-list ACL-MPF extended permit ip object-group OBJ-Public-Dodgy-Servers object-group OBJ-Internal-DMZ-Servers
!
class-map CM-MPF
match access-list ACL-MPF
!
policy-map PM-MPF
class CM-MPF
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 75
!
service-policy PM-MPF interface outside
0
 

Author Comment

by:Pelitti
ID: 41740535
Hi,
thank you.
I don't now the specific address so i will apply this to everyone, 0.0.0.0, but in this case i will also limit the good connections.

Mauro
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 41740975
Hi Mauro,

Yes but the default is 'limitless' so this is a good thing :)

Pete
1

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question