
Mitigating DoS attacks on a Cisco ASA


Written on 06 January 2012. Posted in Cisco (/Firewalls/Cisco/)

Within this example we will configure the Modular Policy Framework (MPF) to define a range of connection limits. This provides a basic means
of protecting your environment against DoS attacks.

DEFINE TRAFFIC
First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst
inspecting all other traffic.

ciscoasa(config)# access-list mpf-policy-acl extended deny ip host 8.8.8.8 any
ciscoasa(config)# access-list mpf-policy-acl extended permit ip any any

CREATE CLASS-MAP
Next we assign the previously created access-list to a class-map.

ciscoasa(config)# class-map mpf-policy
ciscoasa(config-cmap)# match access-list mpf-policy-acl
ciscoasa(config-cmap)# exit

CREATE POLICY-MAP
Then a policy-map is created and the necessary connection limits defined.

ciscoasa(config)# policy-map mpf-policy-map
ciscoasa(config-pmap)# class mpf-policy
ciscoasa(config-pmap-c)# set connection conn-max 9500
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 5000
ciscoasa(config-pmap-c)# set connection per-client-embryonic-max 100
ciscoasa(config-pmap-c)# set connection per-client-max 75
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

ASSIGN TO INTERFACE
Finally, the policy-map is applied to an interface via a service-policy.

ciscoasa(config)# service-policy mpf-policy-map interface outside

NOTE AROUND TCP INTERCEPT

When configuring embryonic connection limits, either via MPF or within the NAT statement, TCP Intercept is enabled at the point
the threshold is reached. This feature then:

1. intercepts the initial SYN so that it never reaches the backend server, and only forwards the connection once the 3-way
handshake is complete,
2. builds a SYN cookie from header information within the packet and a password (known only to the ASA), which it uses as the
sequence number within the SYN-ACK. This means no resources (i.e. the connection table) are used to store the half-open
connection.
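The stateless SYN-cookie handshake described in the two points above, as an added Python example (it is not code from the original article and not Cisco's implementation). The HMAC-SHA256 construction, the choice of header fields (the 4-tuple plus the client's initial sequence number), the device secret and the RFC 5737 addresses are all assumptions made for illustration; the ASA's actual cookie algorithm is not documented on this page.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


def _cookie_input(src_ip, src_port, dst_ip, dst_port, client_isn):
    """Pack the header fields the cookie is derived from: the 4-tuple plus the client's ISN."""
    return struct.pack(
        "!4sH4sHI",
        ipaddress.IPv4Address(src_ip).packed, src_port,
        ipaddress.IPv4Address(dst_ip).packed, dst_port,
        client_isn & MASK32,
    )


def make_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn):
    """Derive the 32-bit sequence number for the SYN-ACK from the packet headers and a
    secret known only to the intercepting device. HMAC-SHA256 truncated to 32 bits is an
    assumption for this example, not the ASA's algorithm."""
    digest = hmac.new(secret, _cookie_input(src_ip, src_port, dst_ip, dst_port, client_isn),
                      hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def handle_syn(secret, syn):
    """Answer a client SYN on behalf of the backend server. Nothing is written to a
    connection table: the cookie carried in the SYN-ACK is all the state needed."""
    cookie = make_cookie(secret, syn["src_ip"], syn["src_port"],
                         syn["dst_ip"], syn["dst_port"], syn["seq"])
    return {
        "src_ip": syn["dst_ip"], "src_port": syn["dst_port"],
        "dst_ip": syn["src_ip"], "dst_port": syn["src_port"],
        "seq": cookie, "ack": (syn["seq"] + 1) & MASK32, "flags": "SA",
    }


def handle_ack(secret, ack):
    """Decide whether the handshake-completing ACK is genuine. The client's ISN is
    recovered from ack.seq - 1 and the cookie recomputed; only a client that actually
    received the SYN-ACK can present cookie + 1 as its ACK number. Returns True when
    the connection should now be forwarded to the backend server."""
    client_isn = (ack["seq"] - 1) & MASK32
    expected = make_cookie(secret, ack["src_ip"], ack["src_port"],
                           ack["dst_ip"], ack["dst_port"], client_isn)
    presented = (ack["ack"] - 1) & MASK32
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", presented))


def simulate(secret, flood_count=10000):
    """Run a SYN flood followed by one legitimate client through the intercept.
    Returns (legit_forwarded, forged_forwarded). All addresses are constructed."""
    # Flood: many SYNs never followed by an ACK. Each receives a SYN-ACK and is then
    # forgotten; a stateful device would have had to keep flood_count half-open entries.
    for i in range(flood_count):
        handle_syn(secret, {
            "src_ip": "203.0.113.%d" % (i % 250 + 1), "src_port": 1024 + (i % 60000),
            "dst_ip": "198.51.100.10", "dst_port": 80, "seq": (i * 7919) & MASK32,
        })

    # A legitimate client completes the three-way handshake.
    syn = {"src_ip": "192.0.2.25", "src_port": 40001,
           "dst_ip": "198.51.100.10", "dst_port": 80, "seq": 123456789}
    synack = handle_syn(secret, syn)
    ack = {"src_ip": syn["src_ip"], "src_port": syn["src_port"],
           "dst_ip": syn["dst_ip"], "dst_port": syn["dst_port"],
           "seq": synack["ack"], "ack": (synack["seq"] + 1) & MASK32}
    legit_forwarded = handle_ack(secret, ack)

    # An ACK number not derived from a SYN-ACK we sent (off by one here) is rejected.
    forged = dict(ack, ack=(ack["ack"] + 1) & MASK32)
    forged_forwarded = handle_ack(secret, forged)
    return legit_forwarded, forged_forwarded


if __name__ == "__main__":
    print(simulate(b"example-device-secret"))  # (True, False)
```

The point of the exercise is that `handle_syn` stores nothing, so the flood costs the intercepting device one HMAC per SYN and no table entries, while `handle_ack` can still tell a completed handshake from a spoofed one by recomputing the cookie from the headers alone. A production implementation additionally has to rotate the secret and encode values such as the negotiated MSS in the cookie, which this example leaves out.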

NOTE AROUND CONNECTION LIMITS

It's also good to know that a connection limit applied within a policy-map only counts fully established connections.
Should one side (such as the attacker) half-close the connection (i.e. with a FIN), then these half-closed connections would
not count towards the current connection count within MPF, in turn allowing further connections to be sent through the firewall.

This only really presents an issue with poorly built applications, where the server side does not close its side of the connection;
in most cases this caveat doesn't present an issue.
