Mitigating DoS attacks on a Cisco ASA
In this example we will configure the Modular Policy Framework (MPF) to define a set of connection limits. This provides a basic means
of protecting your environment against DoS attacks, in particular TCP SYN floods and connection-exhaustion attacks against hosts behind the firewall.
DEFINE TRAFFIC
First of all we define which traffic the MPF policy will be applied to. In the example below the host 8.8.8.8 is excluded whilst
all other traffic is matched. Note that a deny entry in an access-list used by a class-map means "do not match this traffic"; it does not block it.
ciscoasa(config)# access-list mpf-policy-acl extended deny ip host 8.8.8.8 any
ciscoasa(config)# access-list mpf-policy-acl extended permit ip any any
CREATE CLASS-MAP
Next we assign the previously created access-list to a class-map.
ciscoasa(config)# class-map mpf-policy
ciscoasa(config-cmap)# match access-list mpf-policy-acl
ciscoasa(config-cmap)# exit
CREATE POLICY-MAP
Then a policy-map is created and the necessary connection limits defined.
ciscoasa(config)# policy-map mpf-policy-map
ciscoasa(config-pmap)# class mpf-policy
ciscoasa(config-pmap-c)# set connection conn-max 9500
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 5000
ciscoasa(config-pmap-c)# set connection per-client-embryonic-max 100
ciscoasa(config-pmap-c)# set connection per-client-max 75
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
Here conn-max caps the total number of simultaneous connections for the matched traffic and embryonic-conn-max caps the total number of half-open (SYN received, handshake not yet complete) TCP connections; the per-client variants apply the same caps per source host. The values above are examples and should be sized to the traffic the protected servers normally handle, otherwise the limits themselves become the denial of service.
ASSIGN TO INTERFACE
Finally the policy-map is applied to the outside interface with a service-policy. An interface can carry only one service-policy, so if the interface already has one, add the class to that existing policy-map instead.
ciscoasa(config)# service-policy mpf-policy-map interface outside
The applied policy and its counters can then be verified with show service-policy interface outside.
When configuring embryonic connection limits, either via MPF or within the NAT statement, TCP Intercept is enabled at the point the
threshold is reached. This feature then:
1. intercepts the client's initial SYN so that it is not passed to the backend server, and only forwards the connection to the server once the
3-way handshake with the client is complete;
2. builds a SYN cookie from header information within the packet and a secret known only to the ASA, and uses it as the
sequence number within the SYN-ACK. Because the cookie can be recomputed from the returning ACK, no resources (i.e. no entry in the connection table) are used to store the half
open connection.
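The following is an added illustration of the SYN-cookie mechanism described above; it is not code from the article and not Cisco's actual cookie format. It models a stateless handshake proxy: the cookie is a keyed hash (HMAC-SHA256, assumed here) over the 4-tuple, the client's initial sequence number and a slow-moving counter, with the counter's low byte stored in the top bits so a returning ACK can be checked against the current or the previous window. The secret key, the counter value and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import random


def syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Derive the SYN-ACK sequence number from the packet's header fields, a
    secret known only to the firewall, and a slow-moving time counter.
    Top 8 bits carry the counter (so the verifier knows which window to
    recompute); low 24 bits are a keyed hash that cannot be forged without
    the secret. Hypothetical layout, not Cisco's actual format."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


class TcpIntercept:
    """Stateless handshake proxy: answers every SYN with a cookie and keeps no
    record of it; a connection is recorded (and would be forwarded to the
    backend) only when an ACK carrying a valid cookie arrives."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.established = []  # the only state the proxy keeps

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, counter):
        """Handle a client SYN: return the SYN-ACK we would send. Nothing is
        stored, so a flood of SYNs costs one hash each and no table entry."""
        cookie = syn_cookie(self.secret, src_ip, src_port, dst_ip, dst_port,
                            client_isn, counter)
        return {"flags": "SYN-ACK", "seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, counter):
        """Handle the final ACK. In the ACK, seq == client_isn + 1 and
        ack == cookie + 1, so both inputs can be rebuilt from the packet.
        Accept the cookie for the current or the previous counter window."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        cookie = (ack - 1) & 0xFFFFFFFF
        for window in (counter, counter - 1):
            if (cookie >> 24) != (window & 0xFF):
                continue
            expected = syn_cookie(self.secret, src_ip, src_port, dst_ip, dst_port,
                                  client_isn, window)
            if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.established.append((src_ip, src_port, dst_ip, dst_port))
                return True
        return False


def demo(flood_size=10_000, seed=1):
    """Constructed scenario: a spoofed SYN flood, one legitimate handshake and
    one forged ACK. Returns (connections stored during the flood, legitimate
    client accepted, forged ACK accepted, final connection count)."""
    rng = random.Random(seed)
    fw = TcpIntercept(secret=b"constructed-secret-known-only-to-the-firewall")
    counter = 100  # e.g. time() // 64; fixed here so the run is deterministic
    server = ("203.0.113.10", 80)

    # Spoofed sources never answer the SYN-ACK, so they never become entries.
    for _ in range(flood_size):
        src = f"198.51.100.{rng.randrange(256)}"
        fw.on_syn(src, rng.randrange(1024, 65536), *server, rng.randrange(2**32), counter)
    stored_during_flood = len(fw.established)

    # A real client answers with cookie + 1 and is let through to the server.
    synack = fw.on_syn("192.0.2.7", 40000, *server, 1000, counter)
    legit_ok = fw.on_ack("192.0.2.7", 40000, *server, 1001, synack["seq"] + 1, counter)

    # An attacker guessing an ACK number (plausible window byte, no valid
    # hash) is rejected without the server ever seeing the connection.
    forged_ok = fw.on_ack("192.0.2.8", 40001, *server, 1, 0x64000001, counter)

    return stored_during_flood, legit_ok, forged_ok, len(fw.established)


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is that the 10,000 spoofed SYNs leave nothing behind in the proxy, because everything needed to validate the handshake is carried in the ACK itself; the only cost of the flood is one HMAC per SYN. Binding the 4-tuple into the cookie also means a cookie harvested for one source port cannot be replayed for another.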
It is also good to know that connection limits applied within a policy-map only count fully established connections.
This means that should one side, such as the attacker, half close a connection (i.e. send a FIN), those half-closed connections no longer
count towards the current connection count within MPF, which in turn allows further connections to be sent through the firewall.
This only really presents an issue with poorly built applications where the server side does not close its own side of the connection;
in most cases this caveat does not present a problem.
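As an added example, not taken from the article, the model below shows how the four limits above and the half-close caveat interact. It follows the article's description (embryonic limits count half-open connections; conn-max and per-client-max count only established ones; a half-closed entry stops counting and is removed only when both sides have closed). The decisions taken when a limit is hit (hand off to TCP Intercept for the embryonic limits, drop for the established limits) and the tiny limit values, addresses and ports are modelling assumptions for the example, not the ASA's implementation.

```python
class ConnTable:
    """Model of the counters behind the 'set connection' limits. Following the
    article: embryonic (half-open) connections count toward the embryonic
    limits; conn-max and per-client-max count only fully established
    connections; a half-closed connection (one side has sent a FIN) stops
    counting and is removed only once both sides have closed."""

    EMBRYONIC, ESTABLISHED, HALF_CLOSED = "embryonic", "established", "half-closed"

    def __init__(self, conn_max, embryonic_conn_max, per_client_max, per_client_embryonic_max):
        self.conn_max = conn_max
        self.embryonic_conn_max = embryonic_conn_max
        self.per_client_max = per_client_max
        self.per_client_embryonic_max = per_client_embryonic_max
        self.conns = {}  # (client_ip, client_port) -> state

    def count(self, state, client=None):
        return sum(1 for (ip, _), s in self.conns.items()
                   if s == state and (client is None or ip == client))

    def syn(self, client, port):
        """Decision for a new SYN. Modelling assumption: the embryonic limits
        hand the handshake to TCP Intercept, the established limits drop."""
        if (self.count(self.EMBRYONIC) >= self.embryonic_conn_max or
                self.count(self.EMBRYONIC, client) >= self.per_client_embryonic_max):
            return "INTERCEPT"  # SYN answered with a cookie, no table entry yet
        if (self.count(self.ESTABLISHED) >= self.conn_max or
                self.count(self.ESTABLISHED, client) >= self.per_client_max):
            return "DROP"
        self.conns[(client, port)] = self.EMBRYONIC
        return "ALLOW"

    def handshake_done(self, client, port):
        self.conns[(client, port)] = self.ESTABLISHED

    def fin(self, client, port):
        """One side closes: the first FIN makes the entry half-closed (no longer
        counted toward conn-max/per-client-max); the second FIN removes it."""
        key = (client, port)
        if self.conns[key] == self.HALF_CLOSED:
            del self.conns[key]
        else:
            self.conns[key] = self.HALF_CLOSED


def demo():
    """Constructed scenario with small limits so the effect is visible."""
    t = ConnTable(conn_max=4, embryonic_conn_max=10,
                  per_client_max=3, per_client_embryonic_max=2)
    attacker, other = "198.51.100.9", "198.51.100.10"
    r = {}

    # 1. Attacker completes three handshakes; the fourth SYN exceeds per-client-max.
    for p in (50001, 50002, 50003):
        t.syn(attacker, p)
        t.handshake_done(attacker, p)
    r["fourth_syn"] = t.syn(attacker, 50004)

    # 2. Attacker half-closes all three; a poorly built server application
    #    never closes its side, so the entries linger but stop counting.
    for p in (50001, 50002, 50003):
        t.fin(attacker, p)
    r["established_after_fin"] = t.count(ConnTable.ESTABLISHED)

    # 3. Three more connections now pass per-client-max; six entries exist.
    r["after_half_close"] = []
    for p in (50005, 50006, 50007):
        r["after_half_close"].append(t.syn(attacker, p))
        t.handshake_done(attacker, p)
    r["table_size"] = len(t.conns)

    # 4. With a well-behaved server the second FIN removes the entry.
    t.fin(attacker, 50001)
    r["after_full_close"] = len(t.conns)

    # 5. Embryonic limits: a client's third half-open SYN goes to TCP Intercept.
    t.syn(other, 60001)
    t.syn(other, 60002)
    r["third_embryonic"] = t.syn(other, 60003)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Step 3 is the caveat in practice: after the attacker's FINs the per-client count drops back to zero, so three further connections are admitted while the three half-closed ones still occupy the table. If the server application closed its side as well (step 4), the entries would be released rather than accumulate.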