topic Hi,These "syn-attack" in Network Security

Conception problem of max connection and maximum per client

Machi Ma — Tue, 12 Mar 2019 05:37:47 GMT

Hello,

Some conception about connection max and max per client. Following example say inside network is 100.100.100.0/24 and now limit the connection for each connecting from OUTSIDE

----

access-list conns-traffic extended permit ip any 100.100.100.0 255.255.255.0

class-map conns
match access-list conns-traffic

policy-map conns-policy
class CONNECTIONS
set connection per-client-max 20 per-client-embryonic-max 10
set connection conn-max 1000 embryonic-conn-max 500

service-policy conns-policy interface OUTSIDE

----

> set connection per-client-max 20 per-client-embryonic-max 10

Q1. That means each Internet clients can create max 20 connection and 10 embryonic connection into EACH client of inside network?

> set connection conn-max 1000 embryonic-conn-max 500

Q2. That means the maximum connection can establish to EACH client of inside network is 1000 and embryonic connection is 500?

Thanks!

Hi,As per the 1st query ,

Vibhor Amrodia — Thu, 12 Mar 2015 07:08:30 GMT

Hi,

As per the 1st query , That means each Internet clients can create max 20 connection and 10 embryonic connection into EACH client of inside network?

Partially correct. This means that each internet client would be able to create 20 Connections at max to the complete inside network and same for embryonic connections.

2nd query:- Total 1000 connections would be allowed from 'ANY' ip address to the Internal Network and not for each client. Same will be for the embryonic limit.

Thanks and Regards,

Vibhor Amrodia

Hi,Thanks.Another conception

Machi Ma — Thu, 12 Mar 2015 07:56:29 GMT

Hi,

Thanks.

Another conception question is one of parameter from threat-detection called 'syn-attack'. From some material saying that embryonic-conn-max or per-client-embryonic-max can protect some syn-flood attack.

Does two of them have some conflict? or they can cover either them?

Thanks!

Hi,These "syn-attack"

Vibhor Amrodia — Thu, 12 Mar 2015 08:06:09 GMT

Hi,

These "syn-attack" messages mostly appear when you receive these messages on the syslog:-

%ASA-6-302014 syslog with teardown reason of "SYN Timeout"

If you limit the number of embryonic on the per client basis , it would be more effective but than you have to come up with a number as per your environment.

You can also apply the complete Device limit with embryonic-conn-max and obviously the number would be much higher.

Thanks and Regards,

Vibhor Amrodia