topic Mitigating syn attack on asa 5520 in Network Security

Mitigating syn attack on asa 5520

power.srvi — Mon, 11 Mar 2019 22:53:47 GMT

hi,

im using a cisco 5520 with 8.4, i try to test my appliance with a syn attack on my published server behind my asa on port 80 and this really really put out of the game my firewall.

i used hping security test tool with this commaband .hping -i u1 -S -p 80

So can someone tell me how toprevent this attacks on my firewall.

regards

Mitigating syn attack on asa 5520

Julio Carvajal — Fri, 13 Apr 2012 22:30:58 GMT

Hello Power,

How to prevent a SYN attack on an ASA:

I would recommend to use the maximum amount of embryonic connections and the Time-out for the embryonic connections, this can be configured using the MPF

I am going to use the next example provided by CISCO to show you how it is configured:

ciscoasa(config)#class-map tcp_syn

ciscoasa(config-cmap)#match port tcp eq 80

ciscoasa(config-cmap)#exit

ciscoasa(config)#policy-map tcpmap

ciscoasa(config-pmap)#class tcp_syn

ciscoasa(config-pmap-c)#set connection conn-max 100

ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200

ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10

ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45

ciscoasa(config-pmap-c)#exit

ciscoasa(config-pmap)#exit

ciscoasa(config)#service-policy tcpmap global

Configured this, give it a try and see how it works.

Regards,

Julio

DO rate all the helpful posts!!!

Mitigating syn attack on asa 5520

power.srvi — Sat, 14 Apr 2012 10:48:50 GMT

hi jcar

i tryed this exemple and when i test the security usind this syn flood attack the cpu of the asa 5520 overload and use 100% of his capabilities!!!

the published websites becaume down and vpn unstables.

regards

Mitigating syn attack on asa 5520

Julio Carvajal — Sat, 14 Apr 2012 18:26:21 GMT

Hello,

What version are you running?? That should not happened.

Please read the following link, the one I used to provide you the information.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Mitigating syn attack on asa 5520

power.srvi — Sun, 15 Apr 2012 17:10:32 GMT

hello,

im using a cisco 5520 running 8.4.1 firmware and asdm 6.4

i use this documents before i post a help on the cisco forum !!!

regards

Mitigating syn attack on asa 5520

Julio Carvajal — Sun, 15 Apr 2012 18:21:13 GMT

Hello,

So next time would be good to know all the procesures you have done before posting the question, this would make us help you on a better way and so much faster!!!!

Please provide the running configuration with the MPF setup...

Mitigating syn attack on asa 5520

power.srvi — Mon, 16 Apr 2012 21:46:56 GMT

hi,

this a copy paste of my asa 5520, i cut off the vpn and other unecessary informations

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address xxxxxxxxxxx

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

<--- More --->

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

security-level 0

no ip address

interface Redundant1

member-interface GigabitEthernet0/1

member-interface GigabitEthernet0/2

no nameif

security-level 50

no ip address

interface Redundant1.3

vlan 3

nameif inside

security-level 50

ip address xxxxxxxxxxxxxxxxxx

interface Redundant1.x

vlan 5

nameif DMZ

security-level 49

ip address xxxxxxxxxxxxxxxxxxxxxxxxx

boot config disk0:/run-cfg-16-03-12

ftp mode passive

clock timezone gmt+1 1

dns domain-lookup outside

dns server-group DefaultDNS

name-server xxxxxxxxxxxxx

domain-name xxxxxxx

dns server-group Gcc-DNS

name-server xxxxxxxxxxxxxxxx

domain-name xxxxxxxxxxxxxxx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

pager lines 24

logging enable

logging list auth level emergencies class auth

logging trap warnings

logging history warnings

logging asdm debugging

logging mail auth

logging host inside xxxxxxxxxx

logging permit-hostdown

flow-export destination inside xxxxxxxxxxxx 9996

flow-export delay flow-create 10

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface DMZ

ip audit name attackdrop attack action drop

ip audit interface outside attackdrop

ip audit interface DMZ attackdrop

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

asdm history enable

arp timeout 14400

access-group OUTSIDE_IN_ACL in interface outside

access-group inside_access_in_2 in interface inside control-plane

access-group inside_access_in_1 in interface inside

<--- More --->

route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1

timeout xlate 3:00:00

timeout conn 4:00:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

class-map tcp_syn

match port tcp eq www

class-map inside-class

match dscp ef

class-map inside-class1

match port udp eq sip

policy-map tcpmap

class tcp_syn

set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10

set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00

Mitigating syn attack on asa 5520

marcelogalvan — Mon, 18 Jun 2012 13:52:52 GMT

Power I have the same problem.

How do you resolve that?

Thanks in advance.