962 Views | 0 Helpful | 3 Replies

Cisco ACE DoS

belaldarwish (Level 1)

We have a security scanning tool that has overloaded the ACE during its scans due to the high number of connections it creates towards the servers.

I would like to configure the ACE so that it can protect itself from DoS attacks; specifically, I want the ACE to be able to limit the rate of incoming connections.

I came across the feature "Configuring Rate Limits for a Policy Map", in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/tcpipnrm.html#wp1125308

But I am not sure how the policy map is applied. Is the configured limit-rate applied per server farm/VIP, or per interface? Should I configure the rate-limit class map under the load balance policy, or under a separate policy?

I found the below statement in here: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/parammap.html#wp1195366

"The ACE applies these rate limits to each class map that you associate with the policy at the virtual server level."

What does the above statement mean?

3 Replies

Jorge Bejarano (Level 4)
Hi, 

Try the following:

host1/Admin(config)# parameter-map type connection RATE-LIMIT-TAC
host1/Admin(config-parammap-conn)# rate-limit connection 100000

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 50
    connection advanced-options RATE-LIMIT-TAC >>>> apply it here!

Jorge

Mark it if it was useful


Thank you.

According to the document, the parameter map is applied to a Virtual Server through the command

connection advanced-options

But what I actually want to achieve is to make the box protect itself, and not the servers/virtual servers. This is because the security scanning tool overloads the ACE itself, making it unavailable, and causing an outage for all server farms.

What I am looking for is a global command that applies to the ACE, that will limit the overall connections coming into the server, without specifying a virtual server/real server.

Hi,

You can also try this:

To limit the maximum number of ACE connections, create a resource class and then use the following commands:

Through-the-ACE connections: limit-resource conc-connections

To-the-ACE connections: limit-resource mgmt-connections

Make sure that you assign the current context to the resource class.

For details on security features on the ACE, I would also suggest going through the below link:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/security/guide/tcpipnrm.html#wp1010556

Let me know if that helps.

Regards,

Kanwal
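As an added illustration of the resource-class approach described in this reply (example configuration, not taken from the thread or from Cisco's documentation), the following fragment is entered in the Admin context; the class name RC-SCAN-GUARD, the context name VC-PROD and the percentage values are constructed and should be sized from "show resource usage" on the actual appliance. The "limit-resource rate connections" line is an assumption based on the ACE resource-class syntax and is not mentioned in the reply above.

```cisco
! Added example: cap what one context may consume so a connection flood
! towards that context's VIPs cannot exhaust the whole ACE.
! Entered in the Admin context. Names and percentages are constructed.
resource-class RC-SCAN-GUARD
  ! everything not listed below keeps the default (no guaranteed share)
  limit-resource all minimum 0.00 maximum unlimited
  ! through-the-ACE concurrent connections (client -> VIP -> real server)
  limit-resource conc-connections minimum 20.00 maximum equal-to-min
  ! new through-the-ACE connections per second (assumed keyword: rate connections)
  limit-resource rate connections minimum 20.00 maximum equal-to-min
  ! to-the-ACE (management) connections, so SSH/SNMP stay reachable under load
  limit-resource mgmt-connections minimum 5.00 maximum equal-to-min

! the context that hosts the server farms must be made a member of the class,
! otherwise it stays in the default resource class and the limits do nothing
context VC-PROD
  member RC-SCAN-GUARD
```

The limits are enforced per context rather than per VIP, so the ACE as a whole keeps capacity for management traffic and for other contexts even when the scanned context hits its ceiling; "show resource usage" shows the current consumption and denials against each limit.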