Any ability to rate limit connections?

technionn
Level 1

Hi,

I'm trying to determine whether Cisco has any equivalent (in any platform) to some of the existing firewall rules within our iptables infrastructure. Specifically these ones:

-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -m state --state NEW -m recent --set --name DEFAULT --rsource

-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j LOGDROP

-A FORWARD -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT

What this does is allow port forwards on port 3389/RDP. However, if a single IP opens too many connections within a timeframe, it starts dropping new ones.

This is a critical requirement for certain security scenarios, such as preventing RDP brute forcing. A similar principle can be applied to 22/SSH.

I've had a look around; rate limiting searches generally land me on QoS-based discussions. I've seen people ask similar questions and get referred to CBAC. Whilst I can see similarly worded functions there, such as limiting "half open" connections, I don't see anything there that limits the actual number of connection attempts you can make.

Any assistance appreciated.
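
To make the behaviour of the three rules above concrete for the comparison, here is an added Python simulation of the xt_recent logic they rely on (example code, not from the poster or from Cisco). It assumes the kernel default of 20 stored timestamps per source address and uses constructed sample addresses and times.

```python
from collections import deque

IP_PKT_LIST_TOT = 20          # kernel default: timestamps kept per source address
SECONDS, HITCOUNT = 180, 4    # values from the --update rule in the post

class RecentList:
    """Models one xt_recent list (--name DEFAULT, keyed by source, --rsource)."""

    def __init__(self):
        self.stamps = {}          # source address -> ring buffer of packet times

    def set(self, src, now):
        # --set: add the address if missing and record this packet's time.
        self.stamps.setdefault(src, deque(maxlen=IP_PKT_LIST_TOT)).append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the source already has
        # at least N timestamps inside the last S seconds; unlike --rcheck, a
        # match also appends a fresh timestamp.
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        if sum(1 for t in stamps if t >= now - seconds) < hitcount:
            return False
        stamps.append(now)
        return True

def filter_new_rdp_syns(events, seconds=SECONDS, hitcount=HITCOUNT):
    """Apply the three FORWARD rules to (time, src_ip, in_iface) tuples, one
    per NEW-state SYN to port 3389, and return a verdict for each."""
    recent = RecentList()
    verdicts = []
    for now, src, iface in events:
        if iface == "eth0":                       # rules 1 and 2 carry -i eth0
            recent.set(src, now)                  # rule 1: no -j, just records
            if recent.update(src, now, seconds, hitcount):
                verdicts.append("LOGDROP")        # rule 2
                continue
        verdicts.append("ACCEPT")                 # rule 3: any interface
    return verdicts

if __name__ == "__main__":
    # Constructed sample: one source hammering RDP, one well-behaved source.
    sample = [(0, "203.0.113.5", "eth0"), (10, "203.0.113.5", "eth0"),
              (20, "203.0.113.5", "eth0"), (30, "203.0.113.5", "eth0"),
              (40, "203.0.113.5", "eth0"), (45, "198.51.100.9", "eth0"),
              (200, "203.0.113.5", "eth0"), (400, "203.0.113.5", "eth0")]
    for event, verdict in zip(sample, filter_new_rdp_syns(sample)):
        print(event, "->", verdict)
```

Because --set runs before --update, the fourth NEW connection inside 180 seconds is already the one dropped, and every dropped attempt adds stamps that keep the window open, so a source that keeps retrying stays blocked until it goes quiet.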

1 Reply

Marcin Latosiewicz
Cisco Employee

Both IOS and ASA firewall have embryonic and per-client max statements.

I would not call this feature rate limiting exactly though :-)

Now, since both of those features are stateful, they will rely on the number of (half?) open connections in their connection table rather than (if I remember my iptables) allowing up to 4 hits on this service within 180 seconds with the SYN flag set.

So no direct mapping but it gives you the added benefit of not allowing more than one connection from a given host, for example.
