996 Views | 0 Helpful | 3 Replies
Beginner

ASA SYN Port scanning protection through embryonic limit setup ?

Dear All,

After reading the following link:

http://www.mail-archive.com/ccie_security@onlinestudylist.com/msg09073.html

I discovered that it would be possible to be protected from port scans; I mean, when someone scans our network/host from outside, the attacker will see all 65535 ports as "open" (in that way it will be more difficult for an attacker to perform customized attacks...)

So I have followed the setup in that link:

policy-map global_policy
 class class-default
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
!
service-policy global_policy global

The problem is that I don't have the expected result...

If I do a port scan over the Internet from an external host to my hosts, the port scan works successfully and I can view my open ports...

I have also tried to set this through a "match" in an access-list, but without any success...

Maybe some of you have experimented with this?

Best regards,

3 REPLIES
Beginner

ASA SYN Port scanning protection through embryonic limit setup ?

Hi,

Enable uRPF; that will be useful for you.

Rajeswar.

Beginner

ASA SYN Port scanning protection through embryonic limit setup ?

Dear Rajeswar,

Thank you for this answer, but it seems that uRPF does not fit exactly what I wanted to do...

(flood the attacker with fake responses)

So my question regarding embryonic connection limitation still exists.

David

Cisco Employee

ASA SYN Port scanning protection through embryonic limit setup ?

Hi David,

Even if you have an embryonic limit set, it does not imply that the ASA will allow a maximum of 15 connections and deny any further connections to the hosts specified by the class-map. Please read the below page for details on what the ASA exactly does using TCP intercept:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

It will mainly be useful in protecting against DoS attacks on your servers where connections are originated from spoofed source IP addresses. I hope that answers your question about embryonic connection limits.

I am still not sure what exactly you are trying to achieve by way of this? Please clarify it for us.

Regards,

Prapanch
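To make Prapanch's point concrete, here is an added example (not Cisco code, not from anyone in this thread): a simplified model of what the embryonic limit counts. An embryonic connection is one whose SYN has been seen but whose three-way handshake has not completed. The limit only engages once that count is exceeded, so a sequential port scan, where every probe is answered (SYN-ACK or RST) before the next one is sent, never accumulates half-open connections and the limit never triggers; a spoofed SYN flood, whose handshakes never complete, does. The thresholds are the ones from the thread (15 total, 3 per client); the IP addresses are constructed documentation addresses, and the tracker is a teaching model, not the ASA's real TCP intercept implementation.

```python
"""Toy model of the ASA embryonic-connection limit (assumed, simplified).

An embryonic (half-open) connection = SYN seen, handshake not completed.
When the configured limit is exceeded, the ASA hands further SYNs to
TCP intercept instead of forwarding them; this model just records that.
"""
from dataclasses import dataclass, field


@dataclass
class EmbryonicTracker:
    conn_max: int = 15          # embryonic-conn-max from the thread
    per_client_max: int = 3     # per-client-embryonic-max from the thread
    # (src, dst, dport) of every connection that is currently half-open
    half_open: set = field(default_factory=set)
    # SYNs that arrived while a limit was exceeded (would go to TCP intercept)
    intercept_events: list = field(default_factory=list)

    def _half_open_for(self, src: str) -> int:
        return sum(1 for (s, _, _) in self.half_open if s == src)

    def syn(self, src: str, dst: str, dport: int) -> str:
        """Client SYN seen. Returns 'forward' or 'intercept'."""
        if (len(self.half_open) >= self.conn_max
                or self._half_open_for(src) >= self.per_client_max):
            self.intercept_events.append((src, dst, dport))
            return "intercept"
        self.half_open.add((src, dst, dport))
        return "forward"

    def handshake_done(self, src: str, dst: str, dport: int) -> None:
        """Handshake completed, reset, or timed out: no longer embryonic."""
        self.half_open.discard((src, dst, dport))


def sequential_port_scan(ports, src="203.0.113.10", dst="192.0.2.5") -> int:
    """One probe at a time; each SYN is answered before the next is sent.

    Returns how many SYNs hit the limit (expected: 0, the count never grows).
    """
    tracker = EmbryonicTracker()
    for port in ports:
        tracker.syn(src, dst, port)
        tracker.handshake_done(src, dst, port)   # SYN-ACK/ACK or RST seen
    return len(tracker.intercept_events)


def spoofed_syn_flood(count: int, dst="192.0.2.5", dport=80) -> int:
    """SYNs from many constructed spoofed sources that never complete.

    Returns how many SYNs hit the total limit (first 15 forward, rest intercept).
    """
    tracker = EmbryonicTracker()
    for i in range(count):
        tracker.syn(f"198.51.100.{i % 250 + 1}", dst, dport)
    return len(tracker.intercept_events)


def single_source_burst(count: int, src="203.0.113.10", dst="192.0.2.5") -> int:
    """Parallel half-open SYNs from one source to distinct ports.

    Returns how many SYNs hit the per-client limit (first 3 forward, rest intercept).
    """
    tracker = EmbryonicTracker()
    for port in range(1, count + 1):
        tracker.syn(src, dst, port)
    return len(tracker.intercept_events)


if __name__ == "__main__":
    print("sequential scan of 1000 ports, intercepted:", sequential_port_scan(range(1, 1001)))
    print("spoofed flood of 20 SYNs, intercepted:", spoofed_syn_flood(20))
    print("single source, 10 parallel half-open, intercepted:", single_source_burst(10))
```

The model shows why the original poster's scan still reported accurate results: the limit acts on the number of outstanding half-open connections, not on whether a port is open, so it neither hides closed ports nor blocks a scanner that keeps its probe count low. Use the real ASA counters (`show conn` / `show service-policy`) rather than this model to confirm what the appliance is doing in your environment.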
