Correct connection limits on asa 5510 for LAN behind
07-02-2012 01:57 AM - edited 03-11-2019 04:25 PM
Dear All!!
Need to configure connection limits for the LAN behind the ASA.
What quantities must I use:
per client
per client embryonic
totally per client
per client embryonic
(for which interface)
to provide them with internet access (http, https, pop3, pop3s, smtp, smtps) and protect the internet channel from overloading?
Labels: NGFW Firewalls
07-02-2012 02:18 AM
I need parameters for the following options
(now they are unlimited):
Maximum TCP and UDP connections
Maximum embryonic connections
Maximum per-client connections
Maximum per-client embryonic connections
07-28-2012 12:47 PM
Hi Bro
To meet your requirements, you'll need to configure QOS (TCP-MAPS), coupled with MPF. Here's a sample http://www.networkstraining.com/configuring-connection-limits-on-cisco-asa-firewalls-protect-from-dos/
P/S: If you think this comment is useful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
07-29-2012 11:29 PM
Thanks for the reply.
I am interested in which values are optimal for these parameters (which quantities are correct). For example, I use the following (see below); are they correct?
threat-detection rate dos-drop rate-interval 600 average-rate 2 burst-rate 2
threat-detection rate dos-drop rate-interval 3600 average-rate 2 burst-rate 2
threat-detection rate bad-packet-drop rate-interval 600 average-rate 2 burst-rate 2
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 2 burst-rate 2
threat-detection rate acl-drop rate-interval 600 average-rate 2 burst-rate 2
threat-detection rate acl-drop rate-interval 3600 average-rate 2 burst-rate 2
threat-detection rate conn-limit-drop rate-interval 600 average-rate 3 burst-rate 3
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 3 burst-rate 3
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 3 burst-rate 3
threat-detection rate scanning-threat rate-interval 3600 average-rate 3 burst-rate 3
threat-detection rate syn-attack rate-interval 600 average-rate 2 burst-rate 2
threat-detection rate syn-attack rate-interval 3600 average-rate 2 burst-rate 2
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 2 burst-rate 2
threat-detection rate inspect-drop rate-interval 3600 average-rate 2 burst-rate 2
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address xx.xx.xx.xx 255.255.255.240
threat-detection scanning-threat shun except ip-address xx.xx.xx.xx 255.255.255.0
threat-detection scanning-threat shun duration 1800
threat-detection statistics
threat-detection statistics host number-of-rate 2
threat-detection statistics tcp-intercept rate-interval 15 burst-rate 30 average-rate 30
threat-detection scanning-threat
threat-detection scanning-threat shun
threat-detection scanning-threat shun duration 1800
threat-detection statistics
threat-detection statistics host number-of-rate 2
threat-detection statistics tcp-intercept rate-interval 15 burst-rate 30 average-rate 30
07-30-2012 01:37 AM
Hi Bro
Having threat-detection is great, but you need to know the best values for your environment. Customizing each value is good if you know what the good values for your environment are, but as for me, I opt to remain with the default values. Hence, in most of my deployments, here's a sample of what I normally do, and that's it :-)
FW01# show run threat-detection
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.0.0.0 255.0.0.0
threat-detection statistics
Ramraj Sivagnanam Sivajanam
07-30-2012 01:57 AM
Dear Ramraj,
How can I calculate the best values for my environment?
I have used the default values, but a botnet DDoS attack downed my servers: I received a large number of TCP SYN packets from many hosts, and the appliance did not shun them, so I decided to re-configure my ASA 5510 for strict protection and enter the values which you can see above.
I also created a TCP normalization map with the following options:
TCP CHECK RETRANSMISSION
CLEAR URGENT FLAG
PAST-WINDOW SEQUENCE DROP
DROP SYN WITH DATA
VERIFY TCP CHECKSUM
SYNACK DATA DROP
INVALID ACK DROP
I displayed my config; maybe I have a mistake somewhere, and I want to know what more parameters I can configure for TCP and UDP flood protection (if yes, please give me a little example)?
P.S. I do not have any advanced security module on the ASA, only the SEC PLUS licence.
07-30-2012 03:21 AM
Hi Bro
Did you follow the URL link I gave you, as shown below?
STEP1: Identify the traffic to apply connection limits using a class map
ASA(config)# access-list CONNS-ACL extended permit ip any 10.1.1.1 255.255.255.255
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL
STEP2: Add a policy map to set the actions to take on the class map traffic
ASA(config)# policy-map CONNS-POLICY
ASA(config-pmap)# class CONNS-MAP
! The following sets connection number limits
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]
[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.
The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.
The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.
The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.
! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] {tcp hh:mm:ss
[reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}
STEP3: Apply the policy on one or more interfaces or globally
ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}
Ramraj Sivagnanam Sivajanam
07-30-2012 05:24 AM
Dear Ramraj,
My question is about the calculation method for correct values for the following parameters:
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]
[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
between 0 and 65535
This is a very big range...
Can you tell me about recommended per-host values for connection and embryonic connection quantities?
Or give me a link on how I can calculate them in the range between 0 and 65535.
07-30-2012 11:29 AM
Hi Bro
I don’t think Cisco has a guide on the best values possible with regards to this matter. These values are very subjective from one environment to another.
Cisco's default values are clearly seen in all Cisco ASA firewalls; a sample is shown below:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
However, if you want to tune it for a particular source / destination, TCP MAPS is the right way to go. I can’t provide you any more information than I have already provided. This is the best I can do.
For further details, please kindly refer to this Cisco document http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/conns_connlimits.html#wp1080734
Ramraj Sivagnanam Sivajanam
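The reply above says Cisco publishes no formula for the set connection values, and the earlier reply gives the three MPF steps (ACL, class-map, policy-map, service-policy) without saying where the numbers come from. The script below is an added example, not code from the thread, from Ramraj, or from Cisco: it sizes the four limits from a baseline of observed traffic instead of picking numbers inside 0-65535, then renders the MPF steps with the result. It assumes the common ASA "show conn" line layout (the sample lines, the 10.1.1.0/24 LAN and the "inside" interface name are constructed), treats a TCP entry whose flags lack "U" (connection up) as embryonic, and the headroom factor and per-client floors are local policy knobs, not vendor recommendations.

```python
import math
import re
from collections import defaultdict

# Constructed sample of ASA 'show conn' output (not captured from a real device).
# Assumed layout: PROTO out_if addr:port in_if addr:port, idle t, bytes n, flags f
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 inside 10.1.1.20:51234, idle 0:00:05, bytes 8820, flags UIO
TCP outside 203.0.113.10:443 inside 10.1.1.20:51235, idle 0:00:02, bytes 120, flags UIO
TCP outside 203.0.113.11:80 inside 10.1.1.20:51236, idle 0:00:01, bytes 0, flags saA
TCP outside 198.51.100.7:993 inside 10.1.1.21:40001, idle 0:01:10, bytes 4400, flags UIO
TCP outside 198.51.100.8:25 inside 10.1.1.21:40002, idle 0:00:00, bytes 0, flags saA
TCP outside 198.51.100.8:25 inside 10.1.1.21:40003, idle 0:00:00, bytes 0, flags saA
TCP outside 198.51.100.9:80 inside 10.1.1.22:33000, idle 0:00:03, bytes 2048, flags UIO
UDP outside 203.0.113.53:53 inside 10.1.1.22:5353, idle 0:00:01, bytes 96, flags -
TCP outside 203.0.113.12:443 inside 10.1.1.23:50010, idle 0:00:04, bytes 1500, flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):\d+"
    r"\s+(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):\d+.*?flags\s+(?P<flags>\S+)\s*$"
)


def parse_show_conn(text, client_if="inside"):
    """One dict per connection: proto, LAN-side client IP, embryonic or not.

    Assumption: a TCP entry whose flags lack 'U' (connection up) has not
    completed the handshake and counts as embryonic; UDP never does.
    """
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header, blank or unsupported line
        d = m.groupdict()
        if d["if_a"] == client_if:
            client = d["ip_a"]
        elif d["if_b"] == client_if:
            client = d["ip_b"]
        else:
            continue  # flow does not touch the LAN interface
        embryonic = d["proto"] == "TCP" and "U" not in d["flags"]
        conns.append({"proto": d["proto"], "client": client, "embryonic": embryonic})
    return conns


def per_client_counts(conns):
    """Map client IP -> (total connections, embryonic connections)."""
    counts = defaultdict(lambda: [0, 0])
    for c in conns:
        counts[c["client"]][0] += 1
        counts[c["client"]][1] += int(c["embryonic"])
    return {ip: tuple(v) for ip, v in counts.items()}


def _bounded(value):
    """Every set connection argument must lie between 0 and 65535."""
    if not 0 <= value <= 65535:
        raise ValueError(f"connection limit {value} is outside 0-65535")
    return value


def suggest_limits(counts, headroom=3.0, floor_conn=20, floor_emb=10):
    """Observed peak x headroom for each limit, with per-client floors.

    headroom and the floors are local policy knobs (assumed, not Cisco's);
    the floors stop a quiet sample from starving legitimate clients.
    """
    totals = list(counts.values())
    peak_conn = max((t for t, _ in totals), default=0)
    peak_emb = max((e for _, e in totals), default=0)
    return {
        "conn-max": _bounded(math.ceil(sum(t for t, _ in totals) * headroom)),
        "embryonic-conn-max": _bounded(math.ceil(sum(e for _, e in totals) * headroom)),
        "per-client-embryonic-max": _bounded(max(floor_emb, math.ceil(peak_emb * headroom))),
        "per-client-max": _bounded(max(floor_conn, math.ceil(peak_conn * headroom))),
    }


def render_mpf_config(limits, lan_subnet="10.1.1.0 255.255.255.0", interface="inside"):
    """Emit the thread's three MPF steps with the computed limits filled in."""
    order = ["conn-max", "embryonic-conn-max", "per-client-embryonic-max", "per-client-max"]
    args = " ".join(f"{k} {limits[k]}" for k in order)
    return "\n".join([
        f"access-list CONNS-ACL extended permit ip {lan_subnet} any",
        "class-map CONNS-MAP",
        " match access-list CONNS-ACL",
        "policy-map CONNS-POLICY",
        " class CONNS-MAP",
        f"  set connection {args}",
        f"service-policy CONNS-POLICY interface {interface}",
    ])


if __name__ == "__main__":
    counts = per_client_counts(parse_show_conn(SAMPLE_SHOW_CONN))
    for ip, (total, emb) in sorted(counts.items()):
        print(f"{ip}: {total} connections, {emb} embryonic")
    print(render_mpf_config(suggest_limits(counts)))
```

Run it against a "show conn" capture taken during a busy period rather than the nine constructed lines: the per-client peak is what per-client-max and per-client-embryonic-max protect, and the class-wide totals size conn-max and embryonic-conn-max. A client that tripped the limit later shows up as conn-limit-drop in the threat-detection statistics the thread already enables, which is the feedback loop for loosening or tightening the headroom.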
07-31-2012 02:43 AM
Thanks for the provided information!
