TCP connection limit

S891 · ‎06-09-2015

Hi,

I would like to limit scanning and syn flooding on ASA. I am thinking I can restrict any outside host to only be able to initiate maximum 500 tcp connections total to inside host at a given time it would help prevent syn flood and port scan attacks.

Anyone else done this so please share config. Any other suggestion for scanning and syn-flood attack prevention?

Thanks

Vibhor Amrodia · ‎06-10-2015

Hi,

You can refer to this document for the complete configuration that you would need:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html

You need to use the "per-client-max n" value set to 500

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1627430

Example configuration:-

hostname(config)# class-map CONNS

hostname(config-cmap)# match any

hostname(config-cmap)# policy-map CONNS

hostname(config-pmap)# class CONNS

hostname(config-pmap-c)# set connection per-client-max 500

hostname(config-pmap-c)# service-policy CONNS interface outside

NOTE:- Match the specific traffic that you want to match this limit restriction onto.

Thanks and Regards,

Vibhor Amrodia

TCP connection limit

TCP Out-of-Order | 在复杂网络环境中排查 TCP 传输慢的问题

Forward Error Connection 'FEC'

如何解决 TCP data backup 慢的问题

ASA: Terminating TCP-Proxy connection from xxxx: reassembly limit of 8192 bytes exceeded

Nexus 9000 シリーズ : limit-resource u4route-mem / u6route-mem コマンドについて