About TCP SYN Attack

marcelogalvan (Level 1)

I tried this:

ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 7
ciscoasa(config-pmap-c)#set connection per-client-max 5
ciscoasa(config-pmap-c)#set connection random-sequence-number enable
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap interface outside

But the results were not what we expected. All our navigation slowed.

My intention is to prevent DoS attacks to a single web server I have in the DMZ.

I would appreciate any help.



1 Reply

Hi Bro

I believe you've referred to this Cisco document http://cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

You're actually almost there. Here's how you can redefine your MPF:

access-list 100 remark ### DMZ Server ###
access-list 100 permit tcp any host 192.168.10.33
access-list 100 permit tcp any host 202.188.172.33

class-map CM_DMZ_SERVER1
  match access-list 100

policy-map PM_DMZ_SERVER1
  class CM_DMZ_SERVER1
    set connection conn-max 100
    set connection embryonic-conn-max 200
    set connection per-client-embryonic-max 7
    set connection per-client-max 5
    set connection random-sequence-number enable
    set connection timeout embryonic 0:0:45

service-policy PM_DMZ_SERVER1 interface outside

P.S.: If you think the comments are useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
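Added example, not part of either post above: the cut-over and verification steps that go with the ACL-scoped policy in the reply. `tcpmap` and `tcp_syn` are the names from the question, `PM_DMZ_SERVER1` and 192.168.10.33 are from the reply; the diagnosis in the comments (that the original class also caught inside users' outbound HTTP) is my reading of why "all navigation slowed", not something the posts state. The `show` commands are standard ASA commands; what they display on a given box is of course an assumption until you run them.

```cisco
! Tear down the interface-wide policy from the question. Remove the
! service-policy binding first, otherwise the policy-map cannot be deleted.
! Likely cause of the slowdown: "match port tcp eq 80" matches on destination
! port, and a service-policy on an interface applies connection limits to
! traffic in both directions through it, so every inside user's outbound web
! sessions were also capped at per-client-max 5 / per-client-embryonic-max 7.
no service-policy tcpmap interface outside
no policy-map tcpmap
no class-map tcp_syn

! Bind the ACL-scoped policy from the reply (class-map, access-list 100 and
! policy-map PM_DMZ_SERVER1 assumed configured exactly as shown above).
service-policy PM_DMZ_SERVER1 interface outside

! Check 1: the class should now only accumulate hits for traffic to the DMZ
! server; the per-class "set connection" counters show how often each limit
! (conn-max, embryonic-conn-max, per-client limits) actually dropped something.
show service-policy interface outside

! Check 2: per-host view of current TCP connection and embryonic counts against
! their limits. Run it for the server's real address from the reply, then with
! no argument to confirm inside clients no longer show a limit being applied.
show local-host 192.168.10.33
show local-host

! Check 3: make sure no other class-map or policy-map still matches port 80
! interface-wide; only the DMZ server should be subject to these limits.
show running-config class-map
show running-config policy-map
```

Before tuning the numbers, watch the embryonic-conn-max and per-client counters under normal load for a while: a limit that is hit by legitimate clients (proxies, NAT'd offices, many users behind one address) turns the DoS protection into a self-inflicted outage, which is what the original interface-wide class did to the whole site.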