About TCP SYN Attack

06-18-2012 08:08 AM - edited 03-11-2019 04:20 PM
I tried this:
ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 7
ciscoasa(config-pmap-c)#set connection per-client-max 5
ciscoasa(config-pmap-c)#set connection random-sequence-number enable
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap interface outside
But the results were not what we expected. All our navigation slowed.
My intention is to prevent DoS attacks to a single web server I have in the DMZ.
I would appreciate any help.
Labels: NGFW Firewalls
07-16-2012 01:27 AM
Hi Bro
I believe you've referred to this Cisco document http://cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
You're actually almost there. Here's how you can redefine your MPF:
access-list 100 remark ### DMZ Server ###
access-list 100 permit tcp any host 192.168.10.33
access-list 100 permit tcp any host 202.188.172.33
class-map CM_DMZ_SERVER1
match access-list 100
policy-map PM_DMZ_SERVER1
class CM_DMZ_SERVER1
set connection conn-max 100
set connection embryonic-conn-max 200
set connection per-client-embryonic-max 7
set connection per-client-max 5
set connection random-sequence-number enable
set connection timeout embryonic 0:0:45
service-policy PM_DMZ_SERVER1 interface outside
P.S.: If you think the comments are useful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
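An added illustration, not code from either post and not ASA software: a small Python model of why the two classifications differ. The first post's class selects every TCP/80 flow crossing the outside interface, which in this model also covers inside users' own web browsing, while the reply's access-list confines the limits to flows addressed to the DMZ server; the flow records, every address except the server's, and the counting rules are constructed and simplified.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP flow seen on the outside interface (constructed sample data)."""
    src: str
    dst: str
    dport: int
    state: str  # "syn" = handshake not completed (embryonic), "est" = established


DMZ_SERVER = "192.168.10.33"  # host address from the reply's access-list

# Constructed sample: an inside user with eight browser connections to the
# Internet, three legitimate clients of the DMZ web server, and one source
# holding ten half-open connections to it (documentation address ranges).
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"203.0.113.{n}", 80, "est") for n in range(1, 9)]
    + [Flow(f"198.51.100.{n}", DMZ_SERVER, 80, "est") for n in range(1, 4)]
    + [Flow("198.51.100.99", DMZ_SERVER, 80, "syn") for _ in range(10)]
)


def match_tcp_80(f: Flow) -> bool:
    """First post: 'match port tcp eq 80' selects every TCP/80 flow."""
    return f.dport == 80


def match_dmz_acl(f: Flow) -> bool:
    """Reply: access-list 100 selects only TCP flows addressed to the DMZ server."""
    return f.dst == DMZ_SERVER


def refused_per_client(flows, matches, per_client_max=5, per_client_embryonic_max=7):
    """Simplified model of the per-client limits: established flows count
    against per-client-max, half-open flows against per-client-embryonic-max,
    and flows outside the class are never limited. Returns {client: refused}."""
    established, embryonic, refused = Counter(), Counter(), Counter()
    for f in flows:
        if not matches(f):
            continue
        bucket, limit = (embryonic, per_client_embryonic_max) if f.state == "syn" \
            else (established, per_client_max)
        if bucket[f.src] >= limit:
            refused[f.src] += 1
        else:
            bucket[f.src] += 1
    return dict(refused)


if __name__ == "__main__":
    for name, fn in (("match port tcp eq 80", match_tcp_80), ("access-list 100", match_dmz_acl)):
        print(f"{name}: {refused_per_client(SAMPLE_FLOWS, fn)}")
```

Under the port-only class the inside user's browsing is throttled alongside the half-open flood; under the access-list class only the flood source is limited.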
