cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
934
Views
0
Helpful
1
Replies

About TCP SYN Attack

marcelogalvan
Level 1
Level 1

I tryied this:

ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80
ciscoasa(config-cmap)#exit
ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 7
ciscoasa(config-pmap-c)#set connection per-client-max 5
ciscoasa(config-pmap-c)#set connection random-sequence-number enable
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)#exitciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy tcpmap interface outside

But the results were not what we expected. All our navigation slowed.

My intention is to prevent DoS attacks to a single web server I have in the DMZ.

I would appreciate any help.



1 Reply 1

Hi Bro

I believe you've referred to this Cisco document http://cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

You're actually almost there. Here's how you can redefine your MFP

access-list 100 remark ### DMZ Server ###

access-list 100 permit tcp any host 192.168.10.33

access-list 100 permit tcp any host 202.188.172.33

class-map CM_DMZ_SERVER1

match access-list 100

policy-map PM_DMZ_SERVER1

  class CM_DMZ_SERVER1

    set connection conn-max 100

    set connection embryonic-conn-max 200

    set connection per-client-embryonic-max 7

    set connection per-client-max 5

    set connection random-sequence-number enable

    set connection timeout embryonic 0:0:45


service-policy PM_DMZ_SERVER1 interface outside

P/S: If you think the comments are useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
Review Cisco Networking for a $25 gift card