ASA/ FWSM Application connection Timeouts

S891
Level 2

hi,

I am running FWSM 4.1(10). I have seen recent attacks on some hosts on certain SIP ports in the range 5060 - 5062. In one incident there were a million connections, which caused a memory-full issue on the FWSM and it stopped passing traffic.

I am wondering what methods could be used to prevent these attacks.

1. Is there an advantage/disadvantage to changing some of these default connection timeouts?

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute

2. Is it safe to reduce the UDP connection timeout?

3. What values can the SIP timeouts and h323 timeouts be set to that are safe and still not disruptive?

4. How can I limit SIP connections to, say, 100 connections only? Is that total SIP connections or host-based SIP connections?

Thanks much!!!!

5 Replies

Jouni Forss
VIP Alumni

Hi,

I would refer to the documentation below if you want to limit the number of connections on the FWSM.

It seems, though, when I compared the same sections for ASA and FWSM, that the ASA had some additional options regarding the configurations below.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/protct_f.html#wp1065885

Sadly I can't tell you anything about setting the timeouts as I'm not really familiar with SIP in general. Personally my only options would be to ask someone else or start trying out new values.

Have you been able to monitor where the connections were initiated from? Were they from all over the world? Could there be any chance of creating an ACL rule that would partially limit this problem?

I guess someone at the forums section of

https://supportforums.cisco.com/community/netpro/collaboration-voice-video

could also give you some tips on how to proceed, as they know a lot more about this area.

- Jouni

I wanted to get some idea of whether anyone has tried reducing the timeout for SIP ports 5060 - 5062. The other option could be to limit the number of SIP connections; I would like to set it to 5000 and also set the timeout to a low value like 10 - 15 minutes.

Hi,

To my understanding, the document I linked explains how to define certain traffic and set connection limits and timeouts only for that specific traffic.

hostname(config)# access-list SIP permit tcp any host x.x.x.x range 5060 5062
hostname(config)# access-list SIP permit udp any host x.x.x.x range 5060 5062
hostname(config)# class-map SIP
hostname(config-cmap)# match access-list SIP
hostname(config-cmap)# policy-map SIP
hostname(config-pmap)# class SIP
hostname(config-pmap-c)# set connection conn-max 5000 conn-rate-limit xxx
hostname(config-pmap-c)# set connection timeout embryonic x:x:x half-closed x:x:x
hostname(config-pmap-c)# set connection timeout idle x:x:x
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy SIP interface outside

- Jouni

hi Jouni,

I applied the policy exactly as you have mentioned here. But for some reason there was no hit count or connection for this policy. No ACL hits were shown. I am wondering if, when there is already a global policy, you cannot apply a policy on the interface??

access-list SIP permit tcp any any range 5060 5065
access-list SIP permit udp any any range 5060 5065

class-map SIP
match access-list SIP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map SIP
class SIP
set connection conn-max 6000
set connection timeout idle 0:05:00

This is the default global policy:
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect dns

FWSM# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 1232958, drop 0, reset-drop 0
Inspect: h323 h225, packet 12, drop 0, reset-drop 0
Inspect: h323 ras, packet 39043, drop 1, reset-drop 0
Inspect: netbios, packet 18570, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 242, drop 0, reset-drop 0
Inspect: sip, packet 215639, drop 3, reset-drop 0
Inspect: xdmcp, packet 10, drop 10, reset-drop 0
Inspect: dns, packet 2624017, drop 37, reset-drop 0

Interface OUTSIDE:
Service-policy: SIP
Class-map: SIP
Set connection policy: conn-max 6000
current conns 0, drop 0
Set connection timeout policy:
idle 0:05:00

Fawad

We had this problem as well. Here is the policy I put in place on an ASA running 8.4(x) (edited out some specifics though).

access-list x-sip-limit extended permit udp any any range sip 5070
access-list x-sip-limit extended permit udp any range sip 5070 any

class-map class-sip-udp
  match access-list x-sip-limit

policy-map outside_policy
  class class-sip-udp
    set connection per-client-max 1000

policy-map inside_policy
  class class-sip-udp
    set connection per-client-max 1000

service-policy global_policy global
service-policy outside_policy interface outside
service-policy inside_policy interface inside

#show service-policy

Interface outside:
  Service-policy: outside_policy
    Class-map: class-sip-udp
      Set connection policy: per-client-max 1000
        current conns 54, drop 5474250

Interface inside:
  Service-policy: inside_policy
    Class-map: class-sip-udp
      Set connection policy: per-client-max 1000
        current conns 15, drop 0

Graham
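Both `show service-policy` outputs quoted in this thread (the conn-max policy in Fawad's post and the per-client-max policy in Graham's) carry the counters an operator would watch after putting such a limit in place: the drop counter and, for conn-max, how close current conns are to the limit. The Python script below is an added example, not code from the thread or from Cisco; it parses that output layout as quoted above (an assumption about the format) and compares two samples to flag new drops and conn-max classes that are filling up. The sample outputs are constructed.

```python
import re

# Constructed sample in the layout of the `show service-policy` output quoted in the
# thread: the global inspection policy (no connection limit) then an interface policy.
SAMPLE_T0 = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: sip, packet 215639, drop 3, reset-drop 0
Interface outside:
  Service-policy: outside_policy
    Class-map: SIP
      Set connection policy: conn-max 6000
        current conns 4500, drop 0
"""
# A second constructed sample taken "later": more connections and new drops.
SAMPLE_T1 = SAMPLE_T0.replace("current conns 4500, drop 0",
                              "current conns 5900, drop 3120")

RE_SCOPE = re.compile(r"^(?:Interface (\S+):|Global policy:)")
RE_CLASS = re.compile(r"^Class-map: (\S+)")
RE_LIMIT = re.compile(r"Set connection policy: (conn-max|per-client-max) (\d+)")
RE_CONNS = re.compile(r"current conns (\d+), drop (\d+)")

def parse_service_policy(text):
    """Map (scope, class) -> limit kind, limit, current conns and drop counter."""
    stats, scope, cls = {}, "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_SCOPE.match(line):
            scope = m.group(1) or "global"
        elif m := RE_CLASS.match(line):
            cls = m.group(1)
        elif (m := RE_LIMIT.search(line)) and cls:
            stats[(scope, cls)] = {"kind": m.group(1), "limit": int(m.group(2))}
        elif (m := RE_CONNS.search(line)) and (scope, cls) in stats:
            stats[(scope, cls)].update(conns=int(m.group(1)), drops=int(m.group(2)))
    return stats

def alerts(before, after, util_pct=80):
    """Report drop-counter growth between two samples, and conn-max classes at or above
    util_pct of their limit (per-client-max has no aggregate limit, so drops only)."""
    out = []
    for key, cur in after.items():
        new_drops = cur.get("drops", 0) - before.get(key, {}).get("drops", 0)
        if new_drops > 0:
            out.append(f"{key[0]}/{key[1]}: {new_drops} new drops since last sample")
        if cur["kind"] == "conn-max" and cur.get("conns", 0) * 100 >= cur["limit"] * util_pct:
            out.append(f"{key[0]}/{key[1]}: {cur['conns']} of conn-max {cur['limit']} in use")
    return out
```

Run it against two captures taken a few minutes apart; a growing drop counter on the SIP class is the limit doing its job, while conns sitting near conn-max with no drops means the limit is about to bite legitimate calls.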
