ASA/PIX DoS Mitigation

jon.humphries
Level 1

Hi All,

I have the following scenario:

Hacker or virus ---> ASA/PIX MPF ---> Router or Device endpoint

I use syslog traffic in this example, but I have done it with ICMP, telnet, etc. The idea is to drop the traffic based upon the class-map.

class-map hack
 match port udp eq 514
policy-map inside
 class hack
  set connection conn-max 1
  police input 8000 conform-action drop exceed-action drop
service-policy inside interface inside

I'm getting matches against the service-policy but the traffic doesn't drop ...

Interface inside:
  Service-policy: inside
    Class-map: syslog
      Set connection policy: conn-max 1
        current conns 1, drop 0
      Input police Interface inside:
        cir 8000 bps, bc 1500 bytes
        conformed 3 packets, 375 bytes; actions: drop
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 80 bps, exceed 0 bps

2 Replies

vvarakan
Level 1

Your current connection count is only 1, so you will not see any drops.

Hi,

It looks like my issue was that the CIR police mechanism is there for rate limiting as opposed to dropping the connection.

I misunderstood the functionality of this feature.

Many thanks for your input.

Jon Humphries
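Worked configuration illustrating the resolution of this thread. This is an added example, not configuration posted by either participant: it contrasts an interface ACL (what you use when the goal is to drop a class of traffic outright) with an MPF police action (which rate-limits, as the thread concludes) and a connection limit (which only drops once the limit is exceeded, as vvarakan notes). The ACL and policy names, the host addresses and the 8000 bps / 1500 byte / conn-max values are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
!
! 1) Drop a class of traffic outright: use an interface ACL, not MPF police.
!    Allow syslog (UDP/514) only from the trusted sender 10.1.1.10 to the
!    collector 192.168.10.5; deny syslog to the collector from anything else;
!    leave all other traffic permitted (the ASA has an implicit deny at the end).
access-list INSIDE_IN extended permit udp host 10.1.1.10 host 192.168.10.5 eq 514
access-list INSIDE_IN extended deny udp any host 192.168.10.5 eq 514
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 2) Rate-limit rather than block: police keeps traffic within the CIR and
!    drops only what exceeds it. conform-action must be transmit for the
!    traffic you intend to keep; conform-action drop would discard the
!    in-rate packets too. conn-max bounds the total UDP/514 "connections"
!    through the class, and per-client-max bounds them per source host;
!    drops appear only after those counts are reached.
class-map SYSLOG
 match port udp eq 514
policy-map INSIDE_POLICY
 class SYSLOG
  police input 8000 1500 conform-action transmit exceed-action drop
  set connection conn-max 100 per-client-max 5
service-policy INSIDE_POLICY interface inside
!
! Verification: ACL hit counts show the blocked flows; in the service-policy
! output the "exceeded" counter (not "conformed") reflects rate-limit drops,
! and "drop" under the connection policy reflects conn-max/per-client-max.
show access-list INSIDE_IN
show service-policy interface inside
```

Only one of the two approaches is usually needed for a given flow; the point of showing both is that the ACL is the drop mechanism, while police and set connection shape how much of the permitted traffic gets through.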
