1458 Views | 0 Helpful | 3 Replies

ASA SYN Port scanning protection through embryonic limit setup ?

davcommunay (Level 1)

Dear All,

After reading the following link:

http://www.mail-archive.com/ccie_security@onlinestudylist.com/msg09073.html

I discovered that it would be possible to be protected from portscans, I mean when someone scans our network/host from outside, the attacker will see all the 65535 ports as "open" (in that way it will be more difficult for an attacker to perform customized attacks...)

So I have followed the setup in that link:

policy-map global_policy
 class class-default
  set connection embryonic-conn-max 15 per-client-embryonic-max 3

service-policy global_policy global

The problem is that I don't have the expected result...

If I do a portscan over the Internet from an external host to my hosts, the portscan works successfully and I can view my open ports...

I have also tried to set this through a "match" in an access-list but without any success...

Maybe some of you have experimented with this before?

Best regards,

3 Replies

haivrajesh (Level 1)

Hi,

Enable uRPF; that will be useful for you.

Rajeswar.

Dear Rajeswar,

Thank you for this answer, but it seems that uRPF does not fulfil exactly what I wanted to do...

(flood the attacker with fake response)

So my question regarding embryonic connection limitation still exist.

David

Hi David,

Even if you have an embryonic limit set, it does not imply that the ASA will allow a maximum of 15 connections and deny any further connections to the hosts specified by the class-map. Please read the below page for details on what the ASA exactly does using TCP intercept:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

It will mainly be useful in protecting against DoS attacks to your servers where connections are originated from spoofed source IP addresses. I hope that answers your question about embryonic connection limits.

I am still not sure what exactly you are trying to achieve by way of this? Please clarify it for us.

Regards,

Prapanch
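The behaviour Prapanch describes above, as an added model (an editor's example, not code from the thread, from Cisco, or from the linked mail-archive post): once the embryonic limit is reached the ASA does not deny the next SYN, it answers it with a SYN-ACK itself and only contacts the server after the client finishes the handshake. The script pairs that model with a SYN scanner that classifies ports the way a SYN scan does (SYN-ACK means open, RST means closed) and sends a RST for every SYN-ACK, as nmap -sS does. The batch size `in_flight`, the server with ports 22 and 80 open, the 100-port range and the 198.51.100.7 scanner address are all constructed for the example; the per-client-embryonic-max knob from David's config is not modelled. What the model shows is that the scan is only "fooled" for the SYNs that arrive while at least `embryonic_max` flows are still half-open, which depends on how many probes the scanner keeps outstanding at once.

```python
"""Added model of ASA TCP intercept versus a SYN scan (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class TcpIntercept:
    """Model of one class with 'set connection embryonic-conn-max N'.

    While fewer than embryonic_max half-open connections exist, every SYN is
    forwarded and the protected server answers for itself.  Once the limit is
    reached the ASA answers further SYNs with a SYN-ACK itself (TCP intercept)
    and only contacts the server after the client completes the handshake.
    Nothing is denied outright.  per-client-embryonic-max is not modelled.
    """
    embryonic_max: int
    server_open_ports: frozenset
    # (client, dport) -> "forwarded" | "intercepted"; one entry per half-open flow
    embryonic: dict = field(default_factory=dict)

    def syn(self, client, dport):
        """Record a new half-open flow and decide whether the ASA proxies it."""
        key = (client, dport)
        mode = "intercepted" if len(self.embryonic) >= self.embryonic_max else "forwarded"
        self.embryonic[key] = mode
        return key

    def reply_for(self, key):
        """Segment the client receives in answer to its SYN."""
        _, dport = key
        if self.embryonic[key] == "intercepted":
            return "SYN-ACK"            # ASA answers whether or not the port is open
        if dport in self.server_open_ports:
            return "SYN-ACK"            # the real server answered
        del self.embryonic[key]         # server RST tears the half-open entry down
        return "RST"

    def rst(self, key):
        """Client RST (what nmap -sS sends on a SYN-ACK) closes the half-open entry."""
        self.embryonic.pop(key, None)


def syn_scan(fw, client, ports, in_flight):
    """Classify ports the way a SYN scan does: SYN-ACK -> open, RST -> closed.

    The scanner sends `in_flight` SYNs before reading any reply, then answers
    every SYN-ACK with a RST, so all entries are gone before the next batch.
    """
    result = {}
    for start in range(0, len(ports), in_flight):
        batch = ports[start:start + in_flight]
        keys = [fw.syn(client, p) for p in batch]
        for port, key in zip(batch, keys):
            reply = fw.reply_for(key)
            result[port] = "open" if reply == "SYN-ACK" else "closed"
            if reply == "SYN-ACK":
                fw.rst(key)
    return result


# Constructed sample: one server with two open ports, 100 ports scanned,
# and the limit of 15 from the thread.
SERVER_OPEN_PORTS = frozenset({22, 80})
SCANNED_PORTS = list(range(1, 101))
SCANNER = "198.51.100.7"   # documentation-range address, not a real host


def ports_reported_open(in_flight, embryonic_max=15):
    """Ports a scanner with `in_flight` outstanding probes would report as open."""
    fw = TcpIntercept(embryonic_max, SERVER_OPEN_PORTS)
    seen = syn_scan(fw, SCANNER, SCANNED_PORTS, in_flight)
    return sorted(p for p, state in seen.items() if state == "open")


if __name__ == "__main__":
    print("10 probes in flight:", ports_reported_open(10))
    print("50 probes in flight:", len(ports_reported_open(50)), "ports look open")
```

With 10 or 15 probes outstanding the count never reaches the limit, every SYN is forwarded and the scan reports exactly ports 22 and 80; with 50 outstanding, the first 15 of each batch are answered truthfully and the remaining 35 all look open, so 70 of the 100 ports are reported open. The real ASA also only intercepts SYNs that the interface ACL already permits, so ports blocked by the ACL still show as filtered rather than open; the model leaves the ACL out.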
