12-06-2012 01:49 AM - edited 03-11-2019 05:33 PM
Hi,
A couple of questions:
I want to move syn cookie protection from ACE-modules to ASA modules in a data center setup. And I want to set a max embryonic conns per server/IP behind the firewall f.ex 512/server
Acc to the ASA conf.guide 8.5 you can make and apply a service-policy f.ex to the outside interface with the following variables (among others):
- conn-max (0-2000000). I suppose this is an overall 'conns through the box' value ?
- embryonic-conn-max n. Is n the overall embryonic 'conns through the box' value ?
- per-client-embryonic-max If clients are outside-hosts accessing an inside-server, it will not mitigate dDoS syn-attacks very well, will it ?
Apparently none of the above settings limit embryonic conns per inside server ?
On the other hand the configuration guide says:
When you use TCP SYN cookie protection to protect servers from SYN attacks, you must set the embryonic connection limit lower than the TCP SYN backlog queue on the server that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack.
??
And to something completely different:
In 9 ASA software clustering of 5585-x is an option. Does it apply to the ASA modules as well, (which are based on the 5585-x) ?
Thanks
Regards Jesper Joensen
07-27-2013 09:26 AM
Hello Jesper,
ASA-SM does not support clustering (not to confuse with failover).
Thanks
Iyer
07-29-2013 12:29 AM
Hello Iyer
Thanks for your answer, which I also learned on a Cisco Tech update some time ago.
No hints on the syn-cookie questions ? ;-)
Thank you
Jesper
07-31-2013 09:03 PM
Jesper,
You can protect internal servers with per-client-embryonic-max.
class-map embr
 match any
policy-map global_policy
 class embr
  set connection per-client-embryonic-max 2
If you exceed the limit of 2 embryonic connections to the server on inside, further connections will be discarded.
Aug 01 2013 09:29:21: %ASA-6-201012: Per-client embryonic connection limit exceeded 2/2 for input packet from
07-31-2013 11:19 PM
Iyer
Agree - but you still have a problem with heavy dDoS attacks with thousands of spoofed IPs.
I ended up with this config (going into production very soon) - the embryonic-conn-max 512 is intended to trigger syn-cookies during syn-attacks:
class-map EMBRYONIC-CONNS
 match any
!
policy-map EMBRYONIC-CONNS
 class EMBRYONIC-CONNS
  set connection embryonic-conn-max 512 per-client-embryonic-max 5
!
service-policy EMBRYONIC-CONNS interface msfc
Thanks
Jesper
08-01-2013 01:14 AM
Configuration looks good. You might want to tweak & tune limit of 512 based on your network traffic profile.
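Added example (not part of the thread, and not Cisco code): a small Python parser that reads %ASA-6-201012 syslog lines like the one Iyer quoted and, per protected server, counts how many distinct source addresses tripped the per-client limit. That distinction is the point Jesper raises: a handful of events from one source means per-client-embryonic-max is doing its job, while the same limit firing across many different sources looks like the spoofed-source flood that only the class-wide embryonic-conn-max (and the SYN cookies it triggers) can absorb. The message prefix is the one shown in the thread; the "from src/port to dst/port on interface name" tail, the sample addresses and the unrelated message line are constructed for this example and are assumptions, not taken from the page.

```python
import re
from collections import defaultdict

# Prefix as quoted in the thread. The "from SRC/PORT to DST/PORT on interface NAME"
# tail is an ASSUMED layout for the constructed samples below, not quoted from the page.
EVENT_RE = re.compile(
    r"%ASA-6-201012: Per-client embryonic connection limit exceeded "
    r"(?P<count>\d+)/(?P<limit>\d+) for input packet from "
    r"(?P<src>[0-9.]+)/(?P<sport>\d+) to (?P<dst>[0-9.]+)/(?P<dport>\d+)"
    r"(?: on interface (?P<ifname>\S+))?"
)

# Constructed sample syslog: four different sources hit 10.10.10.5:80,
# one source hits 10.10.10.6:443 three times, plus one unrelated line.
SAMPLE_LOG = """\
Aug 01 2013 09:29:21: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 198.51.100.7/40001 to 10.10.10.5/80 on interface outside
Aug 01 2013 09:29:21: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 198.51.100.8/40002 to 10.10.10.5/80 on interface outside
Aug 01 2013 09:29:22: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 198.51.100.9/40003 to 10.10.10.5/80 on interface outside
Aug 01 2013 09:29:22: %ASA-6-999999: unrelated message (constructed placeholder)
Aug 01 2013 09:29:22: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 198.51.100.10/40004 to 10.10.10.5/80 on interface outside
Aug 01 2013 09:29:23: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 203.0.113.4/50001 to 10.10.10.6/443 on interface outside
Aug 01 2013 09:29:23: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 203.0.113.4/50002 to 10.10.10.6/443 on interface outside
Aug 01 2013 09:29:24: %ASA-6-201012: Per-client embryonic connection limit exceeded 5/5 for input packet from 203.0.113.4/50003 to 10.10.10.6/443 on interface outside
"""


def parse_line(line):
    """Return the fields of a 201012 event, or None for any other line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "count": int(d["count"]),
        "limit": int(d["limit"]),
        "ifname": d["ifname"],
    }


def summarize(lines):
    """Per (server, port): number of limit-exceeded events and distinct sources."""
    per_server = defaultdict(lambda: {"events": 0, "sources": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["dst"], ev["dport"])
        per_server[key]["events"] += 1
        per_server[key]["sources"].add(ev["src"])
    return {
        k: {"events": v["events"], "distinct_sources": len(v["sources"])}
        for k, v in per_server.items()
    }


def classify(summary, many_sources=3):
    """'single-source': per-client limit is containing one noisy client.
    'distributed': many sources trip the limit; the per-client value alone will
    not hold, the class-wide embryonic-conn-max / SYN cookies must carry it."""
    return {
        k: ("distributed" if v["distinct_sources"] >= many_sources else "single-source")
        for k, v in summary.items()
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for server, verdict in classify(summary).items():
        print(server, summary[server], verdict)
```

Feed it a real syslog export instead of SAMPLE_LOG; if your ASA's 201012 tail differs from the assumed layout, only EVENT_RE needs adjusting. The many_sources threshold is deliberately low for the sample; in production, set it from the traffic profile, the same way Iyer suggests tuning the 512 value.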