A couple of questions:
I want to move SYN cookie protection from ACE modules to ASA modules in a data center setup. And I want to set a max embryonic conns per server/IP behind the firewall, e.g. 512/server.
According to the ASA configuration guide 8.5, you can make and apply a service-policy, e.g. to the outside interface, with the following variables (among others):
- conn-max (0-2000000). I suppose this is an overall 'conns through the box' value?
- embryonic-conn-max n. Is n the overall embryonic 'conns through the box' value?
- per-client-embryonic-max. If clients are outside hosts accessing an inside server, it will not mitigate DDoS SYN attacks very well, will it?
Apparently none of the above settings limit embryonic conns per inside server?
On the other hand the configuration guide says:
When you use TCP SYN cookie protection to protect servers from SYN attacks, you must set the embryonic connection limit lower than the TCP SYN backlog queue on the server that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack.
And to something completely different:
In ASA software 9, clustering of the 5585-X is an option. Does it apply to the ASA modules as well (which are based on the 5585-X)?
Regards Jesper Joensen
You can protect internal servers with per-client-embryonic-max.
set connection per-client-embryonic-max 2
If you exceed the limit of 2 embryonic connections to the server on the inside, further connections will be discarded.
Aug 01 2013 09:29:21: %ASA-6-201012: Per-client embryonic connection limit exceeded 2/2 for input packet from
Agree - but you still have a problem with heavy DDoS attacks with thousands of spoofed IPs.
I ended up with this config (going into production very soon) - the embryonic-conn-max 512 is intended to trigger SYN cookies during SYN attacks:
set connection embryonic-conn-max 512 per-client-embryonic-max 5
service-policy EMBRYONIC-CONNS interface msfc
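For readers who want to see the full Modular Policy Framework context that the `set connection` line above lives in, here is an added example written for this thread; it is not configuration from either poster. The object name WEB-SERVER, the address 10.1.1.10, the port, the access-list and class-map names, and the interface name "outside" are all assumptions; the policy-map name EMBRYONIC-CONNS and the limits 512/5 are taken from the reply above.

```cisco
! Added example (not from the thread): scope the embryonic-connection limits
! to a single inside server. Object, ACL, class and interface names, and the
! server address 10.1.1.10, are assumptions for illustration.
object network WEB-SERVER
 host 10.1.1.10
!
! Only traffic destined to the protected server's service is matched.
access-list TO-WEB-SERVER extended permit tcp any object WEB-SERVER eq 80
!
class-map WEB-SERVER-CONNS
 match access-list TO-WEB-SERVER
!
policy-map EMBRYONIC-CONNS
 class WEB-SERVER-CONNS
  ! 512: total half-open connections to this class before SYN cookies engage
  !   (keep this below the server's own SYN backlog, per the config guide).
  ! 5: half-open connections allowed per source IP before further SYNs are
  !   dropped and %ASA-6-201012 is logged.
  set connection embryonic-conn-max 512 per-client-embryonic-max 5
!
! Apply on the interface where the client-side SYNs arrive.
service-policy EMBRYONIC-CONNS interface outside
```

The point this illustrates for the original question: the connection limits are not box-wide values; they apply to whatever traffic the class under the policy-map matches. Putting a class-map in front of the limits, keyed on the server's address, turns embryonic-conn-max into a per-server limit, which is the "512/server" the question asked for. A separate class (or class-default) on the same policy-map can carry different limits for other servers. To confirm the policy is active and to watch the counters during a flood, `show service-policy interface outside` reports the embryonic connection counts and drops per class.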