09-13-2007 11:11 PM - edited 03-11-2019 04:11 AM
We have a Cisco PIX 515E with pix ver. 6.3(4). We are receiving continuous SYN packets for one specific server. Can we control this attack by PIX 515E appliance. Pl advise how to do this if possible by PIX 515E.
Thanks in advance.
Regards,
Raghavan
09-14-2007 12:54 AM
Hi
Well, since to my knowledge you can't use TCP normalization in the 6.3 version, you are pretty much left with using the PIX's IDS function.
try this:
ip audit name PIX-IDS attack action reset
ip audit interface outside PIX-IDS
ip audit attack action reset
Note that you might need to disable some signatures depending on your network; you can do that with this command:
ip audit signature <signature_number> disable
Look up the signatures here:
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808b4d46.html
Hope this helps you. If you use the 7.x version, let me know; then I can help you with a better config for normalisation of the TCP SYN flood.
Regards//Michel
09-14-2007 05:47 AM
I thought the PIX only supported a limited set of IDS signatures and SYN attacks weren't one of them:
PIX# sh ip audit count
Signature Global
1000 I Bad IP Options List 0
1001 I Record Packet Route 0
1002 I Timestamp 0
1003 I Provide s,c,h,tcc 0
1004 I Loose Source Route 0
1005 I SATNET ID 0
1006 I Strict Source Route 0
1100 A IP Fragment Attack 0
1102 A Impossible IP Packet 0
1103 A IP Teardrop 0
2000 I ICMP Echo Reply 0
2001 I ICMP Unreachable 0
2002 I ICMP Source Quench 0
2003 I ICMP Redirect 0
2004 I ICMP Echo Request 0
2005 I ICMP Time Exceed 0
2006 I ICMP Parameter Problem 0
2007 I ICMP Time Request 0
2008 I ICMP Time Reply 0
2009 I ICMP Info Request 0
2010 I ICMP Info Reply 0
2011 I ICMP Address Mask Request 0
2012 I ICMP Address Mask Reply 0
2150 A Fragmented ICMP 0
2151 A Large ICMP 0
2154 A Ping of Death 0
3040 A TCP No Flags 0
3041 A TCP SYN & FIN Flags Only 0
3042 A TCP FIN Flag Only 0
3153 A FTP Improper Address 0
3154 A FTP Improper Port 0
4050 A Bomb 0
4051 A Snork 0
4052 A Chargen 0
6050 I DNS Host Info 0
6051 I DNS Zone Xfer 0
6052 I DNS Zone Xfer High Port 0
6053 I DNS All Records 0
6100 I RPC Port Registration 0
6101 I RPC Port Unregistration 0
6102 I RPC Dump 0
6103 A Proxied RPC 0
6150 I ypserv Portmap Request 0
6151 I ypbind Portmap Request 0
6152 I yppasswdd Portmap Request 0
6153 I ypupdated Portmap Request 0
6154 I ypxfrd Portmap Request 0
6155 I mountd Portmap Request 0
6175 I rexd Portmap Request 0
6180 I rexd Attempt 0
6190 A statd Buffer Overflow 0
Signature 3050 on the IPS is the signature for SYN attacks, but this is clearly not listed above.
09-14-2007 09:17 AM
:)
Oops, correct, it supports only a limited set of signatures; I took it for granted that SYN attacks were one of them.
I will see if I can find something out for you ;)
Regards//Michel
09-14-2007 08:29 AM
What you can do to "conserve" the host being attacked is to use the embryonic connection options in the static command.
You probably have a static configured for that host.
Check the static command in the manual:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694
09-14-2007 09:26 AM
Didn't think of that one! :)
Also you can limit the embryonic connections in the nat command!
Example to limit embryonic sessions to 50:
nat (inside) 1 access-list Nat-List 0 50
on the static command:
static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy 0 50
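What the trailing "0 50" on the static and nat commands above actually buys you, as an added simulation that is not Cisco code and not from any post in this thread: it models a firewall that counts half-open (embryonic) TCP connections towards one protected host and stops forwarding new SYNs once the count reaches emb_limit (0 meaning unlimited, as in the PIX syntax). The assumptions are mine: a client ACK completes the handshake and moves the flow out of the half-open table, entries that never complete age out after a fixed TIMEOUT, and whether the real PIX drops or intercepts SYNs past the limit is not modelled, only the count. The hostnames, ports and flood size are constructed sample input.

```python
"""Simulation of the embryonic (half-open) TCP connection limit.

Added example, not Cisco code. Models the emb_limit argument of the PIX
'static' / 'nat' commands: once emb_limit half-open connections exist
towards the protected host, further SYNs are not forwarded to it.
Assumed here: 0 means unlimited, an ACK completes the handshake, and
half-open entries expire after TIMEOUT seconds.
"""

TIMEOUT = 30.0  # assumed lifetime of a half-open entry, in seconds


class EmbryonicLimiter:
    """Tracks half-open and established flows towards one protected host."""

    def __init__(self, max_conns=0, emb_limit=0):
        self.max_conns = max_conns      # 0 means unlimited, as on the PIX
        self.emb_limit = emb_limit      # 0 means unlimited, as on the PIX
        self.half_open = {}             # (src_ip, src_port) -> time of SYN
        self.established = set()
        self.forwarded = 0
        self.refused = 0
        self.peak_half_open = 0

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t > TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def syn(self, src_ip, src_port, now):
        """Return True if this SYN is forwarded to the protected host."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.half_open or key in self.established:
            return True                 # retransmission of a tracked flow
        total = len(self.half_open) + len(self.established)
        if self.emb_limit and len(self.half_open) >= self.emb_limit:
            self.refused += 1           # embryonic limit reached
            return False
        if self.max_conns and total >= self.max_conns:
            self.refused += 1           # overall connection limit reached
            return False
        self.half_open[key] = now
        self.forwarded += 1
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        return True

    def ack(self, src_ip, src_port):
        """Third packet of the handshake: the flow is no longer embryonic."""
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def simulate_syn_flood(emb_limit, flood_size=500):
    """Constructed scenario: a spoofed flood, then one legitimate client.

    Returns counters so the limited and unlimited cases can be compared.
    """
    fw = EmbryonicLimiter(max_conns=0, emb_limit=emb_limit)

    # t=0: flood_size SYNs from spoofed sources that never ACK (constructed).
    for i in range(flood_size):
        fw.syn("spoofed-%d" % i, 40000, now=0.0)

    # t=1: a real client tries while the flood entries are still young.
    legit_during_flood = fw.syn("192.0.2.10", 50000, now=1.0)

    # t=TIMEOUT+1: the stale half-open entries have aged out.
    legit_after_timeout = fw.syn("192.0.2.10", 50000, now=TIMEOUT + 1.0)
    fw.ack("192.0.2.10", 50000)

    return {
        "peak_half_open": fw.peak_half_open,
        "forwarded": fw.forwarded,
        "refused": fw.refused,
        "legit_during_flood": legit_during_flood,
        "legit_after_timeout": legit_after_timeout,
        "established": len(fw.established),
    }


if __name__ == "__main__":
    for limit in (0, 50):
        print("emb_limit=%d:" % limit, simulate_syn_flood(limit))
```

With emb_limit=50 the protected host never sees more than 50 half-open connections from the 500-packet flood, but the legitimate client is refused too until the stale entries age out; with emb_limit=0 everything is forwarded and the host is left holding all 501 half-open connections itself. That is the trade-off to keep in mind when picking the number: set it above the host's normal half-open count under real load, or the limit will shed legitimate clients during the attack rather than just the spoofed SYNs.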