12-27-2013 02:23 AM - edited 03-11-2019 08:22 PM
Hello,
Is it possible to limit the number of connections per second on an ASA 5520 8.2(5) (with IPS module) in a way where it will not drop connections beyond a certain threshold, but instead redirects the rate-limited connections to an Apache virtual host that returns HTTP 503 and a diagnostic message? (With a DNAT rule for the redirection, for example.)
I know this is achievable with iptables, but we don't want to implement any extra Linux firewalls.
On Linux this would be something like:
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit-name HTTPS \
--hashlimit 600/minute --hashlimit-htable-expire 300000 --hashlimit-burst 600 --hashlimit-mode srcip -j ACCEPT
Kind regards
Mariusz
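For reference, here is the Linux side of the question carried through to a complete rule set. This is an added example, not code from the thread or from Cisco: it takes the hashlimit rule above (written with --hashlimit-upto, the current spelling of --hashlimit; 600/minute with burst 600 is a token bucket that refills at 10 connections per second and holds at most 600 tokens per source) and adds the part the post leaves out, the DNAT of over-limit connections to an Apache "sorry" vhost that answers 503. The interface name, addresses, port, certificate paths and hostname are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limit for new HTTPS
# connections, with the excess DNATed to a "sorry" Apache vhost returning 503.
# Interface, addresses, ports and paths below are assumptions, not real values.
set -eu

IPT="${IPT:-iptables}"                  # set IPT=echo to print the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"                # assumed interface the clients arrive on
SORRY_HOST="${SORRY_HOST:-192.0.2.10}"  # assumed address of the Apache "sorry" vhost
SORRY_PORT="${SORRY_PORT:-8443}"
RATE="${RATE:-600/minute}"              # steady-state refill: 10 new connections/second
BURST="${BURST:-600}"                   # bucket size: up to 600 new connections at once

# The nat table only sees the first packet of each connection, so hashlimit
# placed here counts new connections per source IP rather than every packet.
install_rules() {
    "$IPT" -t nat -N HTTPS_LIMIT 2>/dev/null || "$IPT" -t nat -F HTTPS_LIMIT
    # Under the limit: RETURN leaves the packet un-NATed, so it reaches the real server.
    "$IPT" -t nat -A HTTPS_LIMIT -m hashlimit --hashlimit-name HTTPS \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j RETURN
    # Over the limit: rewrite the destination to the sorry vhost instead of dropping.
    "$IPT" -t nat -A HTTPS_LIMIT -j DNAT --to-destination "$SORRY_HOST:$SORRY_PORT"
    # Hook the chain in for new TCP/443 connections arriving on the outside interface.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 443 --syn -j HTTPS_LIMIT
    # Let the redirected connections through the filter table.
    "$IPT" -A FORWARD -p tcp -d "$SORRY_HOST" --dport "$SORRY_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Apache vhost that turns every request into a 503 with a static diagnostic
# page and a Retry-After hint. It must present the same certificate as the
# real site, because the client still believes it is talking to that hostname.
sorry_vhost_conf() {
    cat <<'EOF'
<VirtualHost *:8443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/sorry
    ErrorDocument 503 /sorry.html
    Header always set Retry-After "60"
    RewriteEngine On
    # Serve the diagnostic page itself; every other request becomes a 503.
    RewriteCond %{REQUEST_URI} !^/sorry\.html$
    RewriteRule ^ - [R=503,L]
</VirtualHost>
EOF
}

case "${1:-}" in
    apply) install_rules ;;                # needs root and iptables
    vhost) sorry_vhost_conf ;;             # print the Apache vhost to paste into httpd.conf
    *)     IPT=echo; install_rules ;;      # dry run: show the rules that would be applied
esac
```

Run it with no argument to see the rules, with "apply" to install them, and with "vhost" to print the Apache configuration. Two caveats a practitioner should check before relying on this: the sorry host's return traffic must pass back through the same box for the DNAT to be undone (put the sorry vhost on the firewall itself and use -j REDIRECT --to-ports 8443 if that is simpler), and the 503 vhost has to hold a certificate valid for the real site's name, since the TLS handshake happens after the redirect.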
12-29-2013 01:22 PM
Unfortunately no.
The firewall can perform this, but not complying with all the requirements. The IPS can do most of the stuff, but it would need to log in to a switch or a router to do the rate limiting. The HTTP 503, I don't know any way to do this.
The IPS can log in to the following devices to apply rate limiting:
Cisco series routers using Cisco IOS 12.3 or later:
–Cisco 1700 series router
–Cisco 2500 series router
–Cisco 2600 series router
–Cisco 2800 series router
–Cisco 3600 series router
–Cisco 3800 series router
–Cisco 7200 series router
–Cisco 7500 series router
Check the following doc:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html#wp1063666
Mike
12-30-2013 02:36 AM
Hi Mike,
Many thanks for replying.
Based on the doc, this will work with the ASA, but with the shun command only, which will block the host completely.
I thought this was not going to be possible, but it is good to double-check here.
Regards
Mariusz
12-30-2013 09:07 AM
Forgot to add that in my reply. Yes, the ASA only supports blocking. It is not able to perform rate limiting. Just the routers above.
Mike