09-08-2013 05:52 AM - edited 03-11-2019 07:35 PM
Dear Friends,
One of the customer's ASA-5520s is getting disconnected every 3-4 hours, and I found the following outputs and errors. This ASA connects to MPLS (to access remote branches) and ADSL (for internet).
Resource         Current  Peak    Limit   Denied  Context
Syslogs [rate]   83       87470   N/A     0       System
Conns            35859    98666   280000  0       System
Xlates           266      919     N/A     0       System
Hosts            353      670     N/A     0       System
Conns [rate]     29       409     N/A     0       System
Inspects [rate]  11       57      N/A     0       System
Before the disconnection happens, I am getting the following error:
"SA-5-321001: Resource 'conns' limit of 280000 reached for system"
This looks like a DoS attack (please correct me if I am wrong). I have done the following steps to control the situation:
policy-map limit
class limit
set connection conn-max 1 embryonic-conn-max 1 per-client-max 1
set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 dcd 0:00:01
Now my observation is:
When I look at Conns, the "current" figures keep increasing, but the "peak" figure doesn't increase until "conns" reaches 98666.
I would appreciate it if anyone can tell me how to resolve this issue.
Is there any way to stop the "conns" figures from increasing?
Many thanks
09-08-2013 12:44 PM
Hello,
You are running multiple contexts, so when you do that you are sharing the entire set of resources between all of the contexts.
In this case you assign X amount of connections to that context and you have reached the limit,
so you could configure the ASA to provide more connections to that context (only if it's expected to receive that high an amount of connections).
What you have done is basically restrict the amount of connections for that context (on this one you are allowing only one connection at a time). Is that what you are looking for? Because it sounds really restrictive.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-08-2013 09:54 PM
Thank you very much for your reply. This has given me a bit of relief.
Frankly, I don't have any contexts. I do need to control the connections somehow, because they will reach the max and freeze.
1) How can I overcome this issue without restricting the connections?
2) By restricting the connections, will it badly affect the performance?
3) How do I configure more connections on the ASA? If this is allowed, will it be vulnerable to the DoS attack?
Thanks
09-09-2013 10:18 AM
1) Well, there is nothing you can do to avoid DDoS attacks unless you determine which the offending IP addresses are.
2) No, the opposite actually. You will be increasing the performance, as the ASA will not get overloaded.
3) You will need to determine what's a valid number of connections per host (let's say you have an HTTP server on the internal subnet; you might want to be less restrictive with that server than with the internal laptops).
After learning as much information about the problem as you can, you can go to the ISP side and let them know you are being attacked, so the traffic does not even get into your link and drop your bandwidth.
Let me know what you think
Man, remember to always rate my posts
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
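As an added illustration (not code from either poster), the following script parses the "show resource usage" table quoted in the first post, reports how close the connection table is to its limit, and computes the average connections per tracked host as a starting point for sizing a per-client limit that is well above normal client behaviour. The sample text is re-typed from the thread and is not live device output.

```python
import re

# Constructed sample: the "show resource usage" table quoted in the first post
# (re-typed with whitespace columns), not live output from a device.
SAMPLE_OUTPUT = """\
Resource         Current  Peak    Limit   Denied  Context
Syslogs [rate]   83       87470   N/A     0       System
Conns            35859    98666   280000  0       System
Xlates           266      919     N/A     0       System
Hosts            353      670     N/A     0       System
Conns [rate]     29       409     N/A     0       System
Inspects [rate]  11       57      N/A     0       System
"""

# One data row: name (optionally "[rate]"), four numeric columns, context.
ROW_RE = re.compile(
    r"^(?P<name>\S+(?: \[rate\])?)\s+(?P<cur>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+|N/A)\s+(?P<denied>\d+)\s+(?P<ctx>\S+)$"
)

def parse_resource_usage(text):
    """Return {resource name: {current, peak, limit, denied}}; limit is None for N/A."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m["name"]] = {
                "current": int(m["cur"]),
                "peak": int(m["peak"]),
                "limit": None if m["limit"] == "N/A" else int(m["limit"]),
                "denied": int(m["denied"]),
            }
    return rows

def assess_conns(rows, warn_pct=80.0):
    """Summarise connection-table health and give a crude per-host sizing hint."""
    conns, hosts = rows["Conns"], rows["Hosts"]
    limit = conns["limit"]
    result = {
        "current_pct": round(100.0 * conns["current"] / limit, 1),
        "peak_pct": round(100.0 * conns["peak"] / limit, 1),
        # Average connections per tracked host: a baseline for a per-client-max value.
        "avg_conns_per_host": round(conns["current"] / hosts["current"], 1),
        "alerts": [],
    }
    if result["current_pct"] >= warn_pct:
        result["alerts"].append("conns above %.0f%% of limit" % warn_pct)
    if conns["denied"] > 0:
        result["alerts"].append("conns already being denied (%d)" % conns["denied"])
    return result
```

Run it periodically against captured output and alert when the percentage climbs or the Denied column becomes non-zero, which is the condition behind the 321001 syslog quoted above.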