12-23-2010 07:05 AM - edited 03-11-2019 12:27 PM
I've got a 5510 that is reaching the 130,000 max concurrent connections limit and shutting down access to any traffic trying to traverse the firewall. I've isolated it down to a third-party company we use to send out broadcast marketing e-mails. We are sending roughly 30,000 to 75,000 e-mails with this provider. Whenever they send out the e-mails, my DNS servers are inundated with DNS queries and subsequently max out the firewall connections. What is strange is that if I send out 75,000 e-mails and each e-mail went to a unique MTA, then I would expect to see 75,000 DNS requests to our servers for SPF records. Somehow I'm seeing much more. Our normal connection count is between 7,000 and 11,000 concurrent connections. This basically presents itself as a distributed denial of service attack on our DNS servers.
I could limit the number of connections to our DNS servers but I'm worried that I might starve legitimate requests once the connection limit has been met. Does anyone have any ideas how I can prevent the max concurrent connection limit from being met?
Thanks for any help you can provide
12-23-2010 08:30 AM
Hi Pete,
You can try using the per-client-max connection limits for your DNS servers if some hosts are creating many connections. However, if it's a large burst of traffic from many different IPs that each only open a small handful of connections, this probably won't help much. For that case, you'll need to limit these connections somewhere farther upstream from the ASA.
Here is the command reference for 'set connection per-client-max':
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045
! ACL that selects traffic to the DNS server (the host address was cut off in the original post)
access-list limit_dns permit ip any host
! Class map that matches the ACL above
class-map limit_dns_class
match access-list limit_dns
! Policy map: cap connections per client IP for that class
policy-map limit_dns_policy
class limit_dns_class
set connection per-client-max 5
! Apply the policy on the interface where the DNS queries arrive
service-policy limit_dns_policy interface outside
Hope that helps.
-Mike
12-23-2010 09:01 AM
Thanks for the reply, Mike. I'm beginning to think that my DNS servers are being overloaded and not answering all query requests. If that is the case, then perhaps the device that didn't get its query answered would send another request and possibly take up another firewall connection.
If I want to limit connections from any device to my specific DNS server, would I use an ACL like "access-list LimitConnectionsToDNS extended permit ip any host 1.1.1.1" and then set the max connections tied to this list? Basically I want to limit, let's say, 50,000 connections to a single DNS server and then have 80,000 available for other traffic, because my DNS server is not allowed to use more than 50,000. DNS requests will just have to wait until connections to the DNS server drop below 50k.
What do you think?
12-23-2010 09:50 AM
Hi Pete,
In that case, you can use the same config example I provided in my last post but change the 'per-client-max 5' to 'conn-max 50000'. This will limit the number of established connections to the server referenced in the ACL to 50,000. Give it a try and let us know how it goes.
Hope that helps.
-Mike
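Mike's two answers hinge on a question the thread never settles: is the burst a few source IPs opening many connections each (where per-client-max helps) or many IPs opening a handful each (where only an aggregate conn-max or an upstream control helps)? Pete also suspects that unanswered queries are being retransmitted and each retry consumes another firewall connection. The script below is an added example, not part of the original thread, that answers both questions from the resolver's own query log. It assumes a BIND-style query-log line format ("client IP#port: query: NAME IN TYPE"); the log lines and the RFC 5737 addresses are constructed for the example, and parse_line() would need adjusting for a different resolver's format.

```python
import re
from collections import Counter

# Constructed sample in an assumed BIND-style query-log format; the
# addresses are RFC 5737 documentation ranges, not traffic from the thread.
# The last line is a notify, not a query, and must be skipped by the parser.
SAMPLE_LOG = """\
23-Dec-2010 09:00:01.001 client 198.51.100.10#40001: query: example.com IN TXT
23-Dec-2010 09:00:01.002 client 198.51.100.11#40002: query: example.com IN TXT
23-Dec-2010 09:00:01.003 client 198.51.100.12#40003: query: example.com IN TXT
23-Dec-2010 09:00:01.004 client 203.0.113.5#53001: query: example.com IN TXT
23-Dec-2010 09:00:03.010 client 198.51.100.10#40010: query: example.com IN TXT
23-Dec-2010 09:00:03.011 client 203.0.113.5#53002: query: example.com IN TXT
23-Dec-2010 09:00:03.012 client 203.0.113.6#53003: query: example.com IN TXT
23-Dec-2010 09:00:05.020 client 198.51.100.10#40011: query: example.com IN TXT
23-Dec-2010 09:00:05.021 client 192.0.2.44#5353: query: mail.example.com IN A
23-Dec-2010 09:00:05.022 client 198.51.100.10#40012: query: mail.example.com IN MX
23-Dec-2010 09:00:09.000 client 192.0.2.9#1024: notify: example.com IN SOA
"""

QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (src_ip, qname, qtype) for a query line, or None for anything else."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("qname").lower(), m.group("qtype").upper()


def parse_log(text):
    """Parse a whole log, skipping lines that are not queries (notifies, garbage)."""
    return [q for q in (parse_line(l) for l in text.splitlines()) if q]


def summarize(queries):
    """Per-source concentration plus an estimate of retransmitted queries.

    A repeat is the same (source, name, type) tuple seen again; on a resolver
    that is answering promptly a client should not need to ask twice, so a
    high repeat fraction is consistent with clients retrying unanswered queries.
    """
    per_client = Counter(src for src, _, _ in queries)
    seen, repeats = set(), 0
    for q in queries:
        if q in seen:
            repeats += 1
        else:
            seen.add(q)
    total = len(queries)
    return {
        "total_queries": total,
        "unique_clients": len(per_client),
        "max_per_client": max(per_client.values(), default=0),
        "top_clients": per_client.most_common(3),
        "repeat_queries": repeats,
        "repeat_fraction": repeats / total if total else 0.0,
    }


def suggest_limit(summary, per_client_max=5):
    """Which of Mike's two knobs the data supports.

    If at least one source exceeds the per-client cap, 'per-client-max' will
    actually bite; otherwise the burst is spread across many sources and only
    an aggregate 'conn-max' on the DNS server class (or an upstream control)
    changes anything. The default cap of 5 matches Mike's example.
    """
    if summary["max_per_client"] > per_client_max:
        return "per-client-max"
    return "conn-max"


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for k, v in s.items():
        print(f"{k}: {v}")
    print("suggested limit:", suggest_limit(s))
```

Run it against the real query log from one of the mailing bursts rather than the constructed sample. A large unique_clients count with a small max_per_client is the "many IPs, a handful each" case Mike warns per-client-max will not help with; a large repeat_fraction supports Pete's theory that dropped answers are turning one lookup into several firewall connections, in which case resolver capacity, not just the ASA limit, is the thing to fix.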