Hi there,
One of my customers are facing a DDoS attack on their email servers. I am in charge of ASA config.
Here is what I have done so far and it was not very effective:
tcp-map LimitEmail
check-retransmission
checksum-verification
exceed-mss drop
reserved-bits drop
syn-data drop
tcp-options window-scale clear
window-variation drop-connection
class-map LimitEmail
match access-list LimitEmail
## Created the ACL accordingly ##
policy-map LimitEmail
class LimitEmail
set connection embryonic-conn-max 2 per-client-max 1 per-client-embryonic-max 1 random-sequence-number disable
set connection timeout embryonic 0:00:05 half-closed 0:05:00 tcp 0:05:00 dcd 0:00:05 5
set connection advanced-options LimitEmail
Besides this configs, threat-detection is configured as below:
threat-detection basic-threat
threat-detection scanning-threat shun except object-group dmz_net ! (dmz servers only)
threat-detection scanning-threat shun duration 2592000
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
The attack opens normal connections without a standard. This box (ASA 5520) has no modules and is running version 8.2(1). I was planning to upgrade to a newer version (8.4), however, after reading the release notes and the migration steps, the customer decided not to do so.
Do you have any other recommended action considering these resources?
PS: The border router is running BGPv4 and there is an ACL blocking some IP ranges.
Best regards,
Marcelo Pinheiro
