Phil Williamson
Beginner

Suspected DDoS SYN-Flood attack

ASA5520 v8.3(2) OS

I'm seeing connection bursts every 2 minutes to my internal SSH server

Conns during that time peak at > 1500/sec - normal is 100/sec

Inbound bandwidth usage goes from 4Mbit/sec to > 30Mbit/sec

CPU usage spikes above 60%

When I do a "show conn" the outstanding type looks like:

TCP outside AA.BB.CC.DD:11510 inside XXX.YYY.XXX.ZZZ:22, idle 0:00:00, bytes 0, flags aB

Note the 'bytes 0, flags aB'

What do I need to do to mitigate this?  I don't have an AIP-SSC in the 5520.

Thx

5 Replies
mvsheik123
Rising star

Hi,

On ASA access rules, SSH is opened for the inside server from outside IPs? If so, is it restricted?

Please see the below link that might provide some helpful information.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

hth

MS

Yes, this is an unrestricted server.

I've tried the code in that link previously, and it does not seem to make any difference.

Thoughts?

Thx

PW

Nope...;-) but I would move the server to the DMZ, if possible. Also try clearing the xlate for the server and see if that helps anything.

Thx

MS

It is basically in a DMZ since it's the only server behind the ASA.

Can't clear xlates - it would bring down 2K+ legit connections.

I did make a few changes to the code in your link:

!
class-map TCP_SYN
  match port tcp eq ssh
!
policy-map TCPMAP
  class TCP_SYN
    set connection conn-max 10000 embryonic-conn-max 200 per-client-max 25 per-client-embryonic-max 5
    set connection timeout half-closed 0:05:00 idle 1:00:00
!
service-policy TCPMAP interface outside
!

Questions:

Is the conn-max the # of conns allowed to my internal server or from any one external source?  Maybe I have this set too high?

Ditto for embryonic-conn-max, per-client-max and per-client-embryonic-max?

Thx

Hi,

The conn max # and per-client max # totally depend on your infra requirements and how many the server can support (not sure if there is any such restriction on the server end). But I wouldn't allow any client to open more than 5 max connections, and simultaneous conn max # 100-200. In other words, always start from a low number, and if there are any connectivity issues you can increase at any time.

hth

MS
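As an added illustration of the two posts above (the per-client-embryonic-max / embryonic-conn-max settings and the "bytes 0, flags aB" entries), here is a small script that parses "show conn" output and counts half-open connections per source against those limits. It is not from the thread or from Cisco; the sample lines and addresses are constructed placeholders, and it reads the 'a' flag as "awaiting outside ACK to SYN" per the ASA conn flag legend.

```python
import re
from collections import defaultdict

# Constructed sample of ASA "show conn" output (placeholder addresses, not
# from the original thread). 'bytes 0, flags aB' lines are half-open SYNs
# from outside, the pattern described in the post.
SAMPLE_SHOW_CONN = """\
TCP outside 198.51.100.7:11510 inside 10.0.0.22:22, idle 0:00:00, bytes 0, flags aB
TCP outside 198.51.100.7:11511 inside 10.0.0.22:22, idle 0:00:00, bytes 0, flags aB
TCP outside 198.51.100.7:11512 inside 10.0.0.22:22, idle 0:00:00, bytes 0, flags aB
TCP outside 198.51.100.7:11513 inside 10.0.0.22:22, idle 0:00:01, bytes 0, flags aB
TCP outside 198.51.100.7:11514 inside 10.0.0.22:22, idle 0:00:01, bytes 0, flags aB
TCP outside 198.51.100.7:11515 inside 10.0.0.22:22, idle 0:00:01, bytes 0, flags aB
TCP outside 203.0.113.5:40122 inside 10.0.0.22:22, idle 0:00:03, bytes 4812, flags UIOB
TCP outside 203.0.113.9:50001 inside 10.0.0.22:22, idle 0:00:00, bytes 0, flags aB
"""

CONN_RE = re.compile(
    r"^TCP outside (?P<src>[\d.]+):(?P<sport>\d+) inside (?P<dst>[\d.]+):(?P<dport>\d+),"
    r" idle (?P<idle>[\d:]+), bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

def is_embryonic(flags, nbytes):
    # 'a' = awaiting outside ACK to SYN; with no payload bytes this is a
    # half-open (embryonic) connection, which is what the SYN flood leaves behind.
    return "a" in flags and nbytes == 0

def embryonic_by_source(show_conn_text):
    """Count half-open connections per outside source address."""
    counts = defaultdict(int)
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and is_embryonic(m["flags"], int(m["bytes"])):
            counts[m["src"]] += 1
    return dict(counts)

def check_limits(show_conn_text, per_client_embryonic_max=5, embryonic_conn_max=200):
    """Compare the snapshot against the MPF limits from the posted policy-map.
    Returns (total half-open, sources over the per-client limit, global limit hit)."""
    counts = embryonic_by_source(show_conn_text)
    total = sum(counts.values())
    offenders = {ip: n for ip, n in counts.items() if n > per_client_embryonic_max}
    return total, offenders, total > embryonic_conn_max

if __name__ == "__main__":
    total, offenders, over_global = check_limits(SAMPLE_SHOW_CONN)
    print(f"half-open: {total}, over per-client limit: {offenders}, global limit hit: {over_global}")
```

Feeding a real "show conn" capture through check_limits() shows whether the burst comes from a few sources (per-client-embryonic-max is the lever) or from many (embryonic-conn-max and the ASA's TCP intercept behaviour matter instead).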
