Suspected DDoS SYN-Flood attack

Phil Williamson
Level 1

ASA5520 v8.3(2) OS

I'm seeing connection bursts every 2 minutes to my internal SSH server

Conns during that time peak at > 1500/sec - normal is 100/sec

Inbound bandwidth usage goes from 4Mbit/sec to > 30Mbit/sec

CPU usage spikes above 60%

When I do a "show conn" the outstanding type looks like:

TCP outside AA.BB.CC.DD:11510 inside XXX.YYY.XXX.ZZZ:22, idle 0:00:00, bytes 0, flags aB

Note the 'bytes 0, flags aB'

What do I need to do to mitigate this?  I don't have an AIP-SSC in the 5520.

Thx

5 Replies

mvsheik123
Level 7

Hi,

On ASA access rules, SSH is opened for the inside server from outside IPs? If so, is it restricted?

please see the below link that might provide some helpful information.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

hth

MS

Yes, this is an unrestricted server.

I've tried the code in that link previously and it does not seem to make any difference.

Thoughts?

Thx

PW

Nope...;-) but I would move the server to the DMZ, if possible. Also try clearing the xlate for the server and see if that helps anything.

Thx

MS

It is basically in a DMZ since it's the only server behind the ASA.

Can't clear xlates - that would bring down 2K+ legit connections.

I did make a few changes to the code in your link:

!
class-map TCP_SYN
 match port tcp eq ssh
!
policy-map TCPMAP
 class TCP_SYN
  set connection conn-max 10000 embryonic-conn-max 200 per-client-max 25 per-client-embryonic-max 5
  set connection timeout half-closed 0:05:00 idle 1:00:00
!
service-policy TCPMAP interface outside
!

Questions:

Is the conn-max the # of conns allowed to my internal server or from any one external source?  Maybe I have this set too high?

Ditto for embryonic-conn-max, per-client-max and per-client-embryonic-max ??

Thx
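The conn line quoted in the question (bytes 0, flags aB) is a half-open TCP connection: on the ASA, flag "a" means the firewall is still awaiting the outside host's ACK to the SYN, and "B" means the initial SYN came from the outside interface. Those are the embryonic connections the posted policy's embryonic-conn-max (aggregate, for all traffic matching the class) and per-client-embryonic-max (per outside source address) act on; conn-max and per-client-max are the corresponding limits for all connections, embryonic or not. The script below is an added example, not code from the original thread or from Cisco: it parses "show conn" output, counts half-open connections to port 22 per outside source and reports the sources that exceed the per-client-embryonic-max value from the posted policy. The sample output, the 203.0.113.x / 198.51.100.x addresses and the flag letters UIO for established sessions are constructed for the example.

```python
"""Triage ASA "show conn" output for SYN-flood symptoms.

Parses each TCP conn line, marks half-open (embryonic) connections and
groups them by outside source so the per-client-embryonic-max value in the
policy can be compared with what the firewall actually sees.
Example code added to the thread, not from the original post.
"""
import re
from collections import Counter

# Constructed sample of "show conn" output (not from the original post).
# 203.0.113.10 sends SYNs to the inside SSH server that never complete;
# 203.0.113.45 and 203.0.113.77 also have ordinary established sessions.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:11510 inside 198.51.100.22:22, idle 0:00:00, bytes 0, flags aB
TCP outside 203.0.113.10:11511 inside 198.51.100.22:22, idle 0:00:00, bytes 0, flags aB
TCP outside 203.0.113.10:11512 inside 198.51.100.22:22, idle 0:00:01, bytes 0, flags aB
TCP outside 203.0.113.10:11513 inside 198.51.100.22:22, idle 0:00:01, bytes 0, flags aB
TCP outside 203.0.113.10:11514 inside 198.51.100.22:22, idle 0:00:02, bytes 0, flags aB
TCP outside 203.0.113.10:11515 inside 198.51.100.22:22, idle 0:00:02, bytes 0, flags aB
TCP outside 203.0.113.10:11516 inside 198.51.100.22:22, idle 0:00:03, bytes 0, flags aB
TCP outside 203.0.113.45:50122 inside 198.51.100.22:22, idle 0:00:00, bytes 0, flags aB
TCP outside 203.0.113.45:50123 inside 198.51.100.22:22, idle 0:12:41, bytes 18422, flags UIO
TCP outside 203.0.113.77:40011 inside 198.51.100.22:22, idle 0:03:09, bytes 5120, flags UIO
"""

# ASA conn-table flag letters used here:
#   a  awaiting outside ACK to SYN     A  awaiting inside ACK to SYN
#   B  initial SYN came from outside   U  connection is up (handshake done)
CONN_RE = re.compile(
    r"^TCP\s+(?P<out_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+"
    r"idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


def parse_show_conn(text):
    """Return one dict per parsable TCP conn line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conn = m.groupdict()
        for key in ("sport", "dport", "bytes"):
            conn[key] = int(conn[key])
        conns.append(conn)
    return conns


def is_embryonic(conn):
    """Half-open: handshake not finished (a/A set, U not set) and no payload yet."""
    flags = conn["flags"]
    return ("a" in flags or "A" in flags) and "U" not in flags and conn["bytes"] == 0


def embryonic_by_source(conns, dport=22):
    """Count half-open connections to dport per outside source address."""
    return Counter(c["src"] for c in conns if c["dport"] == dport and is_embryonic(c))


def offenders(conns, per_client_embryonic_max=5, dport=22):
    """Sources whose half-open count exceeds per-client-embryonic-max, worst first.

    Under the posted policy these are the clients whose further SYNs the ASA
    would start intercepting (proxying the handshake) rather than passing on.
    """
    counts = embryonic_by_source(conns, dport)
    over = [(ip, n) for ip, n in counts.items() if n > per_client_embryonic_max]
    return sorted(over, key=lambda item: item[1], reverse=True)


def summarize(text, per_client_embryonic_max=5, dport=22):
    """Totals plus the offending sources, for a quick look during a burst."""
    conns = parse_show_conn(text)
    half_open = [c for c in conns if c["dport"] == dport and is_embryonic(c)]
    return {
        "total": len(conns),
        "embryonic": len(half_open),
        "offenders": offenders(conns, per_client_embryonic_max, dport),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SHOW_CONN)
    print(f"{report['total']} conns, {report['embryonic']} half-open to port 22")
    for ip, n in report["offenders"]:
        print(f"  {ip}: {n} half-open, over per-client-embryonic-max")
```

On a real box, pipe the output of "show conn" (or "show conn port 22") into the script instead of the constructed sample; the per-source counts tell you whether the burst comes from a few addresses, which per-client-embryonic-max can hold down, or from many spoofed sources, where only the aggregate embryonic-conn-max limit and TCP intercept help.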

Hi,

The conn-max # and per-client max # totally depend on your infra requirements and how many the server can support (not sure if there is any such restriction on the server end). But I wouldn't allow any client to open more than 5 max connections, and a simultaneous conn max # of 100-200. In other words, always start from a low number, and if there are any connectivity issues you can increase it anytime.

hth

MS
