Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3201
Views
0
Helpful
0
Comments

How to configure TCP intercept or block denial of service (DoS) attacks on the PIX Firewall

TCC_2
Level 10
Level 10

‎06-22-2009 03:36 PM - edited ‎03-08-2019 06:08 PM

What is Denial of Service (DOS)?


Denial of service (DoS) usually refers to an attack that attempts to make a computer resource unavailable to the users by flooding the network or server with requests and data. When there is DOS the end users are not ab;e to use their application like email and other network resources.

There is one more form of DoS which is known as Distributed Denial of Service (DDoS).


Core issue

Protect internal servers from a denial-of-service (DoS) attack.

Resolution

Starting with PIX Software version 5.2, the TCP Intercept feature can help protect internal servers from DoS attacks. This feature allows the user to configure the maximum number of connections allowed to an internal server and the maximum number of embryonic connections (ones that have not completed the TCP three-way handshake) to a server.

If the embryonic connection limit is reached, then the PIX responds to every SYN packet sent to the server with a SYN+ACK, and does not pass the SYN packet to the internal server.

If the external device responds with an ACK packet, then the PIX knows it is a valid request (and not part of a SYN attack). The PIX then establishes a connection with the server and joins the connections together. If the PIX does not get an ACK back from the server, it aggressively times out that embryonic connection.

The Max Connection option can also be set. Once this threshold is reached, the PIX will not allow any new connections to the server until the active connections drop below this number.

The syntax for this feature is shown below.

static [(prenat_interface, postnat_interface)] {mapped_address|interface} real_address [dns]
[netmask mask] [norandomseq] [connection_limit [em_limit]]

Example

static (inside, outside) 192.168.1.45 10.1.1.45 netmask 255.255.255.255 0 120

In the above example, the embryonic limit is set to 120 and there is no Max Connection limit set. Most Windows platforms allow a maximum of 128 embryonic connections, so when setting the embryonic limit on the static, use a value less than the maximum embryonic limit allowed by the server operating system.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents