TCC_2

Resolution

For any Denial of Service (DoS) attack, it is always advisable to block the traffic as close as possible to the source that generates the attack.

As a workaround, create an access-list if the port or the IP that generates the attack is known.

In PIX Software version 5.2 and later, the TCP Intercept feature can help protect internal servers from DoS attacks. This feature allows the user to configure the maximum number of connections allowed to an internal server and the maximum number of embryonic connections to a server. Embryonic connections are connections that have not completed the TCP three-way handshake.

If the embryonic connection limit is reached, the PIX Firewall responds to every SYN packet sent to the server with a SYN+ACK, and does not pass the SYN packet to the internal server. If the external device responds with an ACK packet, then the PIX knows it is a valid request (and not part of a SYN attack). The PIX then establishes a connection with the server and joins the connections together. If the PIX does not get an ACK back from the server, it aggressively times out that embryonic connection.

The Max Connection option can also be set. Once this threshold is reached, the PIX does not allow any new connections to the server until the active connections drop below this number.

The syntax for this feature is:

static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]
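As an added example (not part of the original post), a small Python audit that parses static commands in the syntax quoted above and flags entries whose limits leave TCP Intercept inactive; the sample configuration lines are constructed, and a limit of 0 is the PIX default meaning unlimited. The second check assumes that embryonic connections count against connection_limit, so an em_limit above it can never be reached.

```python
from dataclasses import dataclass

# Constructed sample of PIX 5.2+ "static" lines; not taken from any real device.
SAMPLE_CONFIG = """\
static (inside,outside) interface 10.1.1.10
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255 500 100
static (dmz,outside) 192.0.2.30 10.2.2.30 dns netmask 255.255.255.255 norandomseq 100 200
static (inside,outside) 192.0.2.40 10.1.1.40 netmask 255.255.255.255 200
"""

@dataclass
class StaticEntry:
    prenat: str
    postnat: str
    mapped: str                 # mapped address, or the literal "interface"
    real: str
    dns: bool = False
    netmask: str = ""
    norandomseq: bool = False
    connection_limit: int = 0   # PIX default 0 = unlimited
    em_limit: int = 0           # PIX default 0 = unlimited, so TCP Intercept never engages

def parse_static(line: str) -> StaticEntry:
    toks = line.split()
    if len(toks) < 4 or toks[0] != "static" or not toks[1].startswith("("):
        raise ValueError(f"not a static command: {line!r}")
    entry = StaticEntry(*toks[1].strip("()").split(","), toks[2], toks[3])
    limits, i = [], 4
    while i < len(toks):
        tok = toks[i]
        if tok in ("dns", "norandomseq"):   # bare keyword flags
            setattr(entry, tok, True)
        elif tok == "netmask":              # netmask takes one argument
            entry.netmask, i = toks[i + 1], i + 1
        elif tok.isdigit():                 # trailing numbers: connection_limit, then em_limit
            limits.append(int(tok))
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        i += 1
    entry.connection_limit, entry.em_limit = (limits + [0, 0])[:2]
    return entry

def audit_tcp_intercept(config: str) -> list:
    # One finding per static whose limits leave the real server open to a SYN flood.
    findings = []
    for entry in (parse_static(ln) for ln in config.splitlines() if ln.startswith("static ")):
        if entry.em_limit == 0:
            findings.append(f"{entry.real}: em_limit 0, every SYN is passed to the server")
        elif entry.connection_limit and entry.em_limit > entry.connection_limit:
            findings.append(f"{entry.real}: em_limit {entry.em_limit} exceeds connection_limit")
    return findings
```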
