
Cisco ASA | DDoS flood protection

How to prevent Cisco ASA from DDoS flooding.

I've found a very good rule-set at a Cisco forum and modified it for my needs.

Example via Cisco ASA CLI:


class-map CONNS-MAP

match any

policy-map CONNS-POLICY

class CONNS-MAP

set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 300 per-client-embryonic-max 300

set connection timeout embryonic 0:05:00 half-closed 0:05:00 tcp 0:05:00 dcd

!

service-policy CONNS-POLICY interface outside

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address myip 255.255.255.255

threat-detection scanning-threat shun except ip-address xxx.xxx.xxx.0 255.255.255.0

threat-detection scanning-threat shun except ip-address xxx.xxx.xxx.xxx 255.255.255.255

threat-detection scanning-threat shun except ip-address insideserverip 255.255.255.255

threat-detection scanning-threat shun duration 3600

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept
!


In the first section you set the maximum number of connections (total and per client) and the idle timeouts. You can also configure this in ASDM under Configuration -> Firewall -> Service Policy Rules.

Information:

Embryonic (half-open) connection: an embryonic connection is a TCP connection request that has not completed the handshake between source and destination. Its timeout is given as [H]:[min]:[sec].

Half-closed connection: a half-closed connection is one that has been closed in only one direction by sending a FIN, while the peer still maintains the TCP session. Its timeout is given as [H]:[min]:[sec].

Per-client-embryonic-max: the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections.

Per-client-max: the maximum number of simultaneous connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections.

In the second section you define the networks that are excluded from the scanning-threat shun, for example all your inside networks or any external monitoring IP, so that legitimate high-rate sources are never shunned. In ASDM you can find this under Configuration -> Firewall -> Threat Detection.
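As an added example (my own helper, not part of the original post or of Cisco's tooling), the following Python function builds the same connection-limit and threat-detection snippet from a list of exempt networks given in CIDR notation, converting them to the dotted masks the ASA CLI expects and rejecting limits outside 0..65535 or a per-client limit that could never take effect because it exceeds the global one. The function name, the default values and the sample networks are assumptions taken from the snippet above.

```python
import ipaddress

def _check_limit(name, value):
    # ASA accepts 0..65535 for these limits; 0 means unlimited.
    if not 0 <= value <= 65535:
        raise ValueError(f"{name} must be 0..65535, got {value}")

def _hms(seconds):
    # ASA timeouts are written as hh:mm:ss.
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}:{m:02d}:{s:02d}"

def build_flood_policy(exempt_cidrs, interface="outside",
                       conn_max=1000, embryonic_max=1000,
                       per_client_max=300, per_client_embryonic_max=300,
                       timeout_s=300, shun_duration_s=3600):
    """Return the ASA CLI lines for the flood-protection policy (hypothetical helper)."""
    for name, value in (("conn-max", conn_max), ("embryonic-conn-max", embryonic_max),
                        ("per-client-max", per_client_max),
                        ("per-client-embryonic-max", per_client_embryonic_max)):
        _check_limit(name, value)
    # A per-client limit above the global limit (when the global one is set) is dead config.
    if conn_max and per_client_max > conn_max:
        raise ValueError("per-client-max exceeds conn-max")
    if embryonic_max and per_client_embryonic_max > embryonic_max:
        raise ValueError("per-client-embryonic-max exceeds embryonic-conn-max")
    t = _hms(timeout_s)
    lines = [
        "class-map CONNS-MAP",
        " match any",
        "policy-map CONNS-POLICY",
        " class CONNS-MAP",
        f"  set connection conn-max {conn_max} embryonic-conn-max {embryonic_max} "
        f"per-client-max {per_client_max} per-client-embryonic-max {per_client_embryonic_max}",
        f"  set connection timeout embryonic {t} half-closed {t} tcp {t} dcd",
        "!",
        f"service-policy CONNS-POLICY interface {interface}",
        "threat-detection basic-threat",
    ]
    for cidr in exempt_cidrs:
        # strict=True (default) rejects host bits set under the mask, e.g. 10.0.0.5/24,
        # so a typo in an exemption fails here instead of exempting the wrong network.
        net = ipaddress.ip_network(cidr)
        lines.append("threat-detection scanning-threat shun except ip-address "
                     f"{net.network_address} {net.netmask}")
    lines.append(f"threat-detection scanning-threat shun duration {shun_duration_s}")
    lines += ["no threat-detection statistics access-list",
              "no threat-detection statistics tcp-intercept"]
    return lines
```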

Good luck and happy protection