The parameter to do this on a given static statement is for embryonic connections... (an unanswered SYN)

static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [dns] [netmask mask] [norandomseq] [connection_limit] [em_limit]

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694
-----Original Message-----
From: "d tran"
To: [EMAIL PROTECTED]
Date: Sat, 25 Jan 2003 21:41:09 GMT
Subject: How to stop SYN Flood with Pix firewall? [7:61875]
Guys,

I have the following scenario:

I have a pix 520 firewall (750MHz with 512MB of RAM) in the lab. The "inside" interface is 10.100.0.254/24 and the "outside" interface is 172.16.1.253/24.

I have a linux server residing on the "inside" network with IP 10.100.0.71 running Apache Server and it is NATed to the outside with IP 172.16.1.71. I would like to make this web server available to the "outside" world. My pix configuration looks like this:

static (inside,outside) 172.16.1.71 10.100.0.71
access-list 100 permit tcp any host 172.16.1.71 eq 80
access-list 100 deny ip any any
access-group 100 in interface outside
floodguard enable

Now on the "outside" network I have two linux servers (172.16.1.67 and 172.16.1.7), running the hping2 program, which is capable of generating a lot of "SYN" connections to address 172.16.1.71. Now, when I run the hping2 program, I am seeing the cpu utilization on the firewall reaching 99% like this:

pix1(config)# sh cpu usage
CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%

However, the connection count is less than 200:

pix1(config)# sh conn count
125 in use, 7926 most used

Other machines on the 172.16.1.0/24 network have problems reaching the webserver, 172.16.1.71, when hping2 is bombarding the webserver with a SYN flood.

Fair enough, I decided to modify the access-list 100 to limit both the maximum connections and "half-open" connections to 500 and 250, respectively, as follows:

static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250

and I do "clear xlate" after that.

That didn't help. The cpu utilization is still 99% and machines on the "outside" network still have problems accessing the website.

My question is this. How do I defend against a SYN flood like this? From what I've heard, Cisco Pix has an improved TCP intercept to defend against SYN attacks. Why is it not working in my case? To make the matter worse, the CPU also reaches 99% when hping2 SYN floods port 22 even though the firewall does not allow port 22 to 172.16.1.71.

I am testing with both version 6.2(2) and 6.3(0) build 131 on this Pix520 firewall.

I would like to know how to defend against not only SYN floods but also other attacks. It looks to me like Pix is not doing its job.

Regards,
DT
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61879&t=61875
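The following is an added example, not code from either message or from Cisco: a small model of the connection accounting that the static statement's connection_limit (max_conns) and em_limit (emb_limit) arguments impose on a protected host. It parses a static line in the 6.x syntax quoted in the reply (the "netmask" keyword is treated as optional, matching the poster's line), then replays a constructed flood of SYNs that are never completed, followed by one legitimate client. The intercept behaviour (the firewall answering the SYN itself and only opening the server side once the client completes the handshake) is an assumption for illustration, kept as a set here; the real feature does not need that state. Names such as parse_static, ConnTable and simulate are the example's own.

```python
"""Toy model of the PIX 6.x 'static' connection limits discussed in this thread.

Constructed example: not Cisco code. It parses a 'static' line in the syntax
quoted in the reply and applies max_conns / emb_limit as the thread describes
them: an embryonic connection is a SYN forwarded to the server whose handshake
never completed. The 'intercepted' set is a stand-in for the firewall proxying
the handshake (an assumption for illustration, not how the real feature stores state).
"""
import re
from dataclasses import dataclass

# static [(pre,post)] mapped real [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]
STATIC_RE = re.compile(
    r"^static\s+\((?P<pre>\w+),\s*(?P<post>\w+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"(?:\s+dns)?"
    r"(?:\s+(?:netmask\s+)?(?P<mask>\d+(?:\.\d+){3}))?"
    r"(?:\s+(?P<max>\d+))?"
    r"(?:\s+(?P<emb>\d+))?"
    r"(?:\s+norandomseq)?\s*$"
)


@dataclass
class StaticLimits:
    prenat_if: str
    postnat_if: str
    mapped: str
    real: str
    netmask: str
    max_conns: int   # 0 means unlimited (the PIX default)
    emb_limit: int   # 0 means unlimited (the PIX default)


def parse_static(line: str) -> StaticLimits:
    """Parse one 'static' statement; raise ValueError on anything else."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    return StaticLimits(
        m["pre"], m["post"], m["mapped"], m["real"],
        m["mask"] or "255.255.255.255",
        int(m["max"] or 0), int(m["emb"] or 0),
    )


class ConnTable:
    """Connection accounting for the single host a static statement protects."""

    def __init__(self, limits: StaticLimits):
        self.limits = limits
        self.embryonic = set()     # SYN forwarded to the server, handshake not done
        self.intercepted = set()   # SYN answered by the firewall, server never saw it
        self.established = set()

    def on_syn(self, src: str, sport: int) -> str:
        """Return the verdict for a new SYN: 'forward', 'intercept' or 'drop'."""
        key = (src, sport)
        total = len(self.embryonic) + len(self.established)   # server-side state
        if self.limits.max_conns and total >= self.limits.max_conns:
            return "drop"
        if self.limits.emb_limit and len(self.embryonic) >= self.limits.emb_limit:
            self.intercepted.add(key)
            return "intercept"
        self.embryonic.add(key)
        return "forward"

    def on_ack(self, src: str, sport: int) -> bool:
        """Client completed the handshake; promote it to established if we know it."""
        key = (src, sport)
        if key in self.embryonic:
            self.embryonic.discard(key)
        elif key in self.intercepted:
            self.intercepted.discard(key)   # now the firewall opens the server side
        else:
            return False
        self.established.add(key)
        return True


def simulate(static_line: str, flood_src: str, flood_count: int, legit_src: str) -> dict:
    """Replay a constructed flood of never-completed SYNs, then one real client."""
    table = ConnTable(parse_static(static_line))
    verdicts = {"forward": 0, "intercept": 0, "drop": 0}
    for port in range(1024, 1024 + flood_count):   # constructed: distinct source ports, no ACKs
        verdicts[table.on_syn(flood_src, port)] += 1
    legit_syn = table.on_syn(legit_src, 40000)
    legit_done = table.on_ack(legit_src, 40000)
    return {
        "flood": verdicts,
        "legit_syn": legit_syn,
        "legit_established": legit_done,
        "embryonic": len(table.embryonic),
        "established": len(table.established),
    }


if __name__ == "__main__":
    # The poster's second static line: 500 connections, 250 embryonic.
    print(simulate("static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250",
                   "172.16.1.67", 1000, "172.16.1.7"))
```

With the poster's limits the flood fills the 250 embryonic slots and every later SYN is intercepted rather than forwarded, so the legitimate client still gets through by completing its handshake; with no limits all 1000 SYNs reach the server, and with only max_conns set the legitimate client is dropped once the table is full. The model counts state only: it says nothing about the per-packet cost of handling each SYN, and the poster's CPU figure rises even for SYNs the access-list denies, which these limits do not address.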