I am not sure how many packets/sec hping2 generates, but I don't think 100BaseT was saturated, because the whole thing is connected to a Cisco 2924-XL Enterprise switch (running IOS 12.05(T)). Furthermore, while machines on the 172.16.1.0/24 network have problems connecting to the Linux web server via the NATed address 172.16.1.71, they have NO problems surfing the Internet or any other network. In fact, I am writing you this email as my other two Linux servers are sending a SYN flood to the web server and the CPU on the PIX firewall is at 99%.

You wouldn't have to fight the udp 1434 problem had you decided to scrap the shitty MS SQL server, running on a crappy Windows machine, and replace it with MySQL (freeware) or a real commercial database product like Oracle, running on the Linux platform. Enjoy fighting udp 1434. LOL

DT

Przemyslaw Karwasiecki wrote:

How many packets per second does hping2 generate? If it saturates 100BaseT, maybe you have just reached the performance limit of the PIX 520? I am not trying to say that the PIX will not handle traffic in the proximity of 150,000-200,000 pps. I simply don't know that. But if it needs to analyze 150,000 SYN packets per second, I can easily imagine that it will crawl.

BTW -- very interesting experiment.

Przemek (fighting with udp 1434 now)

On Sat, 2003-01-25 at 16:40, d tran wrote:
> Guys,
>
> I have the following scenario:
>
> I have a PIX 520 firewall (750MHz with 512MB of RAM) in the lab. The "inside"
> interface is 10.100.0.254/24 and the "outside" interface is 172.16.1.253/24.
> I have a Linux server residing on the "inside" network with IP 10.100.0.71 running
> Apache Server and it is NATed to the outside with IP 172.16.1.71. I would like
> to make this web server available to the "outside" world. My PIX configuration looks
> like this:
>
> static (inside,outside) 172.16.1.71 10.100.0.71
> access-list 100 permit tcp any host 172.16.1.71 eq 80
> access-list 100 deny ip any any
> access-group 100 in interface outside
> floodguard enable
>
> Now on the "outside" network I have two Linux servers, (172.16.1.67 and 172.16.1.7),
> running the hping2 program that is capable of generating a lot of "SYN" connections to
> address 172.16.1.71. Now, when I run the hping2 program, I am seeing the CPU
> utilization on the firewall reaching 99% like this:
>
> pix1(config)# sh cpu usage
> CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%
>
> However, the connection count is less than 200:
>
> pix1(config)# sh conn count
> 125 in use, 7926 most used
>
> Other machines on the 172.16.1.0/24 network have problems reaching the webserver,
> 172.16.1.71, when hping2 is bombarding the webserver with the SYN flood.
>
> Fair enough, I decided to modify the static to limit both the maximum
> connections and "half-open" connections to 500 and 250, respectively, as follows:
>
> static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250
>
> and I do "clear xlate" after that.
>
> That didn't help. The CPU utilization is still 99% and machines on the "outside"
> network still have problems accessing the website.
>
> My question is this. How do I defend against a SYN flood like this? From what I've
> heard, Cisco PIX has an improved TCP intercept to defend against SYN attacks.
> Why is it not working in my case? To make the matter worse, the CPU also
> reaches 99% when hping2 SYN floods port 22 even though the firewall does not allow
> port 22 to 172.16.1.71.
>
> I am testing with both version 6.2(2) and 6.3(0) build 131 on this PIX 520 firewall.
> I would like to know how to defend against not only SYN floods but also other
> attacks. It looks to me like the PIX is not doing its job.
>
> Regards,
>
> DT
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61891&t=61891
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
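As an added defender-side example (not code from the thread or from Cisco), the script below parses the three PIX outputs quoted above and flags the pattern DT observed: CPU pinned near 99% while "show conn count" stays far below the static's max_conns, which points at a packet flood the firewall must inspect rather than a connection-table exhaustion. The 90% threshold, the function names and the handling of the optional "netmask" keyword are my assumptions.

```python
import re

# Constructed sample lines, in the formats shown in the thread above.
CPU_LINE = "CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%"
CONN_LINE = "125 in use, 7926 most used"
STATIC_LINE = "static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250"
# Assumed threshold: CPU at or above this while the conn count stays low is suspicious.
CPU_BUSY_PCT = 90

def parse_cpu(line):
    """Return (5s, 1m, 5m) utilisation percentages from 'show cpu usage' output."""
    m = re.search(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%", line)
    if not m:
        raise ValueError("unrecognised cpu line: %r" % line)
    return tuple(int(g) for g in m.groups())

def parse_conn_count(line):
    """Return (in_use, most_used) from 'show conn count' output."""
    m = re.search(r"(\d+) in use, (\d+) most used", line)
    if not m:
        raise ValueError("unrecognised conn line: %r" % line)
    return int(m.group(1)), int(m.group(2))

def parse_static_limits(line):
    """Return (max_conns, emb_limit) from a PIX 'static' line; None where not set."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "static":
        raise ValueError("not a static command: %r" % line)
    tail = tokens[4:]                   # everything after global_ip local_ip
    if tail and tail[0] == "netmask":   # assumed: keyword form is also accepted
        tail = tail[1:]
    if tail and "." in tail[0]:         # bare dotted-quad mask, as in the thread
        tail = tail[1:]
    nums = [int(t) for t in tail[:2]]
    nums += [None] * (2 - len(nums))
    return nums[0], nums[1]

def assess(cpu_line, conn_line, static_line):
    """Classify the firewall state from the three command outputs."""
    five_sec = parse_cpu(cpu_line)[0]
    in_use, _ = parse_conn_count(conn_line)
    max_conns, _emb_limit = parse_static_limits(static_line)
    if five_sec >= CPU_BUSY_PCT and (max_conns is None or in_use < max_conns):
        return "suspect packet flood: CPU saturated while connections are below the static limit"
    if max_conns is not None and in_use >= max_conns:
        return "connection limit reached: static max_conns is actively capping sessions"
    return "normal"
```

Run periodically against the captured command output; the embryonic limit protects the server behind the static, but every SYN still has to be inspected by the PIX, which is why this check looks at CPU and connection count together.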