How many packets per second does hping2 generate?

If it saturates 100BaseT, maybe you have just reached the
performance limit of the PIX520?

I am not trying to say that the PIX will not handle traffic
in the proximity of 150,000-200,000 pps.
I simply don't know that.

But if it needs to analyze 150,000 SYN packets per second,
I can easily imagine that it will crawl.

BTW -- very interesting experiment.

Przemek
  (fighting with udp 1434 now)


On Sat, 2003-01-25 at 16:40, d tran wrote:
> Guys,
> 
> I have the following scenario:
> 
> I have a pix 520 firewall (750MHz with 512MB of RAM) in the lab.  The "inside"
> interface is 10.100.0.254/24 and the "outside" interface is 172.16.1.253/24.
> 
> I have a linux server residing on the "inside" network with IP 10.100.0.71 running
> Apache Server and it is NATed to the outside with IP 172.16.1.71.  I would like
> to make this web server available to the "outside" world.  My pix configuration looks
> like this:
> 
> static (inside,outside) 172.16.1.71 10.100.0.71
> 
> access-list 100 permit tcp any host 172.16.1.71 eq 80
> 
> access-list 100 deny ip any any
> 
> access-group 100 in interface outside
> 
> floodguard enable
> 
> Now on the "outside" network I have two linux servers (172.16.1.67 and 172.16.1.7)
> running the hping2 program, which is capable of generating a lot of "SYN" connections to
> address 172.16.1.71.  Now, when I run the hping2 program, I am seeing the cpu
> utilization on the firewall reaching 99% like this:
> 
> pix1(config)# sh cpu usage
> CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%
> 
> However, the connection count is less than 200:
> 
> pix1(config)# sh conn count
> 125 in use, 7926 most used
> 
> Other machines on the 172.16.1.0/24 network have problems reaching the webserver,
> 172.16.1.71, when hping2 is bombarding the webserver with a SYN flood.
> 
> Fair enough, I decided to modify the access-list 100 to limit both the maximum
> connections and "half-open" connections to 500 and 250, respectively, as follows:
> 
> static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250
> 
> and I do "clear xlate" after that.
> 
> That didn't help.  The cpu utilization is still 99% and machines on the "outside"
> network still have problems accessing the website.
> 
> My question is this.  How do I defend against a SYN flood like this? From what I've
> heard, Cisco Pix has an improved TCP intercept to defend against SYN attacks.
> 
> Why is it not working in my case?  To make the matter worse, the CPU also
> reaches 99% when hping2 SYN floods port 22 even though the firewall does not allow
> port 22 to 172.16.1.71.
> 
> I am testing with both version 6.2(2) and 6.3(0) build 131 on this Pix520 firewall.
> 
> I would like to know how to defend against not only SYN floods but also
> other attacks.  It looks to me like Pix is not doing its job.
> 
> Regards,
> 
> DT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61892&t=61892
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html