Carl,

Did you read my post before replying?

floodguard enable

DT

Carl Newman wrote:

Tran:

Have you turned on flood guard? This is a needed element before the
embryonic threshold can be enabled.

Carl

-----Original Message-----
From: d tran [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 3:41 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: How to stop SYN Flood with Pix firewall?


Guys,

I have the following scenario:

I have a pix 520 firewall (750MHz with 512MB of RAM) in the lab. The "inside"
interface is 10.100.0.254/24 and the "outside" interface is 172.16.1.253/24.

I have a linux server residing on the "inside" network with IP 10.100.0.71
running Apache Server and it is NATed to the outside with IP 172.16.1.71. I
would like to make this web server available to the "outside" world. My pix
configuration looks like this:

static (inside,outside) 172.16.1.71 10.100.0.71 

access-list 100 permit tcp any host 172.16.1.71 eq 80

access-list 100 deny ip any any

access-group 100 in interface outside

floodguard enable

Now on the "outside" network I have two linux servers, (172.16.1.67 and
172.16.1.7), running hping2 program that is capable of generating a lot of
"SYN" connections to address 172.16.1.71. Now, when I run the hping2 program,
I am seeing the cpu utilization on the firewall reaching 99% like this:

pix1(config)# sh cpu usage
CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%

However, the connection count is less than 200

pix1(config)# sh conn count
125 in use, 7926 most used

Other machines on the 172.16.1.0/24 network have problems reaching the
webserver, 172.16.1.71, when hping2 is bombarding the webserver with SYN Flood.

Fair enough, I decided to modify the access-list 100 to limit both the maximum
connections and "half-open" connections to 500 and 250, respectively, as
follows:

static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250

and I do "clear xlate" after that.

That didn't help. The cpu utilization is still 99% and machines on the
"outside" network still have problems accessing the website.

My question is this. How do I defend against a SYN flood like this? From what
I've heard, Cisco Pix has an improved TCP intercept to defend against SYN
attacks. Why is it not working in my case? To make the matter worse, the CPU
also reaches 99% when hping2 SYN floods port 22 even though the firewall does
not allow port 22 to 172.16.1.71.

I am testing with both version 6.2(2) and 6.3(0) build 131 on this Pix520
firewall.

I would like to know how to defend against not only SYN flood but also from
other attacks. It looks to me like Pix is not doing its job.

Regards,

DT
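As an added illustration (not part of this thread and not PIX code), here is a simplified Python model of the two limits in the `static ... 255.255.255.255 500 250` line: a cap on total connections and a cap on embryonic (half-open) connections, with the firewall proxying the handshake once the embryonic limit is reached. The intercept behaviour, the `StaticLimiter` class and the constructed traffic are assumptions of the model, not a description of the PIX implementation.

```python
from dataclasses import dataclass, field


@dataclass
class StaticLimiter:
    """Simplified model of per-static limits (assumption, not PIX code):
    max_conns caps total connections, emb_limit caps half-open ones."""
    max_conns: int
    emb_limit: int
    half_open: set = field(default_factory=set)    # SYN forwarded to server, no ACK yet
    intercepted: set = field(default_factory=set)  # firewall answered the SYN itself
    established: set = field(default_factory=set)
    rejected: int = 0

    def on_syn(self, flow):
        if flow in self.half_open or flow in self.intercepted or flow in self.established:
            return "duplicate"
        if len(self.half_open) + len(self.established) >= self.max_conns:
            self.rejected += 1
            return "rejected"            # hard cap on total connections
        if len(self.half_open) < self.emb_limit:
            self.half_open.add(flow)     # under the limit: the server sees the SYN
            return "forwarded"
        # Over the embryonic limit: the firewall completes the handshake on the
        # server's behalf, so a flood that never ACKs consumes no server state.
        # (A real device would use SYN cookies instead of keeping this set; it
        # is tracked here only so the count can be reported.)
        self.intercepted.add(flow)
        return "intercepted"

    def on_ack(self, flow):
        if flow in self.half_open:
            self.half_open.remove(flow)
        elif flow in self.intercepted:
            self.intercepted.remove(flow)  # client proved reachable; server gets it now
        else:
            return "ignored"
        self.established.add(flow)
        return "established"


def run_scenario(flood_syns=1000, legit_clients=10, max_conns=500, emb_limit=250):
    """Constructed traffic: hping2-style SYNs that never ACK, then legitimate
    clients that do. Returns (server-side half-open, intercepted, legit results)."""
    fw = StaticLimiter(max_conns, emb_limit)
    for i in range(flood_syns):
        fw.on_syn(("172.16.1.67", 40000 + i))   # flood source from the thread
    results = []
    for i in range(legit_clients):
        flow = ("172.16.1.10", 50000 + i)        # constructed legitimate client
        fw.on_syn(flow)
        results.append(fw.on_ack(flow))
    return len(fw.half_open), len(fw.intercepted), results
```

The model shows the limit protecting the server's half-open table (it never exceeds 250) while legitimate clients still establish; it says nothing about firewall CPU, which is the symptom the thread actually reports.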





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61885&t=61885
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]