Mitigating DoS attacks on a Cisco ASA

In this example we configure the Modular Policy Framework (MPF) to define a set of connection limits. This provides a basic means of protecting the hosts behind the ASA against connection-exhaustion and SYN-flood style DoS attacks; it is not a substitute for upstream volumetric DDoS protection.

Define Traffic

First we define the traffic the MPF policy applies to. In the example below a single host is excluded by the first (deny) entry, whilst all other traffic is matched by the permit any any entry. Note that a deny entry within an access-list used for class-map matching only exempts that traffic from the policy; it does not block it.

cisco-asa(config)# access-list mpf-policy-acl extended deny ip host any
cisco-asa(config)# access-list mpf-policy-acl extended permit ip any any

Create Class-map

Next we assign the previously created access-list to a class-map.

cisco-asa(config)# class-map mpf-policy
cisco-asa(config-cmap)# match access-list mpf-policy-acl
cisco-asa(config-cmap)# exit

Create Policy-map

Then a policy-map is created and the necessary connection limits defined. conn-max and embryonic-conn-max cap the total number of established and half-open (embryonic) TCP connections for the whole class, whilst per-client-max and per-client-embryonic-max apply the same caps per source host. The values below are illustrative and should be sized against the capacity of the servers being protected.

cisco-asa(config)# policy-map mpf-policy-map
cisco-asa(config-pmap)# class mpf-policy
cisco-asa(config-pmap-c)# set connection conn-max 9500
cisco-asa(config-pmap-c)# set connection embryonic-conn-max 5000
cisco-asa(config-pmap-c)# set connection per-client-embryonic-max 100
cisco-asa(config-pmap-c)# set connection per-client-max 75
cisco-asa(config-pmap-c)# exit
cisco-asa(config-pmap)# exit

Assign to Interface

Finally the policy-map is applied to the outside interface using a service-policy. Only one service-policy can be applied per interface; for a given feature, an interface policy takes precedence over the global policy.

cisco-asa(config)# service-policy mpf-policy-map interface outside


Note around TCP Intercept

When an embryonic connection limit is configured, either via MPF or within a NAT statement, TCP Intercept is enabled once that threshold is reached. This feature then:

  1. intercepts the initial SYN rather than passing it to the backend server, and only opens the connection to the server once the 3-way handshake with the client is complete;
  2. builds a SYN cookie from header information within the packet and a secret known only to the ASA, and uses it as the sequence number within the SYN-ACK. This means no resources (i.e. the connection table) are consumed to store the half-open connection; state is only created once the client's ACK proves it completed the handshake.
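The mechanism described in point 2 above, as an added worked example (not ASA code and not part of the original post): the SYN-ACK sequence number is a keyed hash of the 4-tuple, the client's initial sequence number and a coarse time bucket, so the firewall keeps no half-open state at all. The final ACK is accepted only if its acknowledgement number equals a recomputed cookie plus one. The secret, the 64-second bucket, the addresses and the sequence numbers are all constructed for the example; a real implementation also encodes negotiated options such as the MSS in the cookie.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed placeholder secret; a real firewall keeps and rotates this internally.
FIREWALL_SECRET = b"example-syn-cookie-secret"
BUCKET_SECONDS = 64          # a cookie is accepted for the current and previous bucket
MASK32 = 0xFFFFFFFF


def _bucket(now: float) -> int:
    return int(now // BUCKET_SECONDS)


def make_syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                    client_isn: int, now: Optional[float] = None,
                    secret: bytes = FIREWALL_SECRET) -> int:
    """Return the 32-bit sequence number to place in the SYN-ACK.

    Nothing about the half-open connection is stored: the cookie is an HMAC over
    header fields plus a time bucket, truncated to 32 bits.
    """
    now = time.time() if now is None else now
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{_bucket(now)}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def validate_ack(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 client_seq: int, ack_num: int, now: Optional[float] = None,
                 secret: bytes = FIREWALL_SECRET) -> bool:
    """Check the client's final ACK against a recomputed cookie.

    A legitimate ACK carries seq = client_isn + 1 and ack = cookie + 1. The cookie
    is recomputed for the current and previous bucket; no lookup table is needed.
    """
    now = time.time() if now is None else now
    client_isn = (client_seq - 1) & MASK32
    for offset in (0, BUCKET_SECONDS):
        cookie = make_syn_cookie(src_ip, src_port, dst_ip, dst_port,
                                 client_isn, now - offset, secret)
        expected = struct.pack("!I", (cookie + 1) & MASK32)
        if hmac.compare_digest(expected, struct.pack("!I", ack_num & MASK32)):
            return True
    return False


def handshake_demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed exchange: a real client completes the handshake, a forged ACK
    with a guessed number fails, and a replayed ACK outside the window fails."""
    four = ("203.0.113.5", 40001, "198.51.100.10", 443)   # constructed 4-tuple
    client_isn = 0x1A2B3C4D                                # constructed client ISN
    cookie = make_syn_cookie(*four, client_isn, now)       # sent as SYN-ACK seq
    legit = validate_ack(*four, client_isn + 1, cookie + 1, now)
    forged = validate_ack(*four, client_isn + 1, (cookie + 2) & MASK32, now)
    stale = validate_ack(*four, client_isn + 1, cookie + 1, now + 3 * BUCKET_SECONDS)
    return {"cookie": cookie, "legit_ack_ok": legit,
            "forged_ack_ok": forged, "stale_ack_ok": stale}


if __name__ == "__main__":
    print(handshake_demo())
```

A spoofed SYN flood source never sends the third packet, so with this scheme it costs the firewall one HMAC per SYN and zero table entries; only the verified ACK triggers the real connection to the server.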

Note around connection limits

It's also worth knowing that the connection limits applied within a policy-map only count fully established connections. Should one side half close a connection (i.e. send a FIN), for example the attacker, those half-closed connections no longer count towards the current connection count within MPF, allowing further connections to be sent through the firewall.

This only really presents an issue with poorly built applications where the server side does not close its side of the connection; in most cases this caveat doesn't present a problem. The window is also bounded, since the ASA reaps half-closed connections after the interval set by the timeout half-closed command (10 minutes by default).
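A toy model of how the four set connection limits from the policy-map above are checked on each new SYN, and of the half-close caveat just described, as an added example that is not ASA code and not part of the original post. It follows the text: embryonic limits count half-open connections, conn limits count only fully established ones, and a half-closed connection counts as neither. The attacker address and the deliberately small limits are constructed for the example; the ASA's half-closed timeout is not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnLimits:
    """The four 'set connection' knobs from the policy-map above."""
    conn_max: int = 9500
    embryonic_conn_max: int = 5000
    per_client_max: int = 75
    per_client_embryonic_max: int = 100


@dataclass
class Conn:
    client: str
    established: bool = False   # 3-way handshake completed
    half_closed: bool = False   # one side has sent a FIN


class ConnTable:
    """Simplified model of the MPF limit checks; constructed for illustration."""

    def __init__(self, limits: ConnLimits) -> None:
        self.limits = limits
        self.conns: dict[str, Conn] = {}
        self.drops: list[tuple[str, str]] = []   # (conn_id, limit that dropped it)

    def _embryonic(self, client: Optional[str] = None) -> int:
        return sum(1 for c in self.conns.values()
                   if not c.established and (client is None or c.client == client))

    def _established(self, client: Optional[str] = None) -> int:
        # Half-closed connections are excluded, per the caveat in the text.
        return sum(1 for c in self.conns.values()
                   if c.established and not c.half_closed
                   and (client is None or c.client == client))

    def syn(self, conn_id: str, client: str) -> bool:
        """Admit or drop a new SYN; returns True if admitted."""
        lim = self.limits
        checks = [
            (self._embryonic() >= lim.embryonic_conn_max, "embryonic-conn-max"),
            (self._embryonic(client) >= lim.per_client_embryonic_max, "per-client-embryonic-max"),
            (self._established() >= lim.conn_max, "conn-max"),
            (self._established(client) >= lim.per_client_max, "per-client-max"),
        ]
        for hit, reason in checks:
            if hit:
                self.drops.append((conn_id, reason))
                return False
        self.conns[conn_id] = Conn(client)
        return True

    def ack(self, conn_id: str) -> None:
        """Handshake completed: embryonic becomes established."""
        self.conns[conn_id].established = True

    def fin(self, conn_id: str) -> None:
        """One side half-closes; the connection stops counting against conn limits."""
        self.conns[conn_id].half_closed = True


def syn_flood(limits: Optional[ConnLimits] = None) -> dict:
    """Constructed scenario: one source sends SYNs and never completes them."""
    limits = limits or ConnLimits(per_client_embryonic_max=5)
    t, atk = ConnTable(limits), "198.51.100.7"
    admitted = [t.syn(f"s{i}", atk) for i in range(limits.per_client_embryonic_max + 1)]
    other = t.syn("legit", "203.0.113.5")   # a different client is unaffected
    return {"flood_admitted": admitted, "other_client_admitted": other,
            "drop_reasons": [r for _, r in t.drops]}


def half_close_bypass(limits: Optional[ConnLimits] = None) -> dict:
    """Constructed scenario: the attacker fills its per-client quota, half-closes
    every connection with a FIN the server never answers, then opens more."""
    limits = limits or ConnLimits(per_client_max=3)
    t, atk = ConnTable(limits), "198.51.100.7"
    for i in range(limits.per_client_max):
        t.syn(f"a{i}", atk)
        t.ack(f"a{i}")
    blocked = not t.syn("a-extra", atk)
    for i in range(limits.per_client_max):
        t.fin(f"a{i}")
    admitted_after_fin = t.syn("a-extra2", atk)
    return {"blocked_at_quota": blocked, "admitted_after_half_close": admitted_after_fin,
            "drop_reasons": [r for _, r in t.drops], "entries_in_table": len(t.conns)}


if __name__ == "__main__":
    print(syn_flood())
    print(half_close_bypass())
```

The second scenario is the point of the caveat: the table still holds the half-closed entries, yet they no longer count against per-client-max, so the per-client quota is only a hard cap on connections the attacker leaves fully open.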

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001