Mitigating DoS attacks on a Cisco ASA

In this example we will configure the Modular Policy Framework (MPF) to define a range of connection limits. This provides a basic means of protecting your environment against DoS attacks.

Define Traffic

First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting all other traffic.

cisco-asa(config)# access-list mpf-policy-acl extended deny ip host 8.8.8.8 any
cisco-asa(config)# access-list mpf-policy-acl extended permit ip any any

Create Class-map

Next we assign the previously created access-list to a class-map.

cisco-asa(config)# class-map mpf-policy
cisco-asa(config-cmap)# match access-list mpf-policy-acl
cisco-asa(config-cmap)# exit

Create Policy-map

Then a policy-map is created and the necessary connection limits defined.

cisco-asa(config)# policy-map mpf-policy-map
cisco-asa(config-pmap)# class mpf-policy
cisco-asa(config-pmap-c)# set connection conn-max 9500
cisco-asa(config-pmap-c)# set connection embryonic-conn-max 5000
cisco-asa(config-pmap-c)# set connection per-client-embryonic-max 100
cisco-asa(config-pmap-c)# set connection per-client-max 75
cisco-asa(config-pmap-c)# exit
cisco-asa(config-pmap)# exit

Assign to Interface

Finally, the policy-map is applied to an interface using a service-policy.

cisco-asa(config)# service-policy mpf-policy-map interface outside

 

Note around TCP Intercept

When embryonic connection limits are configured, either via MPF or within the NAT statement, TCP Intercept is enabled at the point the threshold is reached. This feature then:

  1. intercepts the initial SYN, preventing it from reaching the backend server, and only forwards the connection once the 3-way handshake is complete,
  2. builds a SYN cookie based on header information within the packet and a password (known only to the ASA), which it uses as the sequence number within the SYN-ACK. This method means no resources (i.e. the connection table) are used to store the half-open connection.
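
The SYN cookie idea described above, as an added example that is not part of the original article and does not reproduce the ASA's actual algorithm. It models the cookie as a truncated HMAC over the connection 4-tuple, the client's initial sequence number and a coarse time counter; the secret, the counter and the sample addresses are assumptions.

```python
import hashlib
import hmac
import socket
import struct

MASK = 0xFFFFFFFF
SECRET = b"constructed-demo-secret"  # assumption: stands in for the ASA-only secret


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter, secret=SECRET):
    """Derive the 32-bit SYN-ACK sequence number from header fields and the secret."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack(
        "!HHII", src_port, dst_port, client_isn & MASK, counter & MASK)
    # Truncate the keyed hash to 32 bits so it fits the TCP sequence number field.
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, counter,
                 secret=SECRET, max_age=1):
    """Validate the handshake-completing ACK using no stored half-open state.

    The client's ACK carries seq = client_isn + 1 and ack = cookie + 1, so both
    inputs can be recovered from the packet and the cookie recomputed.
    """
    client_isn = (ack_seq - 1) & MASK
    cookie = (ack_num - 1) & MASK
    for age in range(max_age + 1):  # current tick and up to max_age earlier ones
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port,
                              client_isn, counter - age, secret)
        if hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", cookie)):
            return True
    return False


def demo():
    flow = ("198.51.100.7", 40000, "203.0.113.10", 443)  # constructed sample flow
    client_isn, counter = 0x1000, 42
    cookie = syn_cookie(*flow, client_isn, counter)
    ack_seq, ack_num = (client_isn + 1) & MASK, (cookie + 1) & MASK
    genuine = validate_ack(*flow, ack_seq, ack_num, counter)
    guessed = validate_ack(*flow, ack_seq, (ack_num + 1) & MASK, counter)  # wrong ack number
    stale = validate_ack(*flow, ack_seq, ack_num, counter + 5)  # cookie too old
    return genuine, guessed, stale


if __name__ == "__main__":
    print(demo())
```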

Note around connection limits

It's also good to know that connection limits applied within a policy map only apply to fully established connections. This means that should one side, such as the attacker, half-close the connection (i.e. with a FIN), these half-closed connections would not count towards the current connection count within MPF, in turn allowing further connections to be sent through the firewall.

This only really presents an issue with poorly built applications, where the server side does not close its side of the connection; in most cases this caveat doesn't present an issue.

Rick Donato
