Mitigating DoS attacks on a Cisco ASA
In this example we configure the Modular Policy Framework (MPF) to define a range of connection limits. This provides a basic means of protecting your environment against DoS attacks.
First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 188.8.131.52 whilst inspecting all other traffic.
cisco-asa(config)# access-list mpf-policy-acl extended deny ip host 184.108.40.206 any
cisco-asa(config)# access-list mpf-policy-acl extended permit ip any any
Next we assign the previously created access-list to a class-map.
cisco-asa(config)# class-map mpf-policy
cisco-asa(config-cmap)# match access-list mpf-policy-acl
Then a policy-map is created and the necessary connection limits defined.
cisco-asa(config)# policy-map mpf-policy-map
cisco-asa(config-pmap)# class mpf-policy
cisco-asa(config-pmap-c)# set connection conn-max 9500
cisco-asa(config-pmap-c)# set connection embryonic-conn-max 5000
cisco-asa(config-pmap-c)# set connection per-client-embryonic-max 100
cisco-asa(config-pmap-c)# set connection per-client-max 75
Assign to Interface
Finally, the policy map is applied to an interface using a service-policy.
cisco-asa(config)# service-policy mpf-policy-map interface outside
Note around TCP Intercept
When embryonic connection limits are configured, either via MPF or within the NAT statement, TCP Intercept is enabled at the point the threshold is reached. This feature then:
- intercepts the initial SYN so that it does not reach the backend server, and only forwards the connection once the 3-way handshake is complete,
- builds a SYN cookie based on header information within the packet and a password (known only to the ASA), which it uses as the sequence number within the SYN-ACK. This method means no resources (i.e. the connection table) are used to store the half-open connection.
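The SYN cookie idea described above, as an added Python example that is not part of the original article and is not the ASA's actual algorithm. The HMAC-SHA256 construction, the 27-bit/5-bit split, the time slot and the sample flow are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

SECRET = os.urandom(32)  # assumption: per-device secret that never leaves the firewall
MASK32 = 0xFFFFFFFF

def make_cookie(src, sport, dst, dport, client_isn, slot):
    """Return the SYN-ACK sequence number for a SYN; nothing is stored."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHII", sport, dport, client_isn, slot)
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    # Upper 27 bits: keyed hash of the header fields. Lower 5 bits: time slot.
    return (mac & 0xFFFFFFE0) | (slot & 0x1F)

def ack_is_valid(src, sport, dst, dport, seq, ack, now_slot, max_age=2):
    """Validate the final ACK of the handshake by recomputing the cookie."""
    cookie = (ack - 1) & MASK32      # ACK number = our SYN-ACK sequence + 1
    client_isn = (seq - 1) & MASK32  # client sequence = its initial sequence + 1
    for age in range(max_age + 1):
        slot = now_slot - age
        if slot < 0:
            break
        expected = make_cookie(src, sport, dst, dport, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True  # handshake proven; only now would state be created
    return False

def demo():
    # Constructed sample flow using documentation addresses, not from the article.
    flow = ("198.51.100.7", 40000, "203.0.113.10", 443)
    client_isn, slot = 0x1000, 10
    cookie = make_cookie(*flow, client_isn, slot)
    seq, ack = client_isn + 1, (cookie + 1) & MASK32
    return {
        "genuine": ack_is_valid(*flow, seq, ack, now_slot=slot),
        "guessed": ack_is_valid(*flow, seq, ack ^ 0x100, now_slot=slot),
        "expired": ack_is_valid(*flow, seq, ack, now_slot=slot + 5),
    }

if __name__ == "__main__":
    print(demo())
```

Only a client that actually received the SYN-ACK can return a matching ACK, so the half-open connection costs the firewall a hash computation rather than a connection table entry.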
Note around connection limits
It is also good to know that connection limits applied within a policy map only count fully established connections. Should one side half-close the connection (i.e. with a FIN), such as the attacker, these half-closed connections are not included in the current connection count within MPF, which in turn allows further connections to be sent through the firewall.
This only really presents an issue with poorly built applications, where the server side does not close its side of the connection; in most cases this caveat doesn't present an issue.