
SYNfloods and PIX


wallace (Technical User), Jun 14, 2001
Does anyone know if the PIX has any built-in security controls to lessen the impact of Denial of Service attacks? If so, is there anything one can do to configure or adjust these controls? Thanks.
 
SYNs are sent by a peer trying to open a TCP session on a device. The PIX doesn't accept SYNs on its outside interface. It just drops them. The only way you get in to a PIX from the outside is via IPSec. The PIX is listening on the outside on the IPSec ports.

 
Berford:

I'm afraid I wasn't clear enough. (Sorry about that.) Actually, I'm asking about controls the PIX may have to protect servers that are on the inside from SYN flood attacks emanating from the outside. For example, Checkpoint has a capability that they call SYNDefender that does this through either a more passive or active intervention.

Thanks
 
static [(internal_if_name, external_if_name)] {tcp|udp}
{<global_ip>|interface} <global_port>
<local_ip> <local_port> [netmask <mask>]
[<max_conns> [<emb_limit>]]

Works well only in PIX 6.
Put a non-zero value in <max_conns> and <emb_limit>,
and the PIX will intercept SYN attacks.
Beware when you choose the values.
I put 40000 for max_conns and 100 for emb_limit.
 
Expanding on what 8dstaicu posted, the embryonic (emb) limit is the number of connections that have not yet completed the TCP 3-way handshake that the PIX allows. The connection (conn) limit is the actual number of connections. These are both arguments to the static command.

How they are set depends on the capabilities of the server behind the PIX. I've found the PIX defaults are low for an average Linux / Apache server.
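To make the two limits discussed above concrete, here is an added Python model of what a static with non-zero max_conns and emb_limit does to a server behind it; it is an illustration written for this thread, not Cisco code, and it follows the syntax posted above for a line such as `static (inside,outside) tcp 192.0.2.10 80 10.1.1.10 80 netmask 255.255.255.255 40000 100` (addresses are documentation examples, not from the thread). The model assumes what the replies call "intercept" works like SYN cookies: once the embryonic count reaches emb_limit the firewall answers SYN-ACK itself without keeping state, and only opens the server-side connection when the client's final ACK carries a valid cookie. It treats 0 as "no limit", which is why the thread tells you to use non-zero values. Client addresses and the flood itself are constructed inline.

```python
"""Toy model of how a PIX-style static's max_conns and emb_limit protect a server.

Added illustration for this thread, not Cisco code.  Clients are strings like
"198.51.100.7:40001" (constructed addresses); packets are handled one at a time
as (client, flag, cookie) where flag is "SYN", "ACK" (the client's final
handshake ACK) or "FIN", and cookie is the value echoed from the SYN-ACK.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

SECRET = os.urandom(16)  # fresh per run; any key only the firewall knows will do


def syn_cookie(client: str) -> int:
    """32-bit stateless cookie bound to the client, standing in for the
    initial sequence number TCP intercept puts in its own SYN-ACK."""
    mac = hmac.new(SECRET, client.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


@dataclass
class Static:
    max_conns: int  # <max_conns>: half-open + established the server may hold (0 = no limit)
    emb_limit: int  # <emb_limit>: half-open connections allowed to reach the server (0 = no limit)
    embryonic: set = field(default_factory=set)    # SYN forwarded; server holds half-open state
    established: set = field(default_factory=set)  # handshake complete on the server
    dropped: int = 0

    def server_load(self) -> int:
        return len(self.embryonic) + len(self.established)

    def _room_on_server(self) -> bool:
        return self.max_conns == 0 or self.server_load() < self.max_conns

    def handle(self, client: str, flag: str, cookie: Optional[int] = None) -> str:
        if flag == "SYN":
            return self._syn(client)
        if flag == "ACK":
            return self._ack(client, cookie)
        if flag == "FIN":
            self.embryonic.discard(client)
            self.established.discard(client)
            return "closed"
        raise ValueError(f"unknown flag {flag!r}")

    def _syn(self, client: str) -> str:
        if client in self.embryonic or client in self.established:
            return "retransmit"                 # already tracked, nothing new to allocate
        if not self._room_on_server():
            self.dropped += 1
            return "dropped"                    # hard ceiling: the server holds nothing more
        if self.emb_limit == 0 or len(self.embryonic) < self.emb_limit:
            self.embryonic.add(client)
            return "forwarded"                  # below emb_limit: the server sees the raw SYN
        return "intercepted"                    # at emb_limit: firewall answers SYN-ACK itself, keeps no state

    def _ack(self, client: str, cookie: Optional[int]) -> str:
        if client in self.embryonic:
            self.embryonic.remove(client)       # normal handshake completing on the server
            self.established.add(client)
            return "established"
        if cookie == syn_cookie(client) and self._room_on_server():
            self.established.add(client)        # client proved it is reachable; open server side now
            return "established"
        self.dropped += 1
        return "dropped"                        # spoofed source or forged cookie


def simulate_flood(spoofed: int, emb_limit: int, max_conns: int = 40000) -> dict:
    """Send `spoofed` SYNs that never ACK, then let one real client connect.
    Returns what the server ended up holding and how the real client fared."""
    st = Static(max_conns=max_conns, emb_limit=emb_limit)
    for i in range(spoofed):                    # constructed spoofed sources, unique port per SYN
        st.handle(f"203.0.113.{i % 250 + 1}:{20000 + i}", "SYN")
    real = "198.51.100.7:40001"
    syn_result = st.handle(real, "SYN")
    ack_result = st.handle(real, "ACK", syn_cookie(real))
    return {
        "half_open_on_server": len(st.embryonic),
        "established": len(st.established),
        "real_syn": syn_result,
        "real_ack": ack_result,
        "dropped": st.dropped,
    }


if __name__ == "__main__":
    print("emb_limit 0   :", simulate_flood(5000, emb_limit=0))    # server eats every half-open SYN
    print("emb_limit 100 :", simulate_flood(5000, emb_limit=100))  # server holds at most 100
```

Running it shows the trade-off the last two replies describe: with emb_limit 0 a 5000-packet flood leaves 5000 half-open connections on the server, and if max_conns alone is set low enough to stop that (say 3000) the legitimate client is simply dropped along with the flood; with emb_limit 100 the server never holds more than 100 half-open connections, the rest are answered statelessly by the firewall, and the real client still completes its handshake. That is why the values have to be sized to the server rather than copied from someone else's config.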
 