3.5 Ensure DOS protection is enabled for untrusted interfaces

Information

Determines the maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client that can be accepted on the outside interface

Rationale:

Limiting the number of connections protects from a DoS attack. The ASA uses the per-client limits and the embryonic connection limits to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1: Acquire the enterprise standard values for maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client

Step 2: Run the following to configure the class to identify the traffic on which DOS protection should be performed.

hostname(config)# class-map <class_name>
hostname(config-cmap)# match any

Step 3: Run the following to configure the policy that will determine the maximum connections to be applied on the class previously configured

hostname(config)# policy-map <policy_name>
hostname(config-pmap)# class <class_name>
hostname(config-pmap-c)# set connection conn-max <enterprise_max_number>
hostname(config-pmap-c)# set connection embryonic-conn-max <enterprise_max_number>
hostname(config-pmap-c)# set connection per-client-embryonic-max <enterprise_max_number>
hostname(config-pmap-c)# set connection per-client-max <enterprise_max_number>

The enterprise_max_number parameter is to be taken between 0 and 65535.

Step 4: Run the following to apply the policy previously configured on the untrusted

hostname(config-pmap-c)# service-policy <policy_name> interface <untrusted_interface_name>

Default Value:

The default maximum value is 0 meaning there is no limitation

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: beb1f677ebb8b0e0ef499608d818ff5e02d8f8e9ee84186abde5df2c3c52d3a5