
Troubleshooting syn flood attacks


Post by chicagotech » Mon Jun 01, 2015 10:54 am

Situation: The has one Windows Server 2008 as a Remote Desktop server. Recently, the remote users keep having a problem accessing the server because the port is blocked. RDP is enabled and they can log in if the user tries a couple of times. After the user logs in, he/she doesn't have any issues and can keep the remote session forever. It is not a network connectivity issue because a continuous ping receives 100% replies. Whenever the port is blocked, our monitor sends this alert: "Connection to remote server on port 3389 failed with err=0". We have disabled the Windows firewall and Symantec Endpoint Protection, but that doesn't make any difference.

Troubleshooting: This is a SYN flood attack. Here is the information on how to stop a SYN flood attack using the ASA:

http://www.cisco.com/c/en/us/td/docs/se ... imits.html

What we did was configure the maximum number of connection sessions, 5 in our example:

config t
! Match TCP traffic to the two servers
access-list tcp-syn permit tcp any host 10.0.0.132
access-list tcp-syn permit tcp any host 10.0.0.155
class-map tcp-syn
 match access-list tcp-syn

! Limit each client to 5 embryonic (half-open) connections
policy-map global_policy
 class tcp-syn
  set connection per-client-embryonic-max 5

Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6670
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: Troubleshooting syn flood attacks

Post by chicagotech » Mon Jun 01, 2015 11:04 am

Alternatively, you can create an ACL allowing just the public IP addresses of your clients when connecting to the servers, so that only your clients can connect to them and the hackers are blocked.

This should be the syntax:

access-list <name of the access list being used on the outside> line 1 permit tcp host x.x.158.186 host 10.0.0.132
access-list <name of the access list being used on the outside> line 2 permit tcp host x.x.158.186 host 10.0.0.155

And so forth.

After you are done with the rest of the IP addresses, you have to deny any host.
Example:

access-list <name of the access list being used on the outside> line 50 permit tcp host x.x.80.82 host 10.0.0.155
access-list <name of the access list being used on the outside> line 51 deny tcp any host 10.0.0.155
access-list <name of the access list being used on the outside> line 51 deny tcp any host 10.0.0.132


Re: Troubleshooting syn flood attacks

Post by chicagotech » Mon Jun 01, 2015 11:10 am

Since most remote users use dynamic IP addresses, it is not practical to add the clients' public IP addresses to the ASA firewall. Another resolution is to block the malicious IPs. To do that, please follow these instructions.

1. Whenever the issue happens, get the following output from the ASA:

show local-host conn tcp 300 | inc host|count/limit

Or, on the Windows server, from the output of netstat, get the list of hosts that show just SYN_RECEIVED.

2. These are the commands. 158.48.152.51 is the malicious IP, and 10.0.0.132 and 10.0.0.155 are the private IPs.

access-list <name of the access list being used on the outside> line 1 deny tcp host 158.48.152.51 host 10.0.0.132
access-list <name of the access list being used on the outside> line 2 deny tcp host 158.48.152.51 host 10.0.0.155

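The netstat check in step 1 of the last post, as an added Python example that is not part of the original posts: it counts SYN_RECEIVED entries per remote IP for port 3389 and renders deny entries in the syntax shown in the posts. The netstat sample is constructed, the function names are hypothetical, and the threshold of 5 half-open connections is an assumption borrowed from the per-client-embryonic-max value in the first post.

```python
import re
from collections import Counter

# One netstat row: TCP, local ip:port, remote ip:port, state (IPv4 only).
ROW = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):\d+\s+(\S+)")

def half_open_by_client(netstat_text, port=3389):
    """Count SYN_RECEIVED (half-open) connections to `port`, per remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port and m.group(4) == "SYN_RECEIVED":
            counts[m.group(3)] += 1
    return counts

def suspects(counts, limit=5):
    """Remote IPs holding more than `limit` half-open connections, worst first."""
    return [ip for ip, n in counts.most_common() if n > limit]

def deny_lines(ips, servers,
               acl="<name of the access list being used on the outside>"):
    """Render deny entries in the syntax used in the posts, numbered from line 1."""
    pairs = [(ip, srv) for ip in ips for srv in servers]
    return [f"access-list {acl} line {i} deny tcp host {ip} host {srv}"
            for i, (ip, srv) in enumerate(pairs, start=1)]

# Constructed sample (not captured data); remote IPs are RFC 5737
# documentation addresses. One client holds 12 half-open RDP connections.
SAMPLE = "\n".join(
    ["  Proto  Local Address      Foreign Address      State         PID",
     "  TCP    0.0.0.0:3389       0.0.0.0:0            LISTENING     1234",
     "  TCP    10.0.0.132:3389    198.51.100.7:50112   ESTABLISHED   1234",
     "  TCP    10.0.0.132:3389    198.51.100.8:50200   SYN_RECEIVED  1234",
     "  TCP    10.0.0.132:445     203.0.113.9:40999    SYN_RECEIVED  4"]
    + [f"  TCP    10.0.0.132:3389    203.0.113.9:{40000 + i}    SYN_RECEIVED  1234"
       for i in range(12)])

if __name__ == "__main__":
    counts = half_open_by_client(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip:15} {n} half-open")
    for line in deny_lines(suspects(counts), ["10.0.0.132", "10.0.0.155"]):
        print(line)
```

A single half-open entry, such as the one from 198.51.100.8 in the sample, is normal during a handshake, which is why the example only reports clients above the threshold.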

