Case Number K18407732
Title How to configure TCP intercept or block denial of service (DoS) attacks on the PIX Firewall
Core issue Protect internal servers from a denial-of-service (DoS) attack.
Resolution Starting with PIX Software version 5.2, the TCP Intercept feature can help protect internal servers from DoS attacks. This feature allows the user to configure the maximum number of connections allowed to an internal server and the maximum number of embryonic connections (ones that have not completed the TCP three-way handshake) to a server.

If the embryonic connection limit is reached, the PIX responds to every further SYN packet destined for the server with a SYN+ACK of its own and does not pass the SYN packet to the internal server. If the external device then responds with an ACK packet, the PIX knows the request is valid (not part of a SYN attack): it establishes a connection to the server and splices the two connections together. If the PIX does not get that ACK back, it aggressively times out the embryonic connection.

The Max Connection option can also be set. Once this threshold is reached, the PIX does not allow any new connections to the server until the number of active connections drops below the limit.

The syntax for this feature is shown below.

static [(prenat_interface, postnat_interface)] {mapped_address|interface} real_address [dns]
[netmask mask] [norandomseq] [connection_limit [em_limit]]

Example

static (inside, outside) 192.168.1.45 10.1.1.45 netmask 255.255.255.255 0 120

In the above example, the embryonic limit is set to 120 and there is no Max Connection limit set (a value of 0 means no limit). Most Windows platforms allow a maximum of 128 embryonic connections, so when setting the embryonic limit on the static command, use a value lower than the maximum number of embryonic connections the server operating system itself allows.
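The following Python is an added example, not Cisco code and not PIX behaviour reproduced from its source: it parses the static command syntax shown above to extract the two limits, checks the embryonic limit against the server-side cap the article mentions, and models the interception decisions described in the resolution (forward the SYN below the limit, answer with SYN+ACK on the PIX above it, splice on the client's ACK, refuse new connections at the Max Connection limit, time out intercepted half-open entries). The client names, the small limit of 3 used in the scenario and the action codes are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Pattern for the static command as given on this page (assumption: the optional
# keywords appear in the documented order). conn/emb absent or 0 means "no limit".
STATIC_RE = re.compile(
    r"^static\s+\(\s*(?P<pre>\w+)\s*,\s*(?P<post>\w+)\s*\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"(?:\s+dns)?"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
    r"(?:\s+norandomseq)?"
    r"(?:\s+(?P<conn>\d+)(?:\s+(?P<emb>\d+))?)?\s*$"
)


def parse_static(line):
    """Return the addresses and limits carried by a static line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static command: %r" % line)
    return {
        "mapped": m.group("mapped"),
        "real": m.group("real"),
        "conn_limit": int(m.group("conn") or 0),
        "em_limit": int(m.group("emb") or 0),
    }


def em_limit_is_safe(em_limit, server_max=128):
    """True when the PIX limit is set and sits below the server OS's own
    half-open cap (128 on most Windows platforms, per the article). 0 means
    intercept is disabled, so it is reported as unsafe."""
    return 0 < em_limit < server_max


@dataclass
class InterceptState:
    """Simplified model of per-server TCP intercept bookkeeping (constructed)."""
    conn_limit: int
    em_limit: int
    active: set = field(default_factory=set)
    embryonic: dict = field(default_factory=dict)  # client -> "forwarded"|"intercepted"

    @staticmethod
    def _hit(limit, count):
        return limit > 0 and count >= limit

    def on_syn(self, client):
        if self._hit(self.conn_limit, len(self.active)):
            return "drop_conn_limit"          # Max Connection reached: no new sessions
        if client in self.embryonic:
            return "retransmit"               # already tracked, do not count twice
        if self._hit(self.em_limit, len(self.embryonic)):
            self.embryonic[client] = "intercepted"
            return "intercept"                # PIX sends SYN+ACK, SYN not forwarded
        self.embryonic[client] = "forwarded"
        return "forward"                      # below the limit: SYN goes to the server

    def on_ack(self, client):
        mode = self.embryonic.pop(client, None)
        if mode is None:
            return "drop_no_state"
        self.active.add(client)
        # A client that ACKs an intercepted SYN+ACK is genuine: PIX opens the
        # server side and joins the two connections.
        return "splice" if mode == "intercepted" else "complete"

    def on_close(self, client):
        self.active.discard(client)
        self.embryonic.pop(client, None)

    def expire_intercepted(self):
        """Aggressive timeout of intercepted half-open entries that never ACKed."""
        stale = [c for c, m in self.embryonic.items() if m == "intercepted"]
        for c in stale:
            del self.embryonic[c]
        return len(stale)


def simulate_flood(em_limit=3, conn_limit=0):
    """Constructed scenario: a burst of SYNs, one genuine client behind the limit,
    one attacker that never completes. Returns the action taken per event."""
    st = InterceptState(conn_limit, em_limit)
    log = [st.on_syn("c%d" % i) for i in range(4)]  # c0..c2 forwarded, c3 intercepted
    log.append(st.on_ack("c3"))                     # genuine client: splice
    log.append(st.on_syn("c4"))                     # three half-open remain: intercepted
    log.append(st.expire_intercepted())             # c4 never ACKs: timed out (1)
    log.append(st.on_syn("c5"))                     # still at the limit: intercepted
    return log


def conn_limit_scenario():
    """Constructed scenario for the Max Connection option with a limit of 1."""
    st = InterceptState(conn_limit=1, em_limit=0)
    return [st.on_syn("a"), st.on_ack("a"), st.on_syn("b")]


if __name__ == "__main__":
    cfg = parse_static("static (inside, outside) 192.168.1.45 10.1.1.45 "
                       "netmask 255.255.255.255 0 120")
    print(cfg, "safe:", em_limit_is_safe(cfg["em_limit"]))
    print(simulate_flood())
    print(conn_limit_scenario())
```

The model counts intercepted half-open entries toward the embryonic total, which is why interception stays on until the forwarded entries complete or the intercepted ones are expired; that is the behaviour a flood of SYNs without ACKs is meant to run into, while a real client only sees one extra round trip handled by the PIX.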

Problem Type
Currently under attack (security threats, worms & viruses)
Configure
Product Family
Firewall - PIX 500 series
ASA Hardware & Software
Manifestation Performance issue
Security Threats and Attacks Denial of Service (DoS/DDoS)
PIX Software Version
PIX version 5.3
PIX version 6.x
PIX version 7.x
PIX version 5.2
ASA Software Version
7.0
7.1
7.2
PIX Model PIX 500 Series Firewall
ASA Models
ASA 5500
ASA 5510
ASA 5520
ASA 5540
Features & Tasks TCP intercept
Protocol / Ports TCP
Direct URL http://www.ciscotaccc.com/security/showcase?case=K18407732