I put 40000 for max_conns and 100 for emb_limit. I haven't got any hard
evidence that this is the best way for a webserver, but it works ;)
emb_limit just limits how many connections are held that have not completed
the TCP 3-way handshake, thereby stopping SYN attacks from reaching the
server. Once emb_limit is reached, subsequent attempts are dropped until
timeout is reached on other held connections. Subsequent connections from
that source IP will be dropped to keep it from keeping emb_limit full.
Otherwise you'd have a DOS of your own making just from setting this value.
If you wanted to truly set this at realistic values you would have to do
some testing to see what normal embryonic connection values you have during
peak hours under normal circumstances. Just my way of thinking, but I'd add
about 50% - 200% to that value just in case you get a sudden influx of
legitimate users trying to access the server. Keep an eye on log files for
the server (assuming it's a web server and you log this information). In
IIS and Apache it will tell you how many users dropped connection, gave up
before it loaded, etc if you have a log file analyzer (I use ANALOG - it's
free). Obviously setting this too low could make end users fairly angry.
;)
Again, IMHO, max_conns should be set to whatever you believe the max # of
simultaneous users your server can handle. The only way to get a true
feeling for what this is would be to download some software to test the
limits of your server. I know there are some free ones out there but I
haven't used any myself. Web development took care of that for me. ;)
Sooo...umm...I guess you could say there really isn't an answer that applies
to everyone. Obviously someone like yahoo.com would have much higher
numbers on both settings compared to Joe Blow's web page on raising
hamsters.
Did I help? Confuse? Either way I accomplished something on only 1 cup of
coffee ;) (by the way, that's a disclaimer for any inadvertent idiotic
comments made above). The opinions of my fingers and tired brain are not
necessarily my own.
Allen
----- Original Message -----
From: "Bill Carter"
To:
Sent: Thursday, August 30, 2001 7:53 PM
Subject: PIX static command and em_limit - SYN attack [7:17994]
> I am installing a PIX. In the static commands the last switch is for the
> limit on embryonic connects.
>
> static (DMZ,outside) X.X.X.15 192.168.1.13 netmask 255.255.255.255 0 0
> Every sample configuration I have seen leaves this value at 0. I hate to
> bring logic into this but, logic tells me that I would want to put a limit
> on embryonic sessions to protect against SYN attacks. What is a reasonable
> limit to put on this balancing security and availability? 20, 100, 500?
>
> What value do you use in real world implementations???
>
>
> From CCO: watch the wrap.
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid1006867
>
> The embryonic connection limit. An embryonic connection is one that has
> started but not yet completed. Set this limit to prevent attack by a flood
> of embryonic connections. The default is 0, which means unlimited
> connections
>
>
> ^-^-^-^-^-^-^-^-^-^-^
> Bill Carter
> CCIE 5022
> ^-^-^-^-^-^-^-^-^-^-^
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18104&t=17994
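Turning the thread's advice into numbers, as an added example that is not part of the original thread or of any Cisco tooling: it sizes emb_limit from constructed peak-hour samples with the 50%-200% headroom Allen suggests, fills both trailing limits into the static line from Bill's message, and runs a toy model of the drop-until-timeout behaviour Allen describes (a constructed SYN timeline; the model follows his description, not the PIX's actual algorithm).

```python
"""Sizing emb_limit from measured peak-hour half-open counts plus headroom, as
the thread suggests, and a toy model of what the limit does. Added example, not
from the thread or from Cisco: the model follows the thread's description
(SYNs dropped while the table is full; slots freed on completion or timeout)."""
import math

# Constructed: embryonic-connection counts polled once a minute at peak hour.
PEAK_HOUR_SAMPLES = [12, 18, 25, 31, 40, 38, 44, 52, 47, 35, 29, 22]

def recommend_emb_limit(samples, headroom=1.0):
    """Peak observed half-open count plus headroom (0.5 = +50%, 2.0 = +200%)."""
    if not samples:
        raise ValueError("need at least one sample")
    return math.ceil(max(samples) * (1 + headroom))

def static_line(max_conns, emb_limit, global_ip="X.X.X.15", local_ip="192.168.1.13"):
    """The thread's static command with the two trailing limits filled in."""
    return (f"static (DMZ,outside) {global_ip} {local_ip} "
            f"netmask 255.255.255.255 {max_conns} {emb_limit}")

def simulate(events, emb_limit, timeout=30.0):
    """events: (time, 'syn'|'ack', conn_id). Returns (completed, dropped).
    emb_limit=0 means unlimited, as on the PIX."""
    half_open, completed, dropped = {}, 0, 0
    for t, kind, cid in sorted(events):
        for stale in [c for c, ts in half_open.items() if t - ts >= timeout]:
            del half_open[stale]          # embryonic timeout frees the slot
        if kind == "syn":
            if emb_limit and len(half_open) >= emb_limit:
                dropped += 1              # table full: SYN dropped
            else:
                half_open[cid] = t
        elif kind == "ack" and cid in half_open:
            del half_open[cid]            # handshake completed
            completed += 1
    return completed, dropped

def flood_scenario(n_flood=40):
    """Constructed timeline: SYNs that never complete, five legitimate
    clients during the flood and five more after the 30 s timeout."""
    ev = [(i * 0.1, "syn", f"flood{i}") for i in range(n_flood)]
    for i in range(5):
        ev += [(5 + i, "syn", f"early{i}"), (5.5 + i, "ack", f"early{i}")]
        ev += [(40 + i, "syn", f"late{i}"), (40.5 + i, "ack", f"late{i}")]
    return ev

if __name__ == "__main__":
    limit = recommend_emb_limit(PEAK_HOUR_SAMPLES)
    print(static_line(40000, limit))      # static (DMZ,outside) ... 40000 104
    for lim in (0, 20, limit):            # unlimited, too low, sized
        print(lim, simulate(flood_scenario(), lim))
```

With the limit set below the flood size, the legitimate clients arriving during the flood are dropped too until the held entries time out, which is the "DoS of your own making" Allen warns about when the value is set below measured demand.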