Stacy,
The max connections argument (max_conns) to the nat or static command defines the maximum number of connections permitted through the nat or static at the same time.

The embryonic connection limit (em_limit) of a nat or static connection defines the number of embryonic connections, where an embryonic connection is defined as one that has started but not yet completed (i.e. no three-way handshake). This limit is set so as to prevent attack by a flood of embryonic connections. The default is 0, which means allow unlimited connections.
PIX v5.2 got the TCP Intercept feature. Prior to version 5.2, PIX Firewall offered no mechanism (other than max_conns or em_limit) to protect systems reachable via nat or a static and TCP conduit from TCP SYN attacks. Prior to v5.2, if an embryonic connection limit was configured in a static command statement, PIX Firewall simply dropped new connection attempts once the embryonic threshold was reached. Given this, a modest attack could stop an institution's Web traffic. For static command statements without an embryonic connection limit, PIX Firewall passes all traffic. If the affected system does not have TCP SYN attack protection (most host operating systems do not offer sufficient protection) then the affected system's embryonic connection table overloads and all traffic stops.
With the new TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, PIX Firewall responds on behalf of the server with an empty SYN/ACK segment. PIX Firewall retains pertinent state information, drops the packet, and waits for the client's acknowledgement. If the ACK is received, then a copy of the client's SYN segment is sent to the server and the TCP three-way handshake is performed between PIX Firewall and the server. If, and only if, this three-way handshake completes may the connection resume as normal. If the client does not respond during any part of the connection phase, then PIX Firewall retransmits the necessary segment using exponential back-offs.
This feature requires no change to the PIX Firewall command set, only that the embryonic connection limit on the static command now has a new behavior.

In order to check to make sure this feature is working correctly you need to look at the "show xlate" and "show local-host" commands. You can use this information to determine what is happening at your own PIX and adjust the values accordingly.
The show xlate command displays the contents of only the translation slots ("xlate" means translation slot):

show xlate
Global <global_ip> Local <local_ip> static nconns <value> econns <value>

There is a command "clear xlate" which clears all the xlate slots in PIX. Use this command carefully, as all xlates then need to be rebuilt.
show local-host

The show local-host command lets you view the network states of local hosts. Local hosts are any hosts on the same subnet as an internal PIX Firewall interface (not the outside interface). Hosts beyond the next hop routers are not affected by this command.

This command lets you show the translation and connection slots for the local hosts, or stop all traffic on these hosts (via clear local-host). This command provides information for hosts configured with the nat 0 command when normal translation and connection states may not apply.

Note: Clearing the network state of a local host (clear local-host) stops all connections and xlates associated with the local hosts.
Examples

The following is sample output from the show local-host command:

show local-host 10.1.1.15
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
Xlate(s):
PAT Global 172.16.3.200(1024) Local 10.1.1.15(55812)
PAT Global 172.16.3.200(1025) Local 10.1.1.15(56836)
PAT Global 172.16.3.200(1026) Local 10.1.1.15(57092)
PAT Global 172.16.3.200(1027) Local 10.1.1.15(56324)
PAT Global 172.16.3.200(1028) Local 10.1.1.15(7104)
Conn(s):
TCP out 192.150.49.10:23 in 10.1.1.15:1246 idle 0:00:20 Bytes 449 flags UIO
TCP out 192.150.49.10:21 in 10.1.1.15:1247 idle 0:00:10 Bytes 359 flags UIO

The xlate describes the translation slot information and the Conn is the connection state information.
Regards,
Brian
At 12:10 AM 5/30/2001 +0000, Stacy Williams wrote:
>Date: Tue, 29 May 2001 14:57:33 -0700
>From: Stacy Williams <[EMAIL PROTECTED]>
>Subject: Preventing TCP Flood Attacks on PIX (Configuring Embryonic Connection Limits)
>
>We presently have a PIX Firewall version 5.2(3) configured with unlimited embryonic connections (currently set to a value of 0), and unlimited max count connections (currently set to a value of 0), all set by a previous firewall Admin. According to the PIX manual, configuring the firewall without either value set leaves us susceptible to certain TCP SYN attacks. I'm trying to gauge where other PIX users currently have their values set so as to not interfere with ongoing internal processes (i.e., mail, etc.).
>
>Any suggestions?
>
>Thanks,
>
>Stacy M. Williams
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
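Added example (not part of either message above): a small parser for the "show local-host" output format Brian quotes, which pulls out the conn/limit and embryonic/limit counters per host and classifies each host the way his explanation describes (limit 0 means no embryonic limit and no intercept; otherwise intercept is active once the embryonic count reaches the limit). The sample text is a constructed copy of the output in the message, with the wrapped "flags UIO" rejoined to its line.

```python
import re

# Constructed sample, copied from the show local-host output quoted above.
SAMPLE_LOCAL_HOST = """\
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
Xlate(s):
PAT Global 172.16.3.200(1024) Local 10.1.1.15(55812)
PAT Global 172.16.3.200(1025) Local 10.1.1.15(56836)
Conn(s):
TCP out 192.150.49.10:23 in 10.1.1.15:1246 idle 0:00:20 Bytes 449 flags UIO
TCP out 192.150.49.10:21 in 10.1.1.15:1247 idle 0:00:10 Bytes 359 flags UIO
"""

# Header line: "local host: <ip>, conn(s)/limit = N/L, embryonic(s)/limit = N/L"
HOST_RE = re.compile(
    r"local host: <(?P<ip>[\d.]+)>, "
    r"conn\(s\)/limit = (?P<conns>\d+)/(?P<conn_limit>\d+), "
    r"embryonic\(s\)/limit = (?P<econns>\d+)/(?P<em_limit>\d+)"
)


def parse_local_host(text):
    """Return one dict per local host with its counters, xlates and conns."""
    hosts, cur, section = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
            cur["xlates"], cur["conn_lines"] = [], []
            hosts.append(cur)
            section = None
        elif line.startswith("Xlate(s):"):
            section = "xlates"
        elif line.startswith("Conn(s):"):
            section = "conn_lines"
        elif cur is not None and section and line.strip():
            cur[section].append(line.strip())
    return hosts


def assess(host):
    """Classify per the message: 0 = unlimited, so no intercept protection;
    otherwise TCP intercept engages once econns reaches em_limit."""
    if host["em_limit"] == 0:
        return "unprotected"
    if host["econns"] >= host["em_limit"]:
        return "intercepting"
    return "protected"
```

Run it against a full "show local-host" capture to list which hosts still carry a 0 embryonic limit, which is the state Stacy describes.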