
I have a Cisco ASA 5510 (ASA Version 8.3(2)) that has been getting a SYN flood attack on it (or more accurately through it - targeting a host behind it) a couple of times a day for the past few days. The Internet connection itself is decent and it does not appear to fully saturate the line, but instead what seems to be happening is the CPU goes to 100% and nearly all valid traffic gets dropped.

The attacks appear to be using randomized spoofed IPs - source addresses do not repeat at all.

I've followed the instructions here to enable a connection max and a max for embryonic connections. Exact commands used were:

fw1(config)# class-map CONNS
fw1(config-cmap)# match any
fw1(config)# policy-map CONNS
fw1(config-pmap)# class CONNS
fw1(config-pmap-c)# set connection timeout embryonic 0:0:5
fw1(config)# service-policy CONNS global

(The theory being that the max connections would trigger whatever threat response the ASA has - or at least prevent the CPU from spinning out and locking the device up. And the lower connection timeout should of course make it stop keeping track of bogus TCP connections earlier and hopefully lower the count of what it needs to keep track of.)

However, this seemed to make no difference when the next attack came. Connections still max out overall (and CPU still 100% too):

fw1# show conn count
130000 in use, 130001 most used

So I set up a test with a server I have and was able to get this test scenario:

Linux test attacker:

(iptables configured to drop anything back from ASA)
# sudo hping2 -i u2000 -S -p 80 RE.DA.CT.ED

ASA:

fw1# show threat-detection statistics host RE.DA.CT.ED
Current monitored hosts:11991  Total not monitored hosts:28657651
                          Average(eps)    Current(eps) Trigger      Total events
Host:RE.DA.CT.ED: tot-ses:2993977 act-ses:6493 fw-drop:0 insp-drop:0 null-ses:2979635 bad-acc:0
  20-min Recv attack:             1227             492      43           1473050
  1-hour Sent byte:               6281             260       0          22611776
  1-hour Sent pkts:                142               5       0            513064
  1-hour Recv byte:              33377           11439       0         120159833
  1-hour Recv pkts:                834             285       0           3002986

When I run the hping2 command, it increments the act-ses:6493 part. show conn count also shows the overall connection count increasing.

After a bit in the ASA log I do get messages like this:

[   RE.DA.CT.ED] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 84 per second, max configured rate is 5; Cumulative total count is 101750
TCP Intercept SYN flood attack detected to RE.DA.CT.ED/80 (RE.DA.CT.ED/80). Burst rate of 820 SYNs/sec exceeded the threshold of 400.

However, from what I can tell the total connection count keeps increasing - even after it detects the SYN flood. Also I notice that the fw-drop count on the threat-detection statistics is always zero.

With all that, my specific questions are:

1) Is there a way to know for sure that whatever "SYN cookie" support the ASA has is enabled (for a specific target IP or globally or any context that would be useful)?

2) If SYN cookies are activated - it should no longer count these SYN packets against the act-ses count for that IP or against the overall connection count, correct?

3) Is there any obvious error in my configuration above or key thing I seem to be missing?

EDIT: 3 days later, still no idea. Any input appreciated.
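As an added illustration (not part of the original question or any Cisco tooling), the script below parses the two syslog formats and the "show threat-detection statistics host" line quoted above and flags the exact symptom described: TCP Intercept reports a SYN flood, yet act-ses keeps climbing while fw-drop stays at zero. All addresses and counter values are constructed sample data.

```python
import re

# Constructed sample lines, modelled on the syslog messages and the
# "show threat-detection statistics host" output quoted in the question.
SYSLOG = [
    "[   203.0.113.10] drop rate-1 exceeded. Current burst rate is 0 per second, "
    "max configured rate is 10; Current average rate is 84 per second, "
    "max configured rate is 5; Cumulative total count is 101750",
    "TCP Intercept SYN flood attack detected to 203.0.113.10/80 (203.0.113.10/80). "
    "Burst rate of 820 SYNs/sec exceeded the threshold of 400.",
]
# Two snapshots of the per-host line, taken a minute apart (constructed values).
STATS_BEFORE = "Host:203.0.113.10: tot-ses:2993977 act-ses:6493 fw-drop:0 insp-drop:0 null-ses:2979635 bad-acc:0"
STATS_AFTER = "Host:203.0.113.10: tot-ses:3010120 act-ses:8120 fw-drop:0 insp-drop:0 null-ses:2995700 bad-acc:0"

SYN_FLOOD_RE = re.compile(
    r"TCP Intercept SYN flood attack detected to (?P<host>[\d.]+)/(?P<port>\d+).*"
    r"Burst rate of (?P<burst>\d+) SYNs/sec exceeded the threshold of (?P<thr>\d+)")
HOST_STATS_RE = re.compile(
    r"Host:(?P<host>[\d.]+): tot-ses:(?P<tot>\d+) act-ses:(?P<act>\d+) fw-drop:(?P<fw_drop>\d+)")


def syn_flood_events(lines):
    """Return (host, port, burst, threshold) for each TCP Intercept detection message."""
    out = []
    for line in lines:
        m = SYN_FLOOD_RE.search(line)
        if m:
            out.append((m["host"], int(m["port"]), int(m["burst"]), int(m["thr"])))
    return out


def host_stats(text):
    """Parse the Host: line of the threat-detection output into integer counters."""
    m = HOST_STATS_RE.search(text)
    if not m:
        raise ValueError("no Host: line found")
    return {"host": m["host"], "tot_ses": int(m["tot"]),
            "act_ses": int(m["act"]), "fw_drop": int(m["fw_drop"])}


def assess(lines, before, after):
    """Flag hosts where a SYN flood was detected but the ASA is not shedding load:
    active sessions still climbing and fw-drop unchanged at zero between snapshots."""
    findings = []
    b, a = host_stats(before), host_stats(after)
    for host, port, burst, thr in syn_flood_events(lines):
        if host == a["host"] and a["act_ses"] > b["act_ses"] and a["fw_drop"] == b["fw_drop"] == 0:
            findings.append(f"{host}:{port}: SYN flood {burst}/s (threshold {thr}) detected, but "
                            f"act-ses rose {b['act_ses']}->{a['act_ses']} with fw-drop still 0; "
                            "TCP Intercept is reporting the flood but not dropping connections")
    return findings
```

Running assess(SYSLOG, STATS_BEFORE, STATS_AFTER) on the sample data produces one finding; a second snapshot identical to the first produces none.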

  • I'm running into the same issue in one of my environments. Sorry there wasn't much of a response here. – ewwhite Mar 18 '16 at 20:39

1 Answer


I wonder if you could've been experiencing this - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa2 (I realise the difference in timeframe however there have been many of these types of advisories over the years) Hope this helps...