Cisco ASA 5506-X Configuration Manual page 260
Configure Connection Settings
Protect Servers from a SYN Flood DoS Attack (TCP Intercept)
A SYN-flooding denial of service (DoS) attack occurs when an attacker sends a series of SYN packets
to a host. These packets usually originate from spoofed IP addresses. The constant flood of SYN packets
keeps the server SYN queue full, which prevents it from servicing connection requests from legitimate
users.
You can limit the number of embryonic connections to help prevent SYN flooding attacks. An embryonic
connection is a connection request that has not finished the necessary handshake between source and
destination.
When the embryonic connection threshold of a connection is crossed, the ASA acts as a proxy for the
server and generates a SYN-ACK response to the client SYN request using the SYN cookie method (see
Wikipedia for details on SYN cookies). When the ASA receives an ACK back from the client, it can then
authenticate that the client is real and allow the connection to the server. The component that performs
the proxy is called TCP Intercept.
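The following Python model is an added illustration of the mechanism described above; it is not Cisco code and does not reproduce the ASA's actual TCP Intercept implementation. It counts embryonic connections per protected server, forwards SYNs normally while the count is below the threshold, and once the threshold is crossed answers each SYN with a stateless SYN-ACK whose sequence number is a SYN cookie (an HMAC over the flow, the client's ISN and a time slot). Only a client that returns an ACK carrying that cookie is marked as allowed to reach the server; a spoofed source that never received the SYN-ACK cannot produce it, and no state is spent on it. The secret, the 64-second cookie slot, the threshold of 2 and all addresses are constructed values, and real SYN cookies also encode the MSS, which is omitted here.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: addresses, flags and sequence numbers only."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class TcpInterceptModel:
    """Toy model (not Cisco's implementation) of the proxy behaviour the guide describes."""

    SLOT_SECONDS = 64   # assumed cookie validity window; the previous slot is also accepted

    def __init__(self, threshold: int, secret: bytes, clock=time.time):
        self.threshold = threshold
        self.secret = secret
        self.clock = clock
        self.embryonic = set()     # half-open flows tracked on the normal (non-proxy) path
        self.allowed = set()       # flows that have completed a handshake and may reach the server

    def _slot(self) -> int:
        return int(self.clock()) // self.SLOT_SECONDS

    def _cookie(self, flow: tuple, client_isn: int, slot: int) -> bytes:
        # 32-bit cookie = HMAC over the 4-tuple, the client ISN and the time slot.
        # A host that never received our SYN-ACK cannot produce it, and we store nothing.
        msg = f"{flow}|{client_isn}|{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def _intercepting(self, server: str) -> bool:
        # Embryonic connections are counted per protected server.
        return sum(1 for f in self.embryonic if f[2] == server) >= self.threshold

    def on_syn(self, seg: Segment) -> Optional[Segment]:
        """Return None to forward the SYN to the server, or the proxied SYN-ACK to send back."""
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        if not self._intercepting(seg.dst):
            self.embryonic.add(flow)     # below threshold: server sees the SYN, we just track it
            return None
        cookie = self._cookie(flow, seg.seq, self._slot())
        return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN-ACK",
                       seq=int.from_bytes(cookie, "big"), ack=seg.seq + 1)

    def on_ack(self, seg: Segment) -> bool:
        """True if the client completed a tracked handshake or echoed a valid cookie."""
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        if flow in self.embryonic:
            self.embryonic.discard(flow)
            self.allowed.add(flow)
            return True
        # Proxied flow: our SYN-ACK acknowledged client_isn + 1, so the ACK carries seq = client_isn + 1
        client_isn = seg.seq - 1
        echoed = ((seg.ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        slot = self._slot()
        for s in (slot, slot - 1):
            if hmac.compare_digest(self._cookie(flow, client_isn, s), echoed):
                self.allowed.add(flow)   # real client: the proxy would now open the server side
                return True
        return False                     # no valid cookie: drop, no state was ever allocated


def run_scenario() -> dict:
    """Constructed traffic: two SYNs reach the threshold, the third is proxied."""
    fw = TcpInterceptModel(threshold=2, secret=b"constructed-demo-secret", clock=lambda: 1000.0)
    server = "192.0.2.10"
    r = {}
    r["syn1"] = fw.on_syn(Segment("10.0.0.1", 40000, server, 80, "SYN", seq=100))
    r["syn2"] = fw.on_syn(Segment("10.0.0.2", 40001, server, 80, "SYN", seq=200))
    synack = fw.on_syn(Segment("10.0.0.3", 40002, server, 80, "SYN", seq=300))
    r["synack"] = synack
    # Legitimate client echoes the cookie it was sent.
    r["good_ack"] = fw.on_ack(Segment("10.0.0.3", 40002, server, 80, "ACK",
                                      seq=301, ack=synack.seq + 1))
    # A source that never saw a SYN-ACK sends a guessed acknowledgement number.
    r["bad_ack"] = fw.on_ack(Segment("10.0.0.4", 40003, server, 80, "ACK", seq=401, ack=12345))
    # First client finishes its normally tracked handshake.
    r["tracked_ack"] = fw.on_ack(Segment("10.0.0.1", 40000, server, 80, "ACK", seq=101, ack=5001))
    r["embryonic_left"] = len(fw.embryonic)
    r["allowed"] = len(fw.allowed)
    return r


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the model is where the cost lands: below the threshold the device keeps one entry per half-open connection, which is exactly the resource a flood exhausts; above it, validation costs one HMAC per ACK and nothing per unanswered SYN.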
Cisco ASA Series Firewall CLI Configuration Guide
11-4
• timeout sip-provisional-media hh:mm:ss—The timeout value for SIP provisional media connections, between 0:1:0 and 1193:0:0. The default is 2 minutes.

• timeout sip-invite hh:mm:ss—The idle time after which pinholes for PROVISIONAL responses and media xlates will be closed, between 0:1:0 and 00:30:0. The default is 3 minutes (0:3:0).

• timeout sip-disconnect hh:mm:ss—The idle time after which a SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message, between 0:0:1 and 00:10:0. The default is 2 minutes (0:2:0).

• timeout uauth hh:mm:ss {absolute | inactivity}—The duration before the authentication and authorization cache times out and the user has to reauthenticate the next connection, between 0:0:0 and 1193:0:0. The default is 5 minutes (0:5:0). The default timer is absolute; you can set the timeout to occur after a period of inactivity by entering the inactivity keyword. The uauth duration must be shorter than the xlate duration. Set to 0 to disable caching. Do not use 0 if passive FTP is used for the connection or if the virtual http command is used for web authentication.

• timeout xlate hh:mm:ss—The idle time until a translation slot is freed. This duration must be at least 1 minute. The default is 3 hours.

• timeout tcp-proxy-reassembly hh:mm:ss—The idle timeout after which buffered packets waiting for reassembly are dropped, between 0:0:10 and 1193:0:0. The default is 1 minute (0:1:0).

• timeout floating-conn hh:mm:ss—When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, this timeout lets existing connections be closed so that a connection can be reestablished over the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a value between 0:1:0 and 1193:0:0.

• timeout pat-xlate hh:mm:ss—The idle time until a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want to increase the timeout if upstream routers reject new connections using a freed PAT port because the previous connection might still be open on the upstream device.
Chapter 11
Connection Settings