Monitoring SYN Attacks in Contexts - Cisco FirePOWER ASA 5500 series Configuration Manual

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
6-20

Resource              Current         Peak      Limit        Denied Context
Xlates                   8526         8966      N/A               0 Summary
Hosts                     254          254      N/A               0 Summary
Conns [rate]              270          535      N/A            1704 Summary
Inspects [rate]           270          535      N/A               0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage summary command, which shows the limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, the combined limit is 125. The system limit is only 100, so the system limit is shown.

hostname# show resource usage summary
Resource              Current         Peak      Limit        Denied Context
Telnet                      1            1      100[S]            0 Summary
SSH                         2            2      100[S]            0 Summary
Conns                      56           90      N/A               0 Summary
Hosts                      89          102      N/A               0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the resource usage for all contexts but shows the system limit instead of the combined context limits. The counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate how many times the resource was denied due to the system limit, if available.

hostname# show resource usage system counter all 0
Resource              Current         Peak      Limit        Denied Context
Telnet                      0            0      100               0 System
SSH                         0            0      100               0 System
ASDM                        0            0      32                0 System
Syslogs [rate]              1           18      N/A               0 System
Conns                       0            1      280000            0 System
Xlates                      0            0      N/A               0 System
Hosts                       0            2      N/A               0 System
Conns [rate]                1            1      N/A               0 System
Inspects [rate]             0            0      N/A               0 System

Monitoring SYN Attacks in Contexts

The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets, usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.

You can monitor the rate of attacks for individual contexts using the show perfmon command. You can monitor the amount of resources being used by TCP Intercept for individual contexts using the show resource usage detail command, and the resources being used by TCP Intercept for the entire system using the show resource usage summary detail command.

The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin.

hostname/admin# show perfmon
Context:admin
PERFMON STATS:                  Current      Average
Xlates                              0/s          0/s
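The show resource usage output above is the raw material an operator would feed into monitoring. The following is an added example, not code from the Cisco guide: it parses that column layout (the [S] flag, N/A limits, "[rate]" resource names) and flags rows with denials, rows where the system limit caps the combined context limits, and peaks close to a hard limit. The sample text is constructed from the page's own summary output plus the Conns [rate] row with 1704 denials from the summary detail table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the page's "show resource usage summary" rows, plus the
# "Conns [rate]" row with 1704 denials from the summary detail table on the same page.
SAMPLE = """\
Resource              Current         Peak      Limit        Denied Context
Telnet                      1            1      100[S]            0 Summary
SSH                         2            2      100[S]            0 Summary
Conns                      56           90      N/A               0 Summary
Hosts                      89          102      N/A               0 Summary
Conns [rate]              270          535      N/A            1704 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
"""
# One data row: name (optionally "<name> [rate]"), Current, Peak, Limit (number with
# optional [S] flag, or N/A), Denied, Context. Header, footnote and prompt lines never match.
ROW = re.compile(r"^(?P<name>\S+(?: \[rate\])?)\s+(?P<cur>\d+)\s+(?P<peak>\d+)\s+"
                 r"(?P<limit>N/A|\d+)(?P<sys>\[S\])?\s+(?P<denied>\d+)\s+(?P<ctx>\S+)\s*$")

@dataclass
class ResourceRow:
    name: str
    current: int
    peak: int
    limit: Optional[int]   # None when the appliance prints N/A
    system_capped: bool    # True when [S] marks the system limit as the effective one
    denied: int
    context: str

def parse_resource_usage(text: str) -> List[ResourceRow]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        limit = None if m["limit"] == "N/A" else int(m["limit"])
        rows.append(ResourceRow(m["name"], int(m["cur"]), int(m["peak"]), limit,
                                m["sys"] is not None, int(m["denied"]), m["ctx"]))
    return rows

def findings(rows: List[ResourceRow], peak_ratio: float = 0.8) -> List[str]:
    # Rows worth alerting on: denials, system-capped limits, peaks near a hard limit.
    out = []
    for r in rows:
        if r.denied:
            out.append(f"{r.name}: {r.denied} denied ({r.context})")
        if r.system_capped:
            out.append(f"{r.name}: combined context limits exceed system limit {r.limit}")
        if r.limit and r.peak >= peak_ratio * r.limit:
            out.append(f"{r.name}: peak {r.peak} within {round(peak_ratio * 100)}% of limit {r.limit}")
    return out
```

Run on the page's sample, the parser reports the two [S]-capped rows and the 1704 denied Conns [rate] row; the peak check only fires for resources that have a numeric limit.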