One of our long-standing server hosting customers was having an issue whereby his server was being locked up by an overloaded Apache process. The attacker was simply connecting to the server and then not issuing any HTTP commands, so whilst all the Apache children were ‘taken’, nothing was showing in the logs. The load average was climbing into the high 50s and then, when we eventually managed to log in, a restart of Apache sorted it out – until the next time. Nearly all of our hosted servers sit behind Cisco ASA devices, so the obvious solution was to leverage the power of the ASA. We decided that the best option was to limit the number of TCP connections any single IP address could make. For good measure we also limited the number of embryonic (half-open) TCP connections. Here’s how to do it:
1. Classify the traffic with a class map and access list.
access-list CUSTOMERA-TRAFFIC extended permit ip any host CustomerA-IP
class-map CONNECTIONS
 match access-list CUSTOMERA-TRAFFIC
2. Create a policy map to define what you want.
policy-map CONNECTION-POLICY
 class CONNECTIONS
  set connection per-client-max 20 per-client-embryonic-max 10
3. Attach the policy map to a suitable interface.
service-policy CONNECTION-POLICY interface OUTSIDE
Service policies can be added to any interface, but there can be only one per interface. There is also a global service policy, which is enabled by default. We chose to attach our policy to the outside interface. So how do you know if it’s working?
ASA# show service-policy interface OUTSIDE

Interface OUTSIDE:
  Service-policy: CONNECTION-POLICY
    Class-map: CONNECTIONS
      Set connection policy: per-client-max 20 per-client-embryonic-max 10
        current conns 2, drop 96
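Watching that drop counter by hand gets old quickly. The following is an added example (not from the original post or from Cisco): it parses two snapshots of the show service-policy output in the format quoted above and reports how many connections the policy refused between polls, which is the simplest sign that the limit is doing its job. The two snapshots are constructed sample text, and the exact output layout is assumed to match the one shown in the post.

```python
import re

# Constructed snapshots modelled on the output quoted in the post;
# the counter values are made up for this example.
SNAPSHOT_BEFORE = """\
Interface OUTSIDE:
  Service-policy: CONNECTION-POLICY
    Class-map: CONNECTIONS
      Set connection policy: per-client-max 20 per-client-embryonic-max 10
        current conns 2, drop 96
"""

SNAPSHOT_AFTER = """\
Interface OUTSIDE:
  Service-policy: CONNECTION-POLICY
    Class-map: CONNECTIONS
      Set connection policy: per-client-max 20 per-client-embryonic-max 10
        current conns 19, drop 340
"""

# One class-map block: name, the configured limits, then the counters line.
CLASS_RE = re.compile(
    r"Class-map:\s+(?P<cls>\S+)[ \t]*\n"
    r"\s*Set connection policy:(?P<limits>[^\n]*)\n"
    r"\s*current conns (?P<conns>\d+), drop (?P<drops>\d+)"
)
LIMIT_RE = re.compile(r"(per-client(?:-embryonic)?-max)\s+(\d+)")


def parse_service_policy(text):
    """Return {class_name: {"limits": {...}, "conns": int, "drops": int}}."""
    result = {}
    for m in CLASS_RE.finditer(text):
        limits = {k: int(v) for k, v in LIMIT_RE.findall(m.group("limits"))}
        result[m.group("cls")] = {
            "limits": limits,
            "conns": int(m.group("conns")),
            "drops": int(m.group("drops")),
        }
    return result


def new_drops(before, after, cls="CONNECTIONS"):
    """Connections refused by the policy between two polls.

    The ASA drop counter only grows until it is cleared, so a smaller
    value in the later snapshot means it was reset in between.
    """
    b = parse_service_policy(before)[cls]["drops"]
    a = parse_service_policy(after)[cls]["drops"]
    return a - b if a >= b else a


if __name__ == "__main__":
    print(parse_service_policy(SNAPSHOT_BEFORE))
    print("new drops since last poll:", new_drops(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Feed it the output of the same show command captured on a schedule (for example via SSH) and alert when new_drops stays above zero, which means clients are still hitting the per-client limits.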
Could this be improved? Probably! We could be more selective with the traffic types, perhaps matching only web traffic rather than all traffic. There are also other connection limits that can be applied, such as the total number of connections and embryonic connections across all clients. The same class-map and policy-map method is also great for limiting bandwidth usage with the ASA’s QoS features.