Monitoring syn attacks in contexts – Cisco ASA 5505 User Manual

5-33

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 5 Configuring Multiple Context Mode

Monitoring Security Contexts

The following is sample output from the show resource usage summary command, which shows the
resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.

hostname# show resource usage summary

Resource Current Peak Limit Denied Context

Syslogs [rate] 1743 2132 N/A

0 Summary

Conns 584 763 280000(S)

0 Summary

Xlates 8526 8966 N/A

0 Summary

Hosts 254 254 N/A

0 Summary

Conns [rate] 270 535 N/A

1704 Summary

Inspects [rate]

270 535 N/A

0 Summary

S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage summary command, which shows the
limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then
the combined limit is 125. The system limit is only 100, so the system limit is shown.

hostname# show resource usage summary

Resource Current Peak Limit

Denied

Context

Telnet 1 1

100[S]

0

Summary

SSH

2

2

100[S]

0

Summary

Conns 56

90

N/A

0

Summary

Hosts 89

102

N/A

0

Summary

S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits. The
counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate
how many times the resource was denied due to the system limit, if available.

hostname# show resource usage system counter all 0

Resource Current Peak Limit Denied

Context

Telnet 0 0 100 0

System

SSH 0 0 100 0

System

ASDM 0 0 32 0

System

Syslogs [rate] 1 18 N/A 0

System

Conns 0 1 280000 0

System

Xlates 0 0 N/A 0

System

Hosts 0 2 N/A 0

System

Conns [rate] 1 1 N/A 0

System

Inspects [rate]

0 0 N/A 0

System

Monitoring SYN Attacks in Contexts

The ASA prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to
prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually
originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue
full, which prevents it from servicing connection requests. When the embryonic connection threshold of
a connection is crossed, the ASA acts as a proxy for the server and generates a SYN-ACK response to
the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate
the client and allow the connection to the server.

Monitor SYN attacks using the following commands: