Recommended values for synflood and rate limiting

JP_Berlin
Cisco Employee

Hi community,

I have two questions regarding the ISE CLI commands synflood-limit and rate-limit:

  1. I do understand the use case for synflood-limit, since a high number of TCP SYNs is a clear indication of a malicious attack. But what about the use case for rate-limit? ISE inter-node communication? Communication with integrated 3rd-party devices (for example through pxGrid)? Or even access to the ISE portals (Guest, Sponsor...)? I would appreciate it if someone could shed some light on this.
  2. And finally, I am looking for recommended values for the synflood-limit and rate-limit commands (in terms of packets per second). In other words: are there any guidelines on how to avoid an impact on ISE operations?

Cheers!

Accepted Solution

hslai
Cisco Employee

Such settings could impact authentication TPS, especially EAP-TLS. Please use them with caution.

The command synflood-limit takes only a numeric value as the argument, so it applies to all TCP attempts. A similar command, "conn-limit", takes ip and port arguments, so it gives us more choices if we are to implement SYN flood protection on TCP connections. The other command, "rate-limit", also takes ip and port arguments, but it applies to all TCP/UDP/ICMP.


Hello, hslai

I would like to know if maybe you know what the recommended rate is for configuring with the command "rate-limit" for TCP/UDP/ICMP. Right now I'm hardening an ISE deployment, and I've been following this guide https://community.cisco.com/t5/security-documents/ise-security-best-practices-hardening/ta-p/3640651, but I don't know what value the rate limit has to take.

Thank you so much in advance.
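Neither reply gives numbers, and the accepted answer's warning about EAP-TLS throughput is the reason: a limit set below the node's legitimate load throttles authentication. The following is an added example (not Cisco tooling and not code from anyone in this thread) that takes per-packet records from a baseline capture on an ISE node, reports the peak packets per second per protocol/port (the granularity rate-limit and conn-limit take) and for all TCP SYNs combined (what the global synflood-limit applies to), and checks whether a candidate limit would have clipped any second of normal traffic. The record format, sample data and headroom factor are assumptions.

```python
"""Baseline-driven sizing check for ISE synflood-limit / rate-limit values."""
from collections import defaultdict
from math import ceil

# Constructed sample records: (epoch_second, protocol, dst_port, is_tcp_syn).
# A real baseline would be exported from a packet capture taken during a
# busy authentication window; this is only enough data to exercise the logic.
SAMPLE = [
    (100, "udp", 1812, False), (100, "udp", 1812, False), (100, "tcp", 443, True),
    (101, "udp", 1812, False), (101, "tcp", 443, True), (101, "tcp", 443, True),
    (101, "tcp", 443, False),
    (102, "udp", 1812, False), (102, "udp", 1812, False), (102, "udp", 1812, False),
    (102, "tcp", 8443, True),
]


def per_second_counts(records):
    """Packets per second keyed by (protocol, port); TCP SYNs are also
    counted under ("tcp-syn", port) and under ("tcp-syn", "all"), the
    latter matching the global scope of synflood-limit."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, proto, port, syn in records:
        buckets[(proto, port)][ts] += 1
        if proto == "tcp" and syn:
            buckets[("tcp-syn", port)][ts] += 1
            buckets[("tcp-syn", "all")][ts] += 1
    return buckets


def peak_rates(records):
    """Peak packets-per-second observed for each key during the baseline."""
    return {key: max(per_ts.values()) for key, per_ts in per_second_counts(records).items()}


def suggest_limit(peak_pps, headroom=3.0, floor=10):
    """Candidate limit: headroom above the legitimate peak, never below a floor
    (assumed values; tune to the deployment's growth and burst profile)."""
    return max(floor, ceil(peak_pps * headroom))


def seconds_over_limit(records, key, limit):
    """Number of baseline seconds a limit would have clipped; anything above
    zero means the setting would have throttled normal ISE traffic."""
    per_ts = per_second_counts(records).get(key, {})
    return sum(1 for count in per_ts.values() if count > limit)


if __name__ == "__main__":
    for key, peak in sorted(peak_rates(SAMPLE).items(), key=str):
        limit = suggest_limit(peak)
        print(f"{key}: peak {peak} pps -> candidate limit {limit}, "
              f"clipped seconds {seconds_over_limit(SAMPLE, key, limit)}")
```

Run the check against a capture that includes the busiest authentication period, since EAP-TLS multiplies RADIUS round trips per session and the peak is what the limit must clear.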