Hi all,
I am looking for recommendations on how to prevent a repeat of a recent episode on one of the networks I support.
PIX 515E running 6.3(3) unrestricted. 3 inside networks: DMZ1, DMZ2, and Inside. All inside networks use a 172.16.x.x IP address space. The physical medium for all inside networks is switched 100 Mbps Ethernet. Outside connects to a dual bonded T1 via a Cisco 2600.
Inside has the highest security level. Then DMZ1 and DMZ2.
An old Linux web server on DMZ2 not under our direct control (and probably never will be because of political reasons) gets compromised through a PHP hack and causes a SYN flood. That results in the PIX hitting 98% CPU utilization, and it stops responding to requests from other inside networks, resulting in a DoS to the other inside networks. Packets were being dumped at the DMZ2 interface at 70-80 Mbps. The embryonic connection limit feature doesn't help here because it cannot be applied for outside NAT. And even if it did work it wouldn't help in this case, because the embryonic connection limit does nothing to protect the PIX against high CPU utilization.
What are my options if all I have is this one PIX to work with? Force the DMZ2 interface to 10BaseT? That may help with the CPU utilization, but what about my 3 Mbps WAN pipe? Any other way to do rate limiting? Is PIX OS 7 the answer?
Thanks,
Shahid
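The part of this incident that is easy to automate is finding which DMZ host is sourcing the flood, so it can be isolated before the firewall CPU saturates. The following is an added example, not code from the poster or from Cisco: it assumes packet summaries in a constructed (timestamp, src, dst, dport, flags) tuple format such as a capture tool on the DMZ2 segment could export, and the rate and unanswered-SYN thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample capture of one DMZ2 segment (172.16.x.x space as in the post).
# Tuples are (seconds, src_ip, dst_ip, dst_port, tcp_flags); "S" = bare SYN, "SA" = SYN-ACK.
def constructed_capture():
    pkts = []
    # Benign web client: five SYNs, each answered by the server.
    for i in range(5):
        pkts.append((0.2 * i, "172.16.2.10", "198.51.100.7", 80, "S"))
        pkts.append((0.2 * i + 0.05, "198.51.100.7", "172.16.2.10", 80, "SA"))
    # Compromised host: 600 SYNs in one second sprayed at 254 addresses, none answered.
    for i in range(600):
        pkts.append((0.5 + i / 600, "172.16.2.50", f"203.0.113.{i % 254 + 1}", 80, "S"))
    return pkts


def peak_syn_rate(packets, window=1.0):
    """Return {src_ip: highest count of bare SYNs seen in any window-second bucket}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _dport, flags in packets:
        if flags == "S":
            buckets[src][int(ts // window)] += 1
    return {src: max(per_bucket.values()) for src, per_bucket in buckets.items()}


def unanswered_ratio(packets):
    """Return {src_ip: fraction of SYN targets that never sent a SYN-ACK back}.

    A flood looks like many targets and almost no replies; a busy but legitimate
    client still gets answers from most of the hosts it contacts.
    """
    targets = defaultdict(set)
    replied = defaultdict(set)
    for _ts, src, dst, _dport, flags in packets:
        if flags == "S":
            targets[src].add(dst)
        elif flags == "SA":
            replied[dst].add(src)  # SYN-ACK travels back toward our host (dst)
    return {src: 1 - len(dsts & replied[src]) / len(dsts) for src, dsts in targets.items()}


def flag_flooders(packets, rate_threshold=100, ratio_threshold=0.9, window=1.0):
    """Sources that both exceed the SYN rate and get almost no SYN-ACKs (assumed thresholds)."""
    rates = peak_syn_rate(packets, window)
    ratios = unanswered_ratio(packets)
    return sorted(s for s in rates if rates[s] >= rate_threshold and ratios[s] >= ratio_threshold)


if __name__ == "__main__":
    print("suspected SYN flood sources:", flag_flooders(constructed_capture()))
```

Requiring both a high SYN rate and a high unanswered ratio keeps a legitimately busy server from being flagged alongside the compromised host.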