AIP-SSM 40 and TCP Syn/Ack Attack

Unanswered Question
Aug 28th, 2009


Some of our sites are under constant attack with TCP Syn/Ack, i.e. Syn followed by an Ack and no HTTP Get. Would want the Firewall to hold the traffic until there is a genuine payload. Please help.

Here is the sequence

Attacker sends SYN

Server sends SYN/ACK

Attacker sends ACK

Server waits for the Get

We see 1000s of connections created in a sec.



subra4u Fri, 08/28/2009 - 13:40


Please find the config in the attachment.

Can someone tell me why the CPU goes to 100% when the attack is not even 100 Mbps of traffic? Is the throughput or performance of the ASA the same when it is under attack too?

Thanks in advance.

subra4u Mon, 09/21/2009 - 09:11


I am looking for a good packet generator tool to simulate a TCP Syn attack or DDoS attack. Could someone give me some input on this, please?

Is BackTrack a good tool, or are there any other good tools available?

Thanks in advance.

rhermes Mon, 09/21/2009 - 15:04

You want to configure "TCP Intercept" on your firewall. One reason that a small (100 Mb/s) amount of traffic can saturate your sensor is that these attacks only require very small packets.

Once you start loading down the sensor with hundreds or thousands of attacks per second, the sensor gets pretty busy taking care of all the related functions (writing events to the event store, reporting to a manager, etc.).

Sensor bandwidth sizing is not based on a huge number of attacks per second.
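The handshake-without-request pattern from the original question (SYN, SYN/ACK, ACK, then silence) and the hold-until-payload behaviour that TCP Intercept is meant to provide, modelled in Python as an added example. This is not code or configuration from the thread or from Cisco: the packet events are constructed, the function and class names are my own, and the intercept model is a simplified assumption of how a SYN-proxying firewall behaves (answer the handshake itself, keep an embryonic table, contact the server only once data arrives, expire or refuse entries past a limit).

```python
from collections import defaultdict

# Constructed client->server packet events: (time_s, client_ip, tcp_flags, payload_bytes).
# The 10.1.1.x clients ACK the server's SYN/ACK and then go silent; 192.0.2.10
# is a genuine client that sends an HTTP request after the handshake.
SAMPLE_EVENTS = [
    (0.00, "10.1.1.1", "SYN", 0),
    (0.01, "10.1.1.1", "ACK", 0),
    (0.02, "10.1.1.2", "SYN", 0),
    (0.03, "10.1.1.2", "ACK", 0),
    (0.05, "192.0.2.10", "SYN", 0),
    (0.06, "192.0.2.10", "ACK", 0),
    (0.10, "192.0.2.10", "PSH|ACK", 60),  # "GET / HTTP/1.1 ..." (constructed)
    (1.00, "10.1.1.3", "SYN", 0),
    (1.01, "10.1.1.3", "ACK", 0),
    (1.02, "10.1.1.4", "SYN", 0),
    (1.03, "10.1.1.4", "ACK", 0),
    (1.04, "10.1.1.5", "SYN", 0),
    (1.05, "10.1.1.5", "ACK", 0),
]


def idle_established_per_second(events, idle_timeout=5.0, now=None):
    """Detection: count, per second of handshake completion, connections whose
    client ACKed the SYN/ACK but sent no payload within idle_timeout seconds.
    `now` is the evaluation time; connections still inside the timeout are
    undecided and are not counted."""
    established_at = {}   # client -> time its bare ACK completed the handshake
    first_data = {}       # client -> time of its first payload-carrying segment
    for t, client, flags, payload_len in events:
        if flags == "ACK" and client not in established_at:
            established_at[client] = t
        elif payload_len > 0 and client not in first_data:
            first_data[client] = t
    if now is None:
        now = max(t for t, _, _, _ in events)
    per_second = defaultdict(int)
    for client, t0 in established_at.items():
        data_t = first_data.get(client)
        if data_t is not None and data_t - t0 <= idle_timeout:
            continue  # a real request arrived in time
        if data_t is None and now - t0 < idle_timeout:
            continue  # still within the grace period
        per_second[int(t0)] += 1
    return dict(per_second)


class TcpInterceptModel:
    """Firewall-side model of TCP Intercept (assumed, simplified behaviour):
    the firewall answers the client's SYN and absorbs the ACK itself, keeps the
    connection in an 'embryonic' table, and only opens the server-side
    connection when the client's first data segment arrives. Embryonic entries
    older than embryonic_timeout are dropped without the server ever seeing
    them, and SYNs arriving while the table is full are refused."""

    def __init__(self, embryonic_timeout=5.0, max_embryonic=1000):
        self.embryonic_timeout = embryonic_timeout
        self.max_embryonic = max_embryonic
        self.embryonic = {}   # client -> time of its SYN
        self.forwarded = []   # clients whose connection was handed to the server
        self.expired = []     # clients dropped for never sending data
        self.rejected = 0     # SYNs refused because the embryonic table was full

    def _expire(self, now):
        for client, t0 in list(self.embryonic.items()):
            if now - t0 >= self.embryonic_timeout:
                del self.embryonic[client]
                self.expired.append(client)

    def process(self, t, client, flags, payload_len):
        self._expire(t)
        if flags == "SYN":
            if len(self.embryonic) >= self.max_embryonic:
                self.rejected += 1          # table full: no state allocated at all
            else:
                self.embryonic[client] = t  # firewall sends SYN/ACK; server untouched
        elif payload_len > 0 and client in self.embryonic:
            del self.embryonic[client]
            self.forwarded.append(client)   # genuine payload: now connect to the server
        # a bare ACK needs no action: the firewall already holds the half-open state


def run_intercept(events, embryonic_timeout=5.0, max_embryonic=1000, end_time=10.0):
    """Feed the events through the model and expire leftovers at end_time."""
    fw = TcpInterceptModel(embryonic_timeout, max_embryonic)
    for event in events:
        fw.process(*event)
    fw._expire(end_time)
    return fw


if __name__ == "__main__":
    print("idle established per second:", idle_established_per_second(SAMPLE_EVENTS, now=10.0))
    fw = run_intercept(SAMPLE_EVENTS)
    print("forwarded to server:", fw.forwarded)
    print("expired without data:", fw.expired)
    print("rejected SYNs:", fw.rejected)
```

Running it with the constructed events, only 192.0.2.10 is ever handed to the server; the five silent clients are expired by the firewall. Re-running `run_intercept(SAMPLE_EVENTS, max_embryonic=2)` shows the trade-off behind the sizing remark above: with the embryonic table already full of attacker entries, the genuine client's SYN is refused as well, so the limit and timeout have to be chosen against the observed rate of handshakes per second, not against bandwidth.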

subra4u Mon, 09/21/2009 - 22:41


We have a 1 Gig pipe and we found 30 Mbps of unwanted traffic with a session rate of 150+ Kpps. Do you think an AIP-SSM-40 on an ASA 5540 can stand this kind of attack? Want to know how others mitigate this size of attack. Please share your experience. In the trace we saw a lot of TCP SYN followed by an ACK, whether you send SYN/ACK or don't send it.