Question regarding a DDOS attack

Unanswered Question
Sep 22nd, 2009


I am having a very ugly problem :-(

I have a 10MB Internet connection going through a 7206, then two ASAs in failover and then a Cisco CSS with a cluster of 3 web servers that receive constant HTTP transactions. The web servers hold a single web page with a single public IP address that is under attack.

I have a Netflow Analizer showing thousands of HTTP connections (valid HTTP connections, getting a 200 ok response from the web server)... but trying to reach an unexistent directory.

Thousands and thousands of these connections from thousands of different IP addresses. (Besides all the valid HTTP transactions)

My ISP is telling me that since all the HTTP requests are valid, there's no way for them to ''block'' this attack.

I am thinking about an IPS Sensor, creating a signature that blocks that traffic specifically, but if the directory or the attack changes, we need to constantly modify the signatures...

We've tried the Cisco Traffic Anomaly Detector and Guard and it did not detect the traffic as an attack!

Can somebody point me out in the right direction for an approach to this situation?

Best Regards,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Mon, 09/28/2009 - 02:14

First you need to analyze those source IPs (use Whois), sometimes one changes the structure of their website and the search engine bots (e.g. google) keep referencing the old pages. What I mean to say is that, its not always an 'attack'. Check the source IPs of the HTTP requests!

Your web-server should return the correct HTTP response code (404) for the search engines to remove your pages from their index (This is true even in normal circumstances).

If its a legitimate attack, you can block it both at the ASA or at the IPS Level. However this sort of functionality is better achieved through Application Firewalls (WAF).

Have a look at:

Please rate if helpful.



vasile.borcan Sat, 05/15/2010 - 17:22


You should find Andrisoft's new product called WANGuard extremly useful just for that. We use it to detect DDoS attacks using NetFlow and mitigate them.


Vasile Borcan


This Discussion