DDOS attack

melwin.uk · ‎04-27-2010

Hi

what steps are needed to protect Internet Routers from DDOS attack,

ip address is changing everytime, so ACL is not helpful.

Setup

Internet_rtr----------------LoadBalancer-------------------Firewall----------LAN------Server

### On ASA Error ###

##################

%ASA-4-419002: Duplicate TCP SYN from outside:10.10.10.3/8681 to inside:10.10.10.16/80 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from outside:10.10.10.3/35341 to inside:10.10.10.16/80 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from outside:10.10.10.3/59579 to inside:10.10.10.16/80 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from outside:10.10.10.3/18660 to inside:10.10.10.16/80 with different initial sequence number
%ASA-4-419002: Duplicate TCP SYN from outside:10.10.10.3/44346 to inside:10.10.10.16/80 with different initial sequence number

Giuseppe Larosa · ‎04-27-2010

Hello Melwin,

TCP intercept feature can be of help in this case:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Hope to help

Giuseppe

melwin.uk · ‎04-27-2010

thank you for replying Mr. Giuseppe

Can you input with best practise for (#) in the folllowing lines, I dont have any experience to put numbers.

If you got any recommendtion do input

access-list 101 permit tcy any 10.10.10.16 0.0.0.255
ip tcp intercept list 101

ip tcp intercept mode intercept

ip tcp intercept drop-mode random

ip tcp intercept watch-timeout (#) ( What are best practise figure for watch-timeout & the follows )
ip tcp intercept finrst-timeout seconds (#)
ip tcp intercept connection-timeout seconds (#)
ip tcp intercept max-incomplete low number (#)
ip tcp intercept max-incomplete high number (#)