How to stop DDOS attack on Web Server

Jun 1st, 2010


One of our customers' web servers is hosted with us, and it sits behind the ASA and IPS with a standard IPS configuration. I have also enabled some signatures related to IIS and DDoS. The website is constantly under DDoS attack from various IP addresses; each single IP address, with different source ports, is opening more than 20 sessions at a time to the web server and consuming the server's resources and bandwidth, and the IPS is not able to detect this. I have also enabled NetFlow on the ASA for this server, and the NetFlow report shows normal traffic with different source IP addresses and ports. The web server is constantly under attack even when it is placed with another DSP/ISP.

Is there an option I need to configure in the IPS or ASA to stop this? The IPS signature set is the latest update.



Panos Kampanakis Wed, 06/02/2010 - 17:24

There are DDoS signatures in the IPS. You might need to tune them depending on the attack.

Also, you can set embryonic connection limits on the ASA if the connections the attackers open are half-open.

I hope it helps a little.


aijaz802 Sat, 06/05/2010 - 00:31


Thanks for the info. I have set per-client-embryonic-max and per-client-max to 5 with a proper policy-map and class-map, but I don't know whether it's in effect or not. Is there any way to see the hits for this?

I have enabled all the default DDoS and web server related high-risk signatures, but none of them seems to hit. I created a new Service HTTP signature with Max Header Field Length set to 20 and Maximum Request Field Length set to 20; it has stopped 50% of the hits for this server, but it is also stopping access to some other web servers. Is there any way I can enable this signature only for a particular web server instead of all traffic going through the IPS?



Panos Kampanakis Sat, 06/05/2010 - 05:45

For the first question, you can do "sh service-policy" to see the statistics.

You can enable a signature for certain hosts using a filter.

I hope it helps.
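As an added illustration (not posted by either participant), this is an ASA configuration fragment of the kind aijaz802 describes, limiting per-client TCP connections to one protected server, followed by the check Panos suggests. The server address 192.0.2.10, the ACL and class/policy names, and the interface name "outside" are assumed values.

```text
! Added example: ASA per-client connection limits for a single web server.
! Assumed values: server 192.0.2.10, external interface "outside".
access-list WEBSRV_LIMIT extended permit tcp any host 192.0.2.10 eq www
!
class-map WEBSRV_CLASS
 match access-list WEBSRV_LIMIT
!
policy-map WEBSRV_POLICY
 class WEBSRV_CLASS
  ! Limit each source IP to 5 total and 5 half-open (embryonic) TCP
  ! connections to this server; 0 (the default) means no limit.
  set connection per-client-max 5 per-client-embryonic-max 5
!
! Only one service-policy can be applied per interface; if a policy is
! already attached to "outside", add WEBSRV_CLASS to that policy instead.
service-policy WEBSRV_POLICY interface outside
!
! Verify the policy is applied and read the connection-limit counters:
! show service-policy interface outside
```

The counters shown for the class confirm whether the limits are actually being enforced for traffic to that server.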


aijaz802 Sat, 06/05/2010 - 06:24

Would you please elaborate on the filter? I couldn't find any option in the signature to do filtering, except rules0/eventactionfilters, which is not related here.

Scott Fringer Sat, 06/05/2010 - 12:11

You can make use of an event action filter (EAF) to remove the desired actions for the signature in question. You can find out more about event action rules, including event action filters, here:

You could also configure your signature to only fire when a specific IP address (or collection of IP addresses) is the victim.


