DDOS/DOS/SYN Attack Mitigation

Unanswered Question
Jul 22nd, 2010

Dear Team,

Can I know the various methods/conf to mitigate DoS/DDoS/SYN attacks through the ASA?

How will we detect that we are under attack? What are the tips and tricks?

Regards,

Manu B.

Kevin Redmon Thu, 07/22/2010 - 13:51

Manu,

As far as DDOS/DOS/SYN attack mitigation goes, there are a few things that the ASA can do to minimize these effects. Leveraging Modular Policy Framework (MPF) and Static NAT configuration, you can limit the amount of TCP connections and embryonic connections on the ASA on a per-host or per-traffic type basis. Also, by using MPF, you can limit an inside host DoSing your network. If you are using an ASA, there is also the BotNet feature that will dynamically detect and react to the traffic, blocking the traffic to the malicious hosts.

To detect a guilty host, one command that I like to use is 'show local | inc host|count/limit'. Guilty hosts on the inside that may have become infected with a virus or malware can also be detected leveraging the BotNet feature.

These tools will assist you in isolating what host is indeed DoSing your network, but this still requires your ASA to process the packet - taking valuable bandwidth (traffic and CPU-wise) away from legitimate traffic. Once you identify the guilty host, you can then call your ISP or upstream router manager and have them "blackhole" the guilty host. Here are a few useful links in ASA 8.2:

Modular Policy Framework:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

BotNet:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html

If this helps, please be sure to mark this question as answered for others' benefit as well.

Best Regards,

Kevin
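Added example (not from Kevin's post or from Cisco's documentation): an ASA 8.2 configuration showing the two ways of enforcing the limits described above, the MPF form and the static NAT form, plus the commands used to see which host is consuming the connection budget. The addresses (10.0.0.2 inside, 198.51.100.10 mapped), the interface names and the limit values are constructed; real thresholds come from a baseline of normal traffic to the server.

```cisco
! Added illustration for ASA 8.2 (not from the thread). Addresses and limits
! are constructed: 10.0.0.2 is a web server on the inside interface, published
! as 198.51.100.10 on the outside interface.

! --- Option A: Modular Policy Framework (limits per traffic class) ---
! Matches every TCP connection to port 80 arriving on the outside interface.
class-map WEB_INBOUND
 match port tcp eq www
!
policy-map WEB_POLICY
 class WEB_INBOUND
  ! Ceilings for the whole class: total connections and embryonic
  ! (half-open) connections. Once embryonic-conn-max is reached the ASA
  ! completes the handshake on the server's behalf (TCP Intercept) and only
  ! hands over connections whose client actually finishes the handshake.
  set connection conn-max 2000 embryonic-conn-max 500
  ! Per-source-address ceilings, which is what catches one flooding host
  ! (including an infected inside host, when applied to inside traffic).
  set connection per-client-max 50 per-client-embryonic-max 10
  ! Half-open connections that never complete are dropped after 30 seconds.
  set connection timeout embryonic 0:00:30
!
service-policy WEB_POLICY interface outside

! --- Option B: the same ceilings carried on the 8.2-style static NAT ---
! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask tcp max_conns emb_limit
! This form has no per-client limits and no separate class; MPF is the
! more flexible of the two.
static (inside,outside) 198.51.100.10 10.0.0.2 netmask 255.255.255.255 tcp 2000 500

! --- Finding the host that is eating the budget ---
! show local-host lists, per host, the TCP flow count against its limit and
! the embryonic count to that host; the filter keeps just those lines.
show local-host | include host|count/limit
! The detail form of show conn prints the legend for the flag letters
! (U = up, B = initial SYN from outside, I/O = inbound/outbound data, and so on).
show conn detail
```

With option A, a host that exceeds per-client-embryonic-max shows up in `show local-host` with its embryonic count pinned at the limit while legitimate clients keep getting connections, which is the point of limiting per client rather than only per server.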

manuadoor Thu, 07/22/2010 - 14:59

After reading MPF, I feel that it's the same as the max conn (TCP and UDP) and embryonic limit with static NAT conf; is there any advantage in having it with a policy map?

Apart from this, can I know the explanation of the flags which we get at the end of the "sh conn" command? For example,

TCP outside 130.76.32.144:51430 inside 10.0.0.2:80, idle 0:00:02, bytes 59750, flags UfFrIOB

In this, what does "UfFrIOB" mean? Can I have a doc on this?

After all, how will we decide the type of attack, if it is an attack?

Panos Kampanakis Thu, 07/22/2010 - 15:45

Threat detection is also a feature that collects statistics about attacks that might help.

I hope it helps.

PK
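Added example (not from PK's post or from Cisco's documentation): an ASA 8.2 threat detection configuration that turns the "are we under attack?" question into syslog events and counters. The rate values and the excepted management address 10.0.0.50 are constructed; the thresholds need tuning against your own traffic baseline, and the TCP Intercept statistics only populate once embryonic limits (via MPF or static NAT) are in place.

```cisco
! Added illustration for ASA 8.2 (not from the thread). Rates and addresses
! are constructed values.

! Basic threat detection: system-wide drop-rate monitoring for SYN attacks,
! ACL denies, connection-limit drops, scanning and more. Exceeding a rate
! produces syslog %ASA-4-733100.
threat-detection basic-threat
! Override the default SYN-attack thresholds (rate-interval is in seconds,
! rates are drops per second averaged over the interval / in a burst).
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

! Scanning threat detection: track attacker and target hosts and shun the
! attacker automatically. The except clause protects a management station
! from being shunned by its own vulnerability scans.
threat-detection scanning-threat shun except ip-address 10.0.0.50 255.255.255.255
threat-detection scanning-threat shun duration 3600

! Statistics: per host, per port, per protocol, and TCP Intercept counters
! (rate-interval here is in minutes).
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

! Reading the results
show threat-detection rate                        ! which drop categories are over rate
show threat-detection statistics host             ! per-host sent/received/dropped counters
show threat-detection statistics top tcp-intercept ! servers under SYN attack, attacker sources
show threat-detection shun                        ! hosts currently shunned
```

The TCP Intercept top list is the most direct answer to the "what type of attack" question for SYN floods: it names the targeted server and the source addresses driving the embryonic count, which is the information you pass upstream for blackholing.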
