DDOS/DOS/SYN Attack Mitigation

manuadoor
Level 1

Dear Team,

Can I know the various methods/conf to mitigate DOS/DDOS/SYN attacks through the ASA?

How will we detect that we are under attack? What are the tips and tricks?

Regards,

Manu B.

4 Replies

Kevin Redmon
Cisco Employee

Manu,

As far as DDOS/DOS/SYN attack mitigation goes, there are a few things that the ASA can do to minimize these effects. Leveraging Modular Policy Framework (MPF) and Static NAT configuration, you can limit the number of TCP connections and embryonic connections on the ASA on a per-host or per-traffic-type basis. Also, by using MPF, you can limit an inside host from DoSing your network. If you are using an ASA, there is also the BotNet feature that will dynamically detect and react to the traffic, blocking the traffic to the malicious hosts.

To detect a guilty host, one command that I like to use is 'show local | inc host|count/limit'. Guilty hosts on the inside that may have become infected with a virus or malware can also be detected by leveraging the BotNet feature.

These tools will assist you in isolating which host is indeed DoSing your network, but this still requires your ASA to process the packet, taking valuable bandwidth (traffic- and CPU-wise) away from legitimate traffic. Once you identify the guilty host, you can then call your ISP or upstream router manager and have them "blackhole" the guilty host. Here are a few useful links in ASA 8.2:

Modular Policy Framework:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

BotNet:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html

If this helps, please be sure to mark this question as answered for others' benefit as well.

Best Regards,

Kevin

After reading MPF, I feel that it's the same as the max conn (tcp and udp) and embryonic limit with static nat conf. Is there any advantage in having it with a policy map?

Apart from this, can I know the explanation of the flags which we get at the end of the "sh conn" command? For example,

TCP outside 130.76.32.144:51430 inside 10.0.0.2:80, idle 0:00:02, bytes 59750, flags UfFrIOB

In this, what does "UfFrIOB" mean? Can I have a doc on this?

After all, how will we decide the type of attack, if it is an attack?

I believe the policy-map configuration adds more control over the connection limit (i.e. limiting with access-lists).

As for the flags, this should help you out

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1396672

Threat detection is also a feature that collects statistics about attacks that might help.

I hope it helps.

PK
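For the flags question and the "how do we detect an attack" question above, an added example (not part of the original thread, and not Cisco code): a Python sketch that decodes the TCP flags on a `sh conn` line and counts inbound half-open connections per inside target. The flag meanings are a subset of the legend the ASA prints with `show conn detail`; the function names, threshold and the half-open heuristic are assumptions made for this example.

```python
import re
from collections import Counter

# Subset of the TCP flag legend printed by "show conn detail".
FLAGS = {
    "U": "up", "B": "initial SYN from outside",
    "f": "inside FIN", "F": "outside FIN",
    "r": "inside acknowledged FIN", "R": "outside acknowledged FIN",
    "I": "inbound data", "O": "outbound data",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "s": "awaiting outside SYN", "S": "awaiting inside SYN",
}
HANDSHAKE = set("aAsS")  # any of these means the 3-way handshake is unfinished

CONN_RE = re.compile(
    r"^TCP\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<p2>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\w+)\s*$")

def decode_flags(flags):
    """Translate each flag letter; letters outside the subset are reported as-is."""
    return [FLAGS.get(c, "other (%s)" % c) for c in flags]

def parse_conn(line):
    m = CONN_RE.match(line.strip())
    return m.groupdict() if m else None

def is_half_open(flags):
    # Heuristic (assumption): no 'U' yet and still waiting on part of the handshake.
    return "U" not in flags and bool(HANDSHAKE & set(flags))

def half_open_by_target(lines, threshold):
    """Count inbound ('B') half-open connections per inside ip:port."""
    counts = Counter()
    for line in lines:
        c = parse_conn(line)
        # Assumes the second address is the inside host, as in the thread's sample.
        if c and "B" in c["flags"] and is_half_open(c["flags"]):
            counts[(c["ip2"], int(c["p2"]))] += 1
    return {t: n for t, n in counts.items() if n >= threshold}

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = ["TCP outside 130.76.32.144:51430 inside 10.0.0.2:80, idle 0:00:02, bytes 59750, flags UfFrIOB"]
SAMPLE += ["TCP outside 203.0.113.%d:40000 inside 10.0.0.2:80, idle 0:00:01, bytes 0, flags SaAB" % i
           for i in range(1, 5)]
SAMPLE += ["TCP outside 198.51.100.7:443 inside 10.0.0.5:51000, idle 0:00:00, bytes 0, flags saA",
           "TCP outside 198.51.100.9:33000 inside 10.0.0.3:25, idle 0:00:01, bytes 0, flags aB"]

if __name__ == "__main__":
    print(decode_flags("UfFrIOB"))
    print(half_open_by_target(SAMPLE, threshold=3))
```

A target whose half-open count keeps climbing while its established ('U') connections stay flat is the pattern the embryonic connection limits discussed above are meant to cap.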
