Can a Cisco ASA 5500 protect against a DDoS attack - SYN flood?

Unanswered Question
Sep 2nd, 2010

Dear All,


Does anyone know whether a Cisco ASA 5510 or 5520 can protect against a DDoS attack and SYN flood?

I have a problem with this, so how can I protect against it? Sometimes I see something like this in my log:

"sync flood " or "ddos to xxx.xxx.xxx.xxx" (the IP address is random).


Please help me solve this issue.


Best Regards,

Rechard

abinjola Fri, 09/03/2010 - 00:51
User Badges:
  • Cisco Employee,

Hi, you can do a couple of things like:

a) Use the embryonic limit and TCP connection limit in the static xlate

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

b) Use the set connection conn-max or set connection per-client-max option

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395814


Or if you have an SSM then you can enable the SYN DoS flood signature, which will take care of this


hth

--regards

rechard_hk Fri, 09/03/2010 - 01:42

Dear abinjola,


Thank you for your help!!!


I'm not clear about the links that you sent to me!!!

Could you let me know more than this?

Anyway, could I ask you whether a Cisco router can block a DDoS attack - SYN flood or not?

I have a Cisco 3845 router; if it can, please let me know the command to block it.


Thanks again!!!


Best Regards,

Rechard

abinjola Fri, 09/03/2010 - 02:36
User Badges:
  • Cisco Employee,

Hi Rechard,


Those ASA links basically describe mitigation techniques on the ASA. For example, if you are using static then you may limit the total number of connections/embryonic connections:

static (intf1,intf2) x.x.x.x x.x.x.x tcp <max conns> [<embryonic limit>]


Also, using MPF (as described in the other link) you may configure the per-client-max, conn-max or embryonic-conn-max options etc., which set how many connections from one specific client, or how many total connections to a specific web server, the ASA would allow. Example:

hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50


On the ASA, if you have an SSM module then you may enable signatures as well to mitigate DoS/DDoS/SYN flood. Alternatively, on the router you may configure IOS FW and set the following options:

ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0


let me know in case you need some more details
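A complete configuration that ties together the two ASA options listed above (the per-static limit and the MPF set connection options), as an added example that is not part of the thread or of Cisco's documentation. It assumes the ASA 8.0-era syntax the linked references describe (the static form and ACL addressing changed in 8.3), interfaces named inside and outside, a web server at 192.0.2.10 published as 203.0.113.10, and illustrative limit values; in pre-8.3 code an ACL evaluated on the outside interface uses the mapped address, which is why the ACL below matches 203.0.113.10.

```text
! Added example, not from the thread. ASA 8.0-era syntax.
! Assumed: interfaces inside/outside, server 192.0.2.10 mapped to
! 203.0.113.10, and all limit values are illustrative.

! Option a) per-static limits: at most 1000 TCP connections and
! 100 embryonic (half-open) connections through this translation.
static (inside,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 tcp 1000 100

! Option b) MPF applied on the outside interface: match the server,
! then cap total and per-client connection counts and shorten the
! time a half-open connection is allowed to sit.
access-list WEB_SERVER extended permit tcp any host 203.0.113.10 eq www
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER
policy-map OUTSIDE_POLICY
 class WEB_SERVER_CLASS
  set connection conn-max 600 embryonic-conn-max 50
  set connection per-client-max 20 per-client-embryonic-max 5
  set connection timeout embryonic 0:00:30
service-policy OUTSIDE_POLICY interface outside

! Verification: embryonic counts per host and policy hit counters.
show conn count
show local-host 192.0.2.10
show service-policy interface outside
```

Once embryonic-conn-max is reached, the ASA answers new SYNs to the server itself (TCP intercept) and only builds the real connection after the client completes the handshake, so the server never sees the half-open backlog; the per-client-embryonic-max value is the one that catches a single source opening many half-open connections while the aggregate limit is still below the threshold.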

rechard_hk Mon, 09/06/2010 - 03:06

Dear abinjola,


I would like to confirm with you: when I put the commands below on my Cisco router, do you mean that I can block a DDoS attack - SYN flood, right?

But I'm not clear about the commands that you showed me.

What do max-incomplete high 20000000, one-minute high 100000000 and tcp max-incomplete host 100000 block-time 0 mean?


ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0

Will there be any problem when I put these commands in? I worry that when I put these commands in, my connection will go down.

Thank you for your help!!!


Best Regards,
Rechard
abinjola Mon, 09/06/2010 - 04:28
User Badges:
  • Cisco Employee,

Hi Rechard.. Those are TCP connection values:

ip inspect max-incomplete high <value> (default 500)  -> embryonic connection upper threshold value
ip inspect max-incomplete low <value>  (default 400)  -> embryonic connection lower threshold value
ip inspect one-minute high <value>     (default 500)  -> total connections in 1 minute, upper threshold
ip inspect one-minute low <value>      (default 400)  -> total connections in 1 minute, lower threshold
ip inspect tcp max-incomplete host <value> (default 50) [block-time <minutes> (default 0)]

Therefore, by implementing IOS FW on your router and tweaking these values you may protect your internal servers from being bombarded by a SYN flood or any DoS flood. Keep in mind that if there is a true attack then your router will protect your internal servers, however the router itself will take a toll. Ideally, to mitigate an attack, the rule of thumb is to mitigate as close to the source of the attack as possible.

you may also want to read:
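A worked IOS Firewall (CBAC) configuration that puts the thresholds explained above into context, as an added example that is not part of the thread. It assumes a router with the IOS Firewall feature set, GigabitEthernet0/0 facing the Internet and the servers behind GigabitEthernet0/1; the threshold values are illustrative and should be sized to what the protected servers can actually absorb, since the router only starts shedding half-open sessions once a high-water mark is crossed.

```text
! Added example, not from the thread. Assumed: IOS Firewall feature set,
! Gi0/0 = Internet side, Gi0/1 = server side, illustrative thresholds.

! Aggregate half-open (embryonic) session thresholds. Above "high" the
! router begins deleting half-open sessions and continues until the count
! falls below "low".
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1500

! Same mechanism applied to the rate of new half-open sessions per minute.
ip inspect one-minute high 2000
ip inspect one-minute low 1500

! Per-destination-host limit. With block-time 0 the router drops the
! oldest half-open session to that host for each new SYN once 200 is
! reached; with a non-zero block-time it drops them all and blocks new
! connections to that host for that many minutes.
ip inspect tcp max-incomplete host 200 block-time 0

! Give up on an unfinished three-way handshake after 15 seconds
! (default 30), so half-open entries are recycled faster under load.
ip inspect tcp synwait-time 15

! Inspection rule, applied inbound on the Internet-facing interface so
! the router tracks sessions heading toward the internal servers.
ip inspect name OUTSIDE_IN tcp
ip inspect name OUTSIDE_IN udp
interface GigabitEthernet0/0
 description Internet-facing
 ip inspect OUTSIDE_IN in

! Verification: confirm the thresholds took effect and watch the
! half-open session count while under load.
show ip inspect config
show ip inspect sessions
```

The numbers in this example are deliberately a few times the defaults rather than the very large values quoted earlier in the thread: the high thresholds are the point at which the router begins to act, so the larger they are, the longer the servers absorb the flood before the router intervenes, and the router's own CPU and memory are consumed tracking every half-open session up to that point.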

power.srvi Mon, 04/16/2012 - 06:57

Hello,


It doesn't work with Cisco 8.4.1.

I tried many configurations, and when I test my ASA 5520 with a SYN attack it seems so weak, it overloads!!!

So strange, I thought the 5520 ASA was stronger than this.
