09-02-2010 11:52 PM - edited 03-11-2019 11:34 AM
Dear All,
Does anyone know whether the Cisco ASA 5510 or 5520 can protect against DDoS attacks and SYN floods?
I have a problem with this, so how can I protect against it? Sometimes I see entries in my log like
"sync flood" or "ddos to xxx.xxx.xxx.xxx", with a random IP address.
Please help me solve this issue.
Best Regards,
Rechard
09-03-2010 12:51 AM
Hi, you can do a couple of things:
a) Use the embryonic limit and TCP connection limit in the static xlate
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075
b) Use the set connection conn-max or set connection per-client-max option
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395814
Or, if you have an SSM, you can enable the SYN flood DoS signature, which will take care of this.
HTH
--regards
09-03-2010 01:42 AM
Dear abinjola,
Thank you for your help!
I'm not clear about the links that you sent me.
Could you tell me more than this?
Anyway, could I ask you whether a Cisco router can block a DDoS attack / SYN flood or not?
I have a Cisco 3845 router; if it can, please let me know the commands to block it.
Thanks again!
Best Regards,
Rechard
09-03-2010 02:36 AM
Hi Rechard,
Those ASA links basically describe mitigation techniques on the ASA; for example, if you are using static, then you may limit the total number of connections/embryonic connections:
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 tcp max_conns emb_limit
Also, using MPF (as described in the other link), you may configure the per-client-max, conn-max or embryonic-conn-max options etc., which define how many connections from one specific client, or how many total connections to a specific web server, the ASA would allow. Example:
hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50
On the ASA, if you have an SSM module, then you may enable signatures as well to mitigate DoS/DDoS/SYN flood; alternatively, on the router you may configure the IOS firewall and set the following options:
ip inspect max-incomplete high 20000000
Let me know in case you need some more details.
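The two ASA techniques described in the post above (a connection/embryonic limit on the static translation, and the same limits applied through MPF), written out as a complete configuration. This is an added example, not configuration from the original post. It assumes an 8.0-era ASA (the version the thread's links refer to), a web server at the assumed real address 10.1.1.10 published as the assumed mapped address 203.0.113.10, and threshold values picked for illustration; size them to what the real server can actually hold in its SYN backlog. Once the embryonic limit is reached, the ASA answers new SYNs on the server's behalf (SYN cookies) and only forwards connections whose handshake completes, which is what stops a SYN flood from filling the server's backlog. On 8.3 and later, `static` is replaced by object NAT and ACLs match real rather than mapped addresses, so the MPF access-list would reference 10.1.1.10 instead.

```cisco
! --- Option a) limits on the static xlate ---
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask tcp max_conns emb_limit
! 1000 total TCP connections, at most 200 of them half-open (embryonic)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 tcp 1000 200

! --- Option b) the same limits via MPF, plus per-client limits ---
! Pre-8.3: inbound ACLs match the mapped address; 8.3+: use the real address 10.1.1.10
access-list WEB-SYN-PROTECT extended permit tcp any host 203.0.113.10 eq www
class-map WEB-SERVER
 match access-list WEB-SYN-PROTECT
policy-map global_policy
 class WEB-SERVER
  ! conn-max: total connections to the server; embryonic-conn-max: total half-open
  ! per-client-*: the same limits counted per source IP, which is what throttles a single flooder
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 50 per-client-embryonic-max 10
  ! Drop half-open connections that never complete the handshake after 30 seconds (default is 30s)
  set connection timeout embryonic 0:00:30
service-policy global_policy global

! --- Checks ---
! Per-class counters for the set connection policy (how often limits were hit)
show service-policy
! Per-source-IP connection and embryonic counts, to see which clients are being limited
show local-host 10.1.1.10
```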
09-03-2010 05:42 AM
If this is a router then the method is to enable TCP intercept.
http://ciscosystems.com/en/US/docs/ios/12_2/security/command/reference/srfenl.html
The best thing to do is to call your ISP, report it to them, and have them stop this SYN flood at their end before it gets to the outside interface of your router.
-KS
09-06-2010 03:06 AM
Dear abinjola
I would like to confirm with you that when I put the command below on my Cisco router, you mean that I can block a DDoS attack / SYN flood, right?
But I'm not clear about the command you showed me.
What do max-incomplete high 20000000, one-minute high 100000000 and tcp max-incomplete host 100000 block-time 0 mean?
ip inspect max-incomplete high 20000000
09-06-2010 04:28 AM
Hi Rechard. Those are TCP connection values.
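The two IOS mechanisms raised in this thread, TCP intercept (recommended by KS above) and the CBAC `ip inspect` half-open thresholds (the `max-incomplete high`, `one-minute high` and `tcp max-incomplete host ... block-time` values Rechard asks about), written out with the meaning of each threshold in the comments. This is an added example and not configuration from any post in the thread. It assumes a server at the assumed address 203.0.113.10 behind the router's assumed outside interface GigabitEthernet0/0, and uses the IOS default threshold values for illustration. The values are the point: the thresholds must be lower than what the server itself can absorb, because IOS only starts deleting half-open sessions once the `high` mark is crossed and stops again below `low`; a `high` of 20,000,000 means the protection effectively never kicks in. The two blocks are alternatives for the same traffic; deploy one of them.

```cisco
! ===== Alternative 1: TCP intercept =====
! Only intercept SYNs for the hosts listed; everything else is untouched
access-list 120 permit tcp any host 203.0.113.10 eq 80
ip tcp intercept list 120
! intercept mode: the router completes the handshake with the client first and only then
! opens the connection to the server, so spoofed SYNs never reach the server's backlog
ip tcp intercept mode intercept
! Aggressive mode starts when EITHER threshold is crossed and ends when BOTH fall below "low":
!   max-incomplete: total half-open connections outstanding
!   one-minute:     new connection attempts seen in the last minute
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
! In aggressive mode drop a random half-open connection per new SYN (default: oldest)
ip tcp intercept drop-mode random
! Seconds to wait for the client's ACK before giving up on an intercepted connection
ip tcp intercept watch-timeout 30

! ===== Alternative 2: CBAC (ip inspect) half-open thresholds =====
! max-incomplete high/low: total half-open sessions at which CBAC starts / stops deleting
! the oldest half-open sessions to make room for new ones (defaults 500 / 400)
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! one-minute high/low: the same action, but triggered by the RATE of new half-open
! sessions per minute rather than the total (defaults 500 / 400)
ip inspect one-minute high 500
ip inspect one-minute low 400
! tcp max-incomplete host: half-open TCP sessions allowed to ONE destination host.
! block-time 0: once the limit is hit, delete the oldest half-open session for each new SYN
! block-time N: instead block all new connections to that host for N minutes
ip inspect tcp max-incomplete host 50 block-time 0
! Seconds a TCP session may stay half-open before CBAC tears it down (default 30)
ip inspect tcp synwait-time 15
! The thresholds only act on inspected traffic, so an inspect rule must be applied
ip inspect name DOSGUARD tcp
interface GigabitEthernet0/0
 ip inspect DOSGUARD in

! ===== Checks =====
show tcp intercept statistics
show tcp intercept connections
show ip inspect statistics
```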
04-16-2012 06:57 AM
hello,
It doesn't work with Cisco 8.4.1.
I tried many configurations, and when I test my ASA 5520 with a SYN attack it seems so weak; it overloads!
So strange; I thought the ASA 5520 was stronger than this.