
Can Cisco ASA 5500 protect against DDoS attack - SYN flood?

rechard_hk
Level 1

Dear All,

Does anyone know whether a Cisco ASA 5510 or 5520 can protect against DDoS attacks and SYN floods?

I have a problem with this, so how can I protect against it? Sometimes I see entries in my log like this:

"sync flood " or "ddos to xxx.xxx.xxx.xxx" (the IP address is random).

Please help me to solve this issue.

Best Regards,

Rechard

8 Replies

abinjola
Cisco Employee

Hi, you can do a couple of things:

a) Use the embryonic limit and TCP connection limit in the static xlate

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

b) Use the set connection max or set connection per-client-max option

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395814

Or, if you have an SSM, enable the SYN DoS flood signature, which will take care of this.

HTH

--regards

Dear abinjola,

Thank you for your help!!!

I'm not clear about the links that you sent me!!!

Could you let me know more than this?

Anyway, could I ask you whether a Cisco router can block DDoS attacks - SYN floods or not?

I have a Cisco 3845 router; if it can, please let me know the commands to block it.

Thanks again!!!

Best Regards,

Rechard

Hi Rechard,

Those ASA links basically describe mitigation techniques on the ASA. For example, if you are using static NAT then you may limit the total number of connections and embryonic connections:

static (intf1,intf2) x.x.x.x y.y.y.y tcp <conn-count> <embryonic-limit>

Also, using MPF (as described in the other link) you may configure the per-client-max, conn-max or conn-embryonic options, which define how many connections from one specific client or how many total connections to a specific web server the ASA will allow. Example:

hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50

On the ASA, if you have an SSM module then you may enable signatures as well to mitigate DoS/DDoS/SYN flood. Alternatively, on the router you may configure IOS FW and set the following options:

ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0

Let me know in case you need some more details.

If this is a router then the method is to enable TCP intercept.

http://ciscosystems.com/en/US/docs/ios/12_2/security/command/reference/srfenl.html

Best thing to do is to call your ISP and report it to them and have them stop this syn flood at their end before it gets to the outside interface of your router.

-KS

Dear abinjola,

I would like to confirm with you: when I put the commands below on my Cisco router, do you mean that I can block DDoS attacks - SYN floods, right?

But I'm not clear about the commands that you showed me.

What do max-incomplete high 20000000, one-minute high 100000000 and tcp max-incomplete host 100000 block-time 0 mean?

ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0

Will there be any problem when I put in these commands? I worry that when I put in these commands my connection will go down.

Thank you for your help!!!

Best Regards,
Rechard

Hi Rechard, those are TCP connection values:

ip inspect max-incomplete high <value> (default 500) -> embryonic connection upper threshold
ip inspect max-incomplete low <value> (default 400) -> embryonic connection lower threshold
ip inspect one-minute high <value> (default 500) -> total connections in 1 minute, upper threshold
ip inspect one-minute low <value> (default 400) -> total connections in 1 minute, lower threshold
ip inspect tcp max-incomplete host <value> (default 50) [block-time <minutes> (default 0)]

Therefore, by implementing IOS FW in your router and tweaking these values you may protect your internal servers from being bombarded by a SYN flood or any DoS flood. Keep in mind that if there is a true attack then your router will protect your internal servers, but the router itself will take a toll; ideally, the rule of thumb is to mitigate an attack as close to the source of the attack as possible.

you may also want to read:
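An added example, not from any poster in this thread: a small Python model of the IOS Firewall half-open thresholds explained in the reply above (the global max-incomplete high/low watermarks and the per-host tcp max-incomplete limit with block-time). It assumes half-open counts are sampled once per minute and uses the default values listed above; it illustrates the threshold semantics, not the IOS implementation.

```python
# Added example: models the IOS Firewall (ip inspect) half-open thresholds
# from the reply above. Assumption: half-open counts are sampled once per
# minute; this illustrates the threshold semantics, not the IOS code itself.
from dataclasses import dataclass, field

@dataclass
class InspectThresholds:
    max_incomplete_high: int = 500  # ip inspect max-incomplete high (default 500)
    max_incomplete_low: int = 400   # ip inspect max-incomplete low (default 400)
    tcp_host_max: int = 50          # ip inspect tcp max-incomplete host (default 50)
    block_time_min: int = 0         # block-time minutes (default 0)

@dataclass
class InspectState:
    aggressive: bool = False  # True while deleting oldest half-open sessions
    blocked_until: dict = field(default_factory=dict)  # host -> minute block ends

def evaluate(thr, state, minute, total_half_open, per_host_half_open):
    """Apply one minute's counts; return the actions the firewall would take."""
    actions = []
    # Global watermarks with hysteresis: engage above high, release below low.
    if not state.aggressive and total_half_open > thr.max_incomplete_high:
        state.aggressive = True
    elif state.aggressive and total_half_open < thr.max_incomplete_low:
        state.aggressive = False
    if state.aggressive:
        actions.append("delete-oldest-half-open")
    # Per-destination-host limit (tcp max-incomplete host).
    for host, count in per_host_half_open.items():
        if count > thr.tcp_host_max:
            if thr.block_time_min > 0:
                # block-time > 0: drop all half-open sessions to the host and
                # refuse new connection requests to it until the block expires.
                state.blocked_until[host] = minute + thr.block_time_min
                actions.append(f"block-new-connections-to {host}")
            else:
                # block-time 0: drop the oldest half-open for each new request.
                actions.append(f"delete-oldest-half-open-to {host}")
    return actions

def is_blocked(state, host, minute):
    return state.blocked_until.get(host, 0) > minute

def run_scenario(thr, series):
    """series: constructed list of (total_half_open, {host: count}) per minute."""
    state, out = InspectState(), []
    for minute, (total, per_host) in enumerate(series):
        actions = evaluate(thr, state, minute, total, per_host)
        out.append((actions, state.aggressive))
    return out
```

With a threshold such as 20000000, as in the commands earlier in the thread, run_scenario never enters aggressive mode, so thresholds set far above real traffic volumes leave the protection idle.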

Hello,

It doesn't work with Cisco 8.4.1.

I tried many configurations, and when I test my ASA 5520 with a SYN attack it seems so weak, it overloads!!!

So strange, I thought that the 5520 ASA was stronger than this.
