
New Member

Controlling SYN flooding attack

We have a Cisco PIX 515E with PIX ver. 6.3(4). We are receiving continuous SYN packets for one specific server. Can we control this attack with the PIX 515E appliance? Please advise how to do this, if possible, with the PIX 515E.

Thanks in advance.



New Member

Re: Controlling SYN flooding attack


Well, since to my knowledge you can't use TCP normalization in the 6.3 version, you are pretty much left to use the PIX's IDS function.

try this:

ip audit name PIX-IDS attack action reset

ip audit interface outside PIX-IDS

ip audit attack action reset

Note that you might need to disable some signatures depending on your network. You can do that with this command:

ip audit signature <signature_number> disable

Look up the signatures here:

Hope this helps you. If you use the 7.x version, let me know, then I can help you with a better config for normalisation of the TCP SYN flood.


New Member

Re: Controlling SYN flooding attack

I thought the PIX only supported a limited set of IDS signatures and SYN attacks weren't one of them:

PIX# sh ip audit count

Signature Global

1000 I Bad IP Options List 0

1001 I Record Packet Route 0

1002 I Timestamp 0

1003 I Provide s,c,h,tcc 0

1004 I Loose Source Route 0

1005 I SATNET ID 0

1006 I Strict Source Route 0

1100 A IP Fragment Attack 0

1102 A Impossible IP Packet 0

1103 A IP Teardrop 0

2000 I ICMP Echo Reply 0

2001 I ICMP Unreachable 0

2002 I ICMP Source Quench 0

2003 I ICMP Redirect 0

2004 I ICMP Echo Request 0

2005 I ICMP Time Exceed 0

2006 I ICMP Parameter Problem 0

2007 I ICMP Time Request 0

2008 I ICMP Time Reply 0

2009 I ICMP Info Request 0

2010 I ICMP Info Reply 0

2011 I ICMP Address Mask Request 0

2012 I ICMP Address Mask Reply 0

2150 A Fragmented ICMP 0

2151 A Large ICMP 0

2154 A Ping of Death 0

3040 A TCP No Flags 0

3041 A TCP SYN & FIN Flags Only 0

3042 A TCP FIN Flag Only 0

3153 A FTP Improper Address 0

3154 A FTP Improper Port 0

4050 A Bomb 0

4051 A Snork 0

4052 A Chargen 0

6050 I DNS Host Info 0

6051 I DNS Zone Xfer 0

6052 I DNS Zone Xfer High Port 0

6053 I DNS All Records 0

6100 I RPC Port Registration 0

6101 I RPC Port Unregistration 0

6102 I RPC Dump 0

6103 A Proxied RPC 0

6150 I ypserv Portmap Request 0

6151 I ypbind Portmap Request 0

6152 I yppasswdd Portmap Request 0

6153 I ypupdated Portmap Request 0

6154 I ypxfrd Portmap Request 0

6155 I mountd Portmap Request 0

6175 I rexd Portmap Request 0

6180 I rexd Attempt 0

6190 A statd Buffer Overflow 0

Signature 3050 on the IPS is the signature for SYN attacks, but this is clearly not listed above.
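The check made in the post above, as an added example that is not part of the original thread: a small parser for the `sh ip audit count` row format that reports whether a signature ID is present and which attack-class (A) rows have non-zero counts. The sample rows copy names from the output above, but the non-zero counts and the function names are constructed for illustration.

```python
import re

# Constructed sample in the row format of the `sh ip audit count` output
# quoted above: <signature id> <I|A> <name> <global count>.
# The non-zero counts are made up so the example has something to report.
SAMPLE = """\
PIX# sh ip audit count
Signature Global
1100 A IP Fragment Attack 0
2154 A Ping of Death 0
3040 A TCP No Flags 7
3041 A TCP SYN & FIN Flags Only 2
3042 A TCP FIN Flag Only 0
6053 I DNS All Records 4
"""

# Four-digit id, class letter, multi-word name, trailing counter.
ROW = re.compile(r"^\s*(\d{4})\s+([IA])\s+(.+?)\s+(\d+)\s*$")


def parse_audit_count(text):
    """Return {sig_id: (class, name, count)} for every signature row."""
    sigs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # prompt, header and blank lines do not match and are skipped
            sig_id, cls, name, count = m.groups()
            sigs[int(sig_id)] = (cls, name, int(count))
    return sigs


def is_supported(sigs, sig_id):
    """True if the signature id appears in the device's audit table."""
    return sig_id in sigs


def attack_hits(sigs):
    """Attack-class (A) signatures with a non-zero count, sorted by id."""
    return [(i, name, count)
            for i, (cls, name, count) in sorted(sigs.items())
            if cls == "A" and count > 0]


if __name__ == "__main__":
    sigs = parse_audit_count(SAMPLE)
    print("3050 supported:", is_supported(sigs, 3050))
    for sig_id, name, count in attack_hits(sigs):
        print(sig_id, name, count)
```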

New Member

Re: Controlling SYN flooding attack


Oops, correct, it supports only a limited set of signatures. I took it for granted that SYN attacks was one of them.

I will see if I can find something out for you ;)


New Member

Re: Controlling SYN flooding attack

What you can do to "conserve" the host being attacked is to use the embryonic connection options in the static command.

You probably have a static configured for that host.

Check the static command in the manual:

New Member

Re: Controlling SYN flooding attack

Didn't think of that one! :)

Also you can limit the embryonic connections in the nat command!

Example to limit embryonic sessions to 50:

nat (inside) 1 access-list Nat-List 0 50

on the static command:

static (inside,outside) yyy.yyy.yyy.yyy 0 50
