As far as DDoS/DoS/SYN attack mitigation goes, there are a few things that the ASA can do to minimize these effects. Leveraging Modular Policy Framework (MPF) and Static NAT configuration, you can limit the number of TCP connections and embryonic connections on the ASA on a per-host or per-traffic-type basis. Also, by using MPF, you can limit an inside host that is DoSing your network. If you are using an ASA, there is also the BotNet feature that will dynamically detect and react to the traffic, blocking the traffic to the malicious hosts.
To detect a guilty host, one command that I like to use is 'show local | inc host|count/limit'. Guilty hosts on the inside that may have become infected with a virus or malware can also be detected leveraging the BotNet feature.
These tools will assist you in isolating which host is indeed DoSing your network, but this still requires your ASA to process the packet, taking valuable bandwidth (traffic- and CPU-wise) away from legitimate traffic. Once you identify the guilty host, you can then call your ISP or upstream router manager and have them "blackhole" the guilty host. Here are a few useful links in ASA 8.2:
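The following is an added configuration example illustrating the three mechanisms described above (static NAT connection limits, MPF connection limits, and the Botnet Traffic Filter) in ASA 8.2 syntax; it is not part of the original post. The interface names, the inside server 10.1.1.10, the mapped address 203.0.113.10, and every limit value are assumptions chosen for illustration and should be tuned to the server's real capacity.

```cisco
! --- 1. Per-host limits via static NAT (8.2 syntax) ---
! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [tcp max_conns [emb_limit]] [udp max_conns]
! Assumed values: at most 1000 TCP connections, 500 embryonic (half-open) TCP connections, 500 UDP.
! Once the embryonic limit is reached, the ASA proxies the TCP handshake (TCP intercept) for that host.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 tcp 1000 500 udp 500

! --- 2. Per-traffic-type limits via MPF on the outside interface ---
! Match inbound HTTP by port so the rule is independent of the NAT address used in the ACL.
class-map INBOUND_WEB
 match port tcp eq www

policy-map OUTSIDE_POLICY
 class INBOUND_WEB
  ! Aggregate and per-source-client caps (assumed values).
  set connection conn-max 2000 embryonic-conn-max 500 per-client-max 50 per-client-embryonic-max 20
  ! Drop half-open connections quickly so a SYN flood cannot hold state for long.
  set connection timeout embryonic 0:00:30
  ! Randomize sequence numbers for clients behind the ASA (default on, shown explicitly).
  set connection random-sequence-number enable

service-policy OUTSIDE_POLICY interface outside

! --- 3. Botnet Traffic Filter (licensed feature) ---
! Download the dynamic database, snoop DNS replies to learn malicious IPs, and drop blacklisted traffic.
dynamic-filter updater-client enable
dynamic-filter use-database
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

! --- Verification ---
! show local-host | include host|count/limit   -> per-host flow counts against the limits above
! show service-policy interface outside        -> counters for the INBOUND_WEB class
! show dynamic-filter statistics               -> Botnet Traffic Filter hits
```

The static limits protect a specific server, the MPF class protects a service regardless of which host is targeted, and the two can be combined; `show local-host` is the same command the post abbreviates as `show local` and reports each host's current count against its configured limit.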