Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

Dear All,

Anyone do you know Cisco ASA 5510 or 5520 can protect DDos attack ans sync flood ?

I have problem on this, so how can i protect on this, some time i saw on my log like this

"sync flood " or "ddos to xxx.xxx.xxx.xxx" the ip address random .


Please help me to solve this issue?

Best Regards,

Rechard

8 REPLIES
Cisco Employee

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

Hi , You can do couple things like:

a)Use ebryonic limit and tcp conn limit in static Xlate

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

b)Use set connection max or set connection per-client-max option

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395814

Or if you have SSM then you have enable SYN DOS flood signature which will take care of this

hth

--regards

New Member

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

Dear abinjola,

Thanks you for you help!!!

i'm not clear about your link that you send to me!!!

could you let me know more than this?

any way could i ask you about Cisco router can block DDos Attack - sync flood or not?

i have cisco router 3845, if can please let me know command How to block it?

Thanks your gain!!!

Best Regads,

Rechard

Cisco Employee

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

Hi Rechard,

Those ASA links basically describes mitigation techniques on ASA, for example if you are using static then you may limit no. of total connections/embryonic connections

static (intf1,intf2) x.x.x.x.x tcp < conn count>

Also using MPF(as described in other link) you may configure per-client-max or conn-max or conn-embryonic options etc which means how many connections from one specific client or how many total no. of connections on a specific web-server would ASA allow.example

hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50

On ASA if you have SSM module then you may enable signatures as well to mitigate DOS/DDOS/SYN-FLOOD, alternatively on router you may configure IOSFW and set the following options

ip inspect max-incomplete high 20000000

ip inspect one-minute high 100000000

ip inspect tcp max-incomplete host 100000 block-time 0


let me know in case you need some more details

Cisco Employee

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

If this is a router then the method is to enable TCP intercept.

http://ciscosystems.com/en/US/docs/ios/12_2/security/command/reference/srfenl.html

Best thing to do is to call your ISP and report it to them and have them stop this syn flood at their end before it gets to the outside interface of your router.

-KS

New Member

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

Dear abinjola

I would like to confirm from you that when i put command as below on my Cisco Router you mean that i can block DDos Attack -Sync Flood right?

but i'm not clear about command that you show me.

what does it mean max-incomplete high 20000000, one-minute high 100000000 and tcp max-incomplete host 100000 block-time 0?

ip inspect max-incomplete high 20000000

#

ip inspect one-minute high 100000000

#

ip inspect tcp max-incomplete host 100000 block-time 0

have any problem when i put this command because i worry when i put this command i connection down?

Thanks you for your issue!!!


Best Regards,
Rechard
Cisco Employee

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

Hi Rechard..Those are tcp connection values

ip inspect max-incomplete high value (default 500)---------------->embryonic connection upper threshold value
ip inspect max-incomplete low value (default 400)-------------------->embryonic connection lower threshold value
ip inspect one-minute high value (default 500)------------------------>total connection  in 1 minute, upper threshold
ip inspect one-minute low value (default 400)--------------------------->total connection in 1 min, lower threshold
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]

Therefore by implementing IOSFW in your router and tweaking these values you may protect your internal servers from being bombwarded by SYM flood or any DOS flood, keeping in mind if there is a trrue attack then your router will proctect your internal servers however router itself will take a toll on itself, ideally to mitigate an attack the thumb rule is to mitigate by going as close to the source of the attack as possible

you may also want to read:

New Member

Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

hello,

it doesn't work with cisco 8.4.1

i tryed many configuration and when i test my asa 5520 with a sysn attack it seems so weak it overload !!!

so strange i thinked that the 5520 asa was more strong  thant this .

Re: Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

did you ever resolve this? my ASA 5525 overload there is a sysn attack.
27734
Views
0
Helpful
8
Replies
CreatePlease to create content