Cisco Support Community
New Member

AIP-SSM 40 and TCP Syn/Ack Attack

Hi,

Some of our sites are under constant attack with TCP Syn/Ack, i.e. Syn followed by an Ack and no Get HTTP. Would want the Firewall to hold the traffic until there is a genuine payload. Plz Help.

Here is the sequence

Attacker sends SYN

Server sends SYN/ACK

Attacker sends ACK

Server waits for the Get

We see 1000s of connections created in a sec.

Thx

Sundar

4 REPLIES
New Member

Re: AIP-SSM 40 and TCP Syn/Ack Attack

Hi,

Please find the config in the attachment.

Can someone tell me why the CPU goes to 100% when the attack is not even 100 Mbps of traffic? Is the throughput or performance of the ASA the same when it is under attack too?

Thx in advance

New Member

Re: AIP-SSM 40 and TCP Syn/Ack Attack

Hi,

I am looking for a good Packet Generator tool to simulate a TCP Syn attack or DDOS attack. Could someone give me some input on this plz?

Is BackTrack a good tool, or are there any other good tools available?

Thx in advance.

Gold

Re: AIP-SSM 40 and TCP Syn/Ack Attack

You want to configure "TCP Intercept" on your firewall. One reason that a small (100 Mb/s) amount of traffic can saturate your sensor is that these attacks only require very small packets.

Once you start loading down the sensor with hundreds or thousands of attacks per second, the sensor gets pretty busy taking care of all the related functions (writing events to the event store, reporting to a manager, etc.).

Sensor bandwidth sizing is not based on a huge number of attacks per second.

New Member

Re: AIP-SSM 40 and TCP Syn/Ack Attack

Thanks.

We have a 1 Gig Pipe and we found 30 Mbps of unwanted traffic with a session rate of 150+ Kpps. Do you think an AIP-SSM-40 on an ASA 5540 can stand this kind of attack? Want to know how others mitigate this size of attack. Please share your experience. In the trace we saw a lot of TCP SYN followed by an ACK whether you send SYN/ACK or don't send it.

Cheers
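
Added example, not part of the thread or any poster's code: a small detector for the pattern described in the original post and in the trace observation above (handshake completed and then no request, or an ACK sent even though no SYN/ACK was seen). The record layout, addresses, `grace` period and `threshold` are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample trace: (time_s, src, sport, dst, dport, tcp_flags, payload_len)
SERVER = ("192.0.2.10", 80)
TRACE = [
    (0.00, "198.51.100.7", 40001, "192.0.2.10", 80, "S", 0),
    (0.01, "192.0.2.10", 80, "198.51.100.7", 40001, "SA", 0),
    (0.02, "198.51.100.7", 40001, "192.0.2.10", 80, "A", 0),    # handshake done, then silence
    (0.10, "198.51.100.7", 40002, "192.0.2.10", 80, "S", 0),
    (0.11, "198.51.100.7", 40002, "192.0.2.10", 80, "A", 0),    # ACK with no SYN/ACK seen
    (0.20, "203.0.113.5", 51000, "192.0.2.10", 80, "S", 0),
    (0.21, "192.0.2.10", 80, "203.0.113.5", 51000, "SA", 0),
    (0.22, "203.0.113.5", 51000, "192.0.2.10", 80, "A", 0),
    (0.30, "203.0.113.5", 51000, "192.0.2.10", 80, "PA", 120),  # normal client sends its GET
    (9.00, "203.0.113.9", 52000, "192.0.2.10", 80, "S", 0),
    (9.01, "192.0.2.10", 80, "203.0.113.9", 52000, "SA", 0),
    (9.02, "203.0.113.9", 52000, "192.0.2.10", 80, "A", 0),     # too recent to judge
]

def classify_flows(trace, server=SERVER, grace=5.0):
    """Return {(client_ip, client_port): verdict} for flows towards `server`."""
    flows = {}  # per-flow state: SYN seen, SYN/ACK seen, time of first client ACK, data seen
    for ts, src, sport, dst, dport, flags, plen in trace:
        if (dst, dport) == server:
            f = flows.setdefault((src, sport), {"syn": False, "synack": False, "ack": None, "data": False})
            if flags == "S":
                f["syn"] = True
            elif plen > 0:
                f["data"] = True
            elif "A" in flags and f["syn"] and f["ack"] is None:
                f["ack"] = ts
        elif (src, sport) == server and flags == "SA" and (dst, dport) in flows:
            flows[(dst, dport)]["synack"] = True
    end = trace[-1][0] if trace else 0.0  # judge idleness against the end of the capture
    verdicts = {}
    for key, f in flows.items():
        if f["data"]:
            verdicts[key] = "ok"
        elif f["ack"] is None or end - f["ack"] < grace:
            verdicts[key] = "pending"
        else:
            verdicts[key] = "idle_handshake" if f["synack"] else "blind_ack"
    return verdicts

def suspects(trace, threshold=2, **kw):
    """Source IPs with at least `threshold` handshake-only or blind-ACK flows."""
    bad = Counter(ip for (ip, _), v in classify_flows(trace, **kw).items() if v not in ("ok", "pending"))
    return sorted(ip for ip, n in bad.items() if n >= threshold)
```
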