Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Detecting DDoS/DoS on ASA w AIP-SSM


I'm battling with one problem - I need to detect and (attention) to produce an alert (say, an e-mail alert) after the detection of a DDoS attack - let's take TCP Syn Flood on a particular IP.

What I have: MARS and ASA/AIP-SSM which is controlled via Cisco Security Manager.

As far as I know, AIP-SSM does not support Normalizer signature (3050 for TCP SYN) so it will never fire an alert for this (but this could definitely solve my problem)  And ASA has basic threat-detection capabilities and it produces an ASA-4-733100 syslog event after detecting a threat.

But as far as I know I can't a) configure more sophisticated parameters of the ASA's threat-detection on CSM as it doesn't support this in it's interface (at least 3.3.1 version) b) MARS (6.0.4 in my case) also doesn't know anything about this feature (am I right?)

So I can either a) use a Flex-config on CSM to tune the threat-detection feature and write custom parser on MARS b) write custom rule on MARS to catch all the "Built TCP-connection" and "Teardown TCP .... with SYN" messages and to produce alert after hitting a threshold

But may be there is a more straightforward way to do this? Who can advise?

Regards, Amir

Everyone's tags (2)
Community Member

Re: Detecting DDoS/DoS on ASA w AIP-SSM

Hi Amir,

did you try use "anomaly detection" feature on IPS module ?

I think, this can help to identify "attack" for your host  ..



Community Member

Re: Detecting DDoS/DoS on ASA w AIP-SSM


Vladimir, thanks for your reply.

Yes, I've tried to use this but may be I've tuned it the wrong way - I am sure it will detec host/ports scans/sweeps but can it discover SYN or FIN floods (I mean, a lot of connections to one host with the same TCP-flag, for eg?  I didn't find anything near that.

May be I'm wrong?

Regards, Amir.

CreatePlease to create content