Cisco Support Community

New Member

Cisco ASA DDoS Mitigation

Hi, I have been reading the ASA document describing how to defend against DDoS attacks, specifically SYN attacks.

According to the document, the ASA can defend against half-open TCP connections ("SYN attacks").

But what if the attack was a "PSH+ACK" flood? AFAIK this is not considered half-open, since there's no session related to it.

How does the ASA defend against this? Is there any documentation, or are there papers that discuss this?

TIA,

Cisco Employee

Cisco ASA DDoS Mitigation

Hi Jerome,

The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:

%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside

-Mike
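Added example (not from the thread and not Cisco code): a small Python triage script that reads %ASA-6-106015 lines, keeps only the PSH/ACK "no connection" denies, and for each destination socket measures the busiest time window by packet count and number of distinct sources. The idea is that a long run of these messages from many sources to one destination looks like a flood, while a few from a single host are the usual case of data arriving after the firewall has already removed the connection entry (idle timeout, RST or FIN), which the same syslog also reports. The syslog header format ("Mon DD HH:MM:SS host"), the sample log lines and the thresholds are all assumptions made for the example; only the 106015 message body follows the format shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the 106015 message body, optionally preceded by a classic syslog
# header "Mon DD HH:MM:SS host" (assumed; depends on the logging setup).
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ )?"
    r"%ASA-6-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$"
)


def parse_106015(line):
    """Return a dict for a 106015 line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    # No year in the header; year 1900 is fine for ordering within a window.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S") if rec["ts"] else datetime.min
    return rec


def classify(records, window_seconds=10, min_packets=20, min_sources=5):
    """Per destination ip/port, find the busiest window of PSH/ACK
    no-connection denies and label it "flood" or "stray".
    Thresholds are illustrative assumptions, not ASA behaviour."""
    by_dst = defaultdict(list)
    for r in records:
        if {"PSH", "ACK"} <= r["flags"]:
            by_dst[(r["dst"], r["dport"])].append(r)
    result = {}
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r["ts"])
        peak = (0, 0)               # (packets, distinct sources) in best window
        src_count = defaultdict(int)
        lo = 0
        for hi, r in enumerate(recs):
            src_count[r["src"]] += 1
            # Slide the left edge until the window fits in window_seconds.
            while (r["ts"] - recs[lo]["ts"]).total_seconds() > window_seconds:
                old = recs[lo]["src"]
                src_count[old] -= 1
                if src_count[old] == 0:
                    del src_count[old]
                lo += 1
            peak = max(peak, (hi - lo + 1, len(src_count)))
        pkts, srcs = peak
        verdict = "flood" if pkts >= min_packets and srcs >= min_sources else "stray"
        result[dst] = {"packets": pkts, "sources": srcs, "verdict": verdict}
    return result


def sample_lines():
    """Constructed sample, not real ASA output: 30 PSH/ACK denies from 25
    sources to 192.168.1.1/80 within 3 seconds, two stragglers from one host
    to 192.168.1.2/443 (typical of a connection the ASA already tore down),
    one plain-ACK deny that is ignored, and one unrelated message."""
    lines = []
    for i in range(30):
        lines.append(
            f"Mar 12 10:00:0{i % 3} asa-1 %ASA-6-106015: Deny TCP (no connection) "
            f"from 203.0.113.{i % 25 + 1}/{40000 + i} to 192.168.1.1/80 "
            f"flags PSH ACK on interface outside"
        )
    lines += [
        "Mar 12 10:05:00 asa-1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/51515 to 192.168.1.2/443 flags PSH ACK on interface outside",
        "Mar 12 10:05:01 asa-1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/51515 to 192.168.1.2/443 flags PSH ACK on interface outside",
        "Mar 12 10:05:02 asa-1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/51600 to 192.168.1.2/443 flags ACK on interface outside",
        "Mar 12 10:05:03 asa-1 %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.9/51601 (198.51.100.9/51601) to inside:192.168.1.2/443 (192.168.1.2/443)",
    ]
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse_106015, sample_lines()) if r]
    for (ip, port), info in classify(recs).items():
        print(f"{ip}/{port}: {info}")
```

Run it against a real syslog export by replacing sample_lines() with the file's lines; tune window_seconds, min_packets and min_sources to the normal rate of 106015 on the interface, since a busy outside interface will produce a trickle of these messages all day from ordinary connection teardown.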

New Member

Re: Cisco ASA DDoS Mitigation

Does this mean that if I see the mentioned syslog message, it is a DoS attack?
