Cisco Support Community

New Member

Cisco ASA DDoS Mitigation

Hi, I have been reading the ASA document describing how to defend against DDoS attacks, specifically SYN attacks.

According to the document, the ASA can defend against half-open TCP connections ("SYN attacks").

But what if the attack was a "PSH+ACK"? AFAIK this is not considered half-open since there's no session related to it.

How does the ASA defend against this? Are there any documentation or papers that discuss this?


Cisco Employee

Cisco ASA DDoS Mitigation

Hi Jerome,

The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:

%ASA-6-106015: Deny TCP (no connection) from to flags PSH ACK on interface outside
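To make the reply above usable in practice, here is an added example (not code from the thread or from Cisco) that parses %ASA-6-106015 messages and counts PSH/ACK "no connection" denies per source and per target, so a handful of stray packets can be told apart from a sustained flood. The message layout follows Cisco's documented format ("Deny TCP (no connection) from IP/port to IP/port flags FLAGS on interface NAME"); the sample log lines, the addresses and the flood threshold are constructed assumptions for the example, not ASA settings.

```python
import re
from collections import Counter

# Body of %ASA-6-106015 as documented by Cisco. re.search() is used so a
# leading timestamp/hostname prefix from a syslog collector does not matter.
LOG_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return a dict for a 106015 event, or None if the line is some other message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = frozenset(ev["flags"].split())  # e.g. {"PSH", "ACK"}
    return ev


def classify_psh_ack(lines, flood_threshold=20):
    """Summarise PSH/ACK denies by source and by (target, port).

    flood_threshold is an assumed tuning value for this example: a source that
    produces at least that many denies is reported under "flood_sources".
    Other flag combinations (FIN/ACK, RST/ACK, ...) are ignored here.
    """
    per_src = Counter()
    per_target = Counter()
    for line in lines:
        ev = parse_106015(line)
        if ev is None or ev["flags"] != {"PSH", "ACK"}:
            continue
        per_src[ev["src"]] += 1
        per_target[(ev["dst"], ev["dport"])] += 1
    return {
        "psh_ack_denies": sum(per_src.values()),
        "sources": dict(per_src),
        "targets": dict(per_target),
        "flood_sources": sorted(s for s, n in per_src.items() if n >= flood_threshold),
    }


def sample_lines():
    """Constructed log lines (documentation addresses): one flooding source,
    one stray PSH/ACK, one FIN/ACK deny and one unrelated connection message."""
    lines = [
        f"Jan 10 12:00:{i:02d} asa1 : %ASA-6-106015: Deny TCP (no connection) "
        f"from 203.0.113.5/{40000 + i} to 198.51.100.10/80 flags PSH ACK on interface outside"
        for i in range(25)
    ]
    lines.append("%ASA-6-106015: Deny TCP (no connection) from 203.0.113.77/51000 "
                 "to 198.51.100.10/80 flags PSH ACK on interface outside")
    lines.append("%ASA-6-106015: Deny TCP (no connection) from 203.0.113.77/51001 "
                 "to 198.51.100.10/80 flags FIN ACK on interface outside")
    lines.append("%ASA-6-302013: Built inbound TCP connection 12345 for outside:"
                 "203.0.113.9/50000 (203.0.113.9/50000) to inside:198.51.100.10/80 (198.51.100.10/80)")
    return lines


if __name__ == "__main__":
    summary = classify_psh_ack(sample_lines())
    print(f"PSH/ACK denies: {summary['psh_ack_denies']}")
    for src, n in sorted(summary["sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {n}")
    print("flood sources:", summary["flood_sources"])
```

A single 106015 entry with PSH ACK is not by itself evidence of an attack: the same message is produced, for example, when a retransmission or a late data segment arrives after the ASA has already torn down the connection (idle timeout, RST from the other side). What distinguishes a flood is the rate and the number of sources aimed at one target over a short window, which is what the per-source and per-target counters above are meant to surface.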


New Member

Re: Cisco ASA DDoS Mitigation

Does this mean if I see the mentioned syslog message that it is a DOS attack?

