Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3028
Views
0
Helpful
2
Replies

Cisco ASA DDoS Mitigation

jmacaranas
Level 1
Level 1

‎11-24-2011 04:31 PM - edited ‎02-21-2020 04:30 AM

hi I have been reading ASA document defining how to defend DDoS attack specifically SYN Attack.

According to the document ASA can defense half open TCP connection. "SYN Attacks"

but what if the attack was a "PSH+ACK" AFAIK this is not considered half-open since there's no session related to it.

How does ASA defend against this?  Are there any documetation or papers the discuss this?

tia,

0 Helpful
2 Replies 2

mirober2
Cisco Employee
Cisco Employee

‎12-20-2011 06:03 AM

Hi Jerome,

The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:

%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside

-Mike

0 Helpful

helsayed78
Level 1
Level 1
In response to mirober2

‎06-06-2013 10:20 AM

Does this mean if I see the mentioned syslog message that it is a DOS attack?

Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card