https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817421#M416948 <HTML><HEAD></HEAD><BODY><P>Hi Jerome,</P><P></P><P>The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:</P><P></P><P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside</PRE></P><P></P><P>-Mike</P></BODY></HTML> Tue, 20 Dec 2011 14:03:32 GMT mirober2 2011-12-20T14:03:32Z https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817420#M416941 <P>hi I have been reading ASA document defining how to defend DDoS attack specifically SYN Attack.</P><P></P><P>According to the document ASA can defense half open TCP connection. "SYN Attacks"</P><P></P><P>but what if the attack was a "PSH+ACK" AFAIK this is not considered half-open since there's no session related to it.</P><P></P><P>How does ASA defend against this?&nbsp; Are there any documetation or papers the discuss this?</P><P></P><P>tia,</P> Fri, 21 Feb 2020 12:30:42 GMT https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817420#M416941 jmacaranas 2020-02-21T12:30:42Z https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817421#M416948 <HTML><HEAD></HEAD><BODY><P>Hi Jerome,</P><P></P><P>The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:</P><P></P><P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside</PRE></P><P></P><P>-Mike</P></BODY></HTML> Tue, 20 Dec 2011 14:03:32 GMT https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817421#M416948 mirober2 2011-12-20T14:03:32Z https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817422#M416957 <HTML><HEAD></HEAD><BODY><P>Does this mean if I see the mentioned syslog message that it is a DOS attack?<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 06 Jun 2013 17:20:59 GMT https://community.cisco.com/t5/network-security/cisco-asa-ddos-mitigation/m-p/1817422#M416957 helsayed78 2013-06-06T17:20:59Z