https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672391#M536853 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>On ASA access rules, SSH is opened for the inside server from outside IPs? If so, is it restricted? </P><P></P><P>please see the below link that might provide some helpful information.</P><P></P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml</A></P><P></P><P>hth</P><P>MS</P></BODY></HTML> Thu, 30 Jun 2011 16:06:16 GMT mvsheik123 2011-06-30T16:06:16Z https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672390#M536852 <P>ASA5520 v8.3(2) OS</P><P>I'm seeing connection bursts every 2 minutes to my internal SSH server</P><P>Conns during that time peak at &gt; 1500/sec - normal is 100/sec</P><P>Inbound bandwidth usage goes from 4Mbit/sec to &gt; 30Mbit/sec</P><P>CPU usage spikes above 60%</P><P></P><P>When I do a "show conn' the oustanding type looks like:</P><P>TCP outside AA.BB.CC.DD:11510 inside XXX.YYY.XXX.ZZZ:22, idle 0:00:00, bytes 0, flags aB</P><P>Note the 'bytes 0, flags aB'</P><P></P><P>What do I need to do to mitigate this?&nbsp; I don't have an AIP-SSC in the 5520.</P><P></P><P>Thx</P> Mon, 11 Mar 2019 20:53:23 GMT https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672390#M536852 Phil Williamson 2019-03-11T20:53:23Z https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672391#M536853 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>On ASA access rules, SSH is opened for the inside server from outside IPs? If so, is it restricted? </P><P></P><P>please see the below link that might provide some helpful information.</P><P></P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml</A></P><P></P><P>hth</P><P>MS</P></BODY></HTML> Thu, 30 Jun 2011 16:06:16 GMT https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672391#M536853 mvsheik123 2011-06-30T16:06:16Z https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672392#M536854 <HTML><HEAD></HEAD><BODY><P>Yes, this is an unrestriced server.</P><P>I've tried the code in that link, previously and it does not seem to make any difference.</P><P></P><P>Thoughts?</P><P>Thx</P><P>PW</P></BODY></HTML> Thu, 30 Jun 2011 16:26:41 GMT https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672392#M536854 Phil Williamson 2011-06-30T16:26:41Z https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672393#M536855 <HTML><HEAD></HEAD><BODY><P>Nope...;-) but I would move the server to DMZ, if possible. Also try clear the xlate for the server and see if that helps anything.</P><P></P><P>Thx</P><P>MS</P></BODY></HTML> Thu, 30 Jun 2011 16:41:59 GMT https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672393#M536855 mvsheik123 2011-06-30T16:41:59Z https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672394#M536856 <HTML><HEAD></HEAD><BODY><P> It is basically in a DMZ since it's the ony server behind the ASA.</P><P>Can't clear xlates - would being down 2K+ legit connections.</P><P></P><P>I did make a few changes to the code in your link:</P><P>!</P><P>class-map TCP_SYN</P><P> match port tcp eq ssh</P><P>!</P><P>policy-map TCPMAP</P><P> class TCP_SYN</P><P>&nbsp; set connection conn-max 10000 embryonic-conn-max 200 per-client-max 25 per-client-embryonic-max 5</P><P>&nbsp; set connection timeout half-closed 0:05:00 idle 1:00:00</P><P>!</P><P>service-policy TCPMAP interface outside</P><P>!</P><P></P><P>Questions:</P><P>Is the conn-max the # of conns allowed to my internal server of from any one external source?&nbsp; Maybe I have this set too high?</P><P>Ditto for embryonic-conn-max, per-client-max and per-client-embryonic-max ??</P><P></P><P>Thx</P></BODY></HTML> Thu, 30 Jun 2011 16:51:24 GMT https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672394#M536856 Phil Williamson 2011-06-30T16:51:24Z https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672395#M536857 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>The conn Max# and per client max# totally depends your infra requirements and how many the server can support (not sure if there any such restriction on server end). But I wouldn't allow any client to open more than 5 max connection and simutaneous conn max# 100-200. In otherwords, always starts from low number and if you there is any connectivity issues you can increase anytime. </P><P></P><P>hth</P><P>MS</P></BODY></HTML> Thu, 30 Jun 2011 17:19:29 GMT https://community.cisco.com/t5/network-security/suspected-ddos-syn-flood-attack/m-p/1672395#M536857 mvsheik123 2011-06-30T17:19:29Z