Re: AIP-SSM 40 and TCP Syn/Ack Attack

subra4u · ‎08-28-2009

Hi,

Some of our sites are under constant attack with TCP Syn/Ack i.e Syn followed by an Ack and no Get HTTP. Would want the Firewall to hold the traffic until there is a geniune payload. Plz Help.

Here is the sequence

Attacker sends SYN

Server sends SYN/ACK

Attacker sends ACK

Server waits for the Get

We see 1000s of connections created in a sec.

Thx

Sundar

subra4u · ‎08-28-2009

Hi,

PLease find the config in the attachment

Can someone tell me why the CPU goes 100% when the attack is not even 100 mbps of traffic. Is the throughput or performance of the ASA is the same when it is under attack too.

Thx in advance

subra4u · ‎09-21-2009

Hi,

I am looking for a good Packet Generator tool to simulate a TCP Syn attack or DDOS attack. Could some one give me some inputs on this plz.

Is BackTrack a good tool or there any other good tools available.

Thx in advance.

rhermes · ‎09-21-2009

You want to configure "TCP Intercept" on your firewall. One reason that a small (100 Mb/s) amount of traffic can saturate your sensor is that these attacks only require very small packets.

Once you start loading down the sensor with hundreds or thousands of attacks per second, the sensor gets pretty busy taking care of all the related functions (writing events to the event store, reporting to a manager, etc)

Sensor bandwidth sizing is not based on a huge number of attacks per second.

subra4u · ‎09-21-2009

Thanks.

We have a 1 Gig Pipe and we found a 30 Mbps unwanted traffic with a session rate of 150+ Kpps. Do you think AIP-SSM-40 on a ASA 5540 can stand this kind of attack. Want to know how others mitigate this size of attack. Please share your experience. In the trace we saw a lot of TCP SYN followed by a ACK whether you send SYN/ACK or dont send it.

Cheers