2984 Views · 4 Helpful · 1 Reply

ASA5510 under constant TCP SYN attack

kiranoddiraju
Level 1

Hi guys,

One of my clients' ASA5510s is under constant attack. It's a different IP address and port all the time. We have created a rule on the firewall to deny these sources, but it's a new IP address every 10-15 minutes. I have also verified 'ip verify reverse-path' on the outside interface.

Jul 28 17:21:14 172.26.11.50 %ASA-4-419002: Duplicate TCP SYN from outside:51.254.249.187/1337 to DMZ:LM-VIP-HC-INText/80 with different initial sequence number
Jul 28 17:21:15 172.26.11.50 %ASA-3-201011: Connection limit exceeded 924/10000 for input packet from LM-VIP-AUSext/443 to 202.134.14.143/28009 on interface DMZ
Jul 28 17:21:15 172.26.11.50 %ASA-3-201011: Connection limit exceeded 927/10000 for input packet from LM-VIP-AUSext/443 to 202.134.14.143/28010 on interface DMZ
We are struggling to contain this attack. Should we create a rule based on TCP SYN flags? Any help would be highly appreciated.
Thanks
KO
Accepted Solution

There is not that much you can do here, and "ip verify reverse-path" can't help as your default route is pointing to the internet. Some options:

  1. TCP intercept on the ASA: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/conns_connlimits.html#51287
    Here your ASA will answer the TCP SYN and your host gets protected.
  2. Protection on the host itself. Today, every modern server OS has built-in DoS protection. You should enable that.
  3. If the problem goes on, there are ISPs offering DoS protection.

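The TCP intercept option from the accepted answer, written out as an added example (this is not the answer's own configuration and is not copied from the linked guide): an ASA Modular Policy Framework policy that caps embryonic (half-open) connections to the DMZ web servers, so that once the cap is reached the ASA completes the three-way handshake on the server's behalf and only forwards connections that actually complete. The object and class names, the server addresses (RFC 5737 documentation range) and the numeric limits are assumptions chosen for illustration and must be tuned to what the servers can sustain. The %ASA-3-201011 lines in the question show a connection limit of 10000 already applied to those servers, so check the existing policy with `show run policy-map` and `show service-policy` and merge this into the class that sets that limit rather than adding a second one.

```cisco
! Added example, not from the original thread. Names, addresses and
! limits are assumptions for illustration.
!
! The DMZ servers that are being targeted.
object-group network DMZ-WEB-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
! Inbound HTTP/HTTPS to those servers from any source.
access-list ACL-DMZ-WEB extended permit tcp any object-group DMZ-WEB-SERVERS eq www
access-list ACL-DMZ-WEB extended permit tcp any object-group DMZ-WEB-SERVERS eq https
!
class-map CM-DMZ-WEB
 match access-list ACL-DMZ-WEB
!
! global_policy normally exists already and is applied globally with
! "service-policy global_policy global"; the class is added to it.
policy-map global_policy
 class CM-DMZ-WEB
  ! Once 1000 half-open connections exist towards these servers the ASA
  ! proxies the SYN/SYN-ACK exchange itself (TCP intercept); the per-client
  ! value catches any single source that bursts on its own.
  set connection embryonic-conn-max 1000 per-client-embryonic-max 20
  ! Discard half-open connections that never complete after 20 seconds
  ! (the ASA default embryonic timeout is 0:00:30).
  set connection timeout embryonic 0:00:20
  ! Overall caps, kept below what the servers can actually serve.
  set connection conn-max 5000 per-client-max 100
!
service-policy global_policy global
```

Because the sources rotate every few minutes, it is the aggregate embryonic-conn-max that does the work here; per-client limits and per-IP deny rules only ever catch the current source. Verify the policy is active and watch the counters with `show service-policy` (it reports current and embryonic connections per class) and `show conn count`. Note that intercept protects the server from half-open state exhaustion but does nothing about the packets still arriving at the outside interface, which is why the answer's third option, upstream protection at the ISP, remains relevant if link bandwidth itself is being consumed.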