Cisco ASA DDoS Mitigation

jmacaranas
Level 1

Hi, I have been reading the ASA document that describes how to defend against DDoS attacks, specifically SYN attacks.

According to the document, the ASA can defend against half-open TCP connections ("SYN attacks").

But what if the attack was a "PSH+ACK"? AFAIK this is not considered half-open since there's no session related to it.

How does the ASA defend against this? Is there any documentation or are there papers that discuss this?

tia,

2 Replies

mirober2
Cisco Employee

Hi Jerome,

The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:

%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside

-Mike
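To make the reply's point usable on the defender's side, here is a small parser for the %ASA-6-106015 message quoted above, added as an example and not part of Mike's reply or any Cisco tool. The log lines are constructed, and the names parse_deny, summarize, SAMPLE_LOG and the threshold value are assumptions: the script counts "Deny TCP (no connection)" drops per source, destination and flag set so a single stray packet can be told apart from a sustained burst of PSH ACK packets that never completed the 3-way handshake.

```python
import re
from collections import Counter

# Pattern for the ASA-6-106015 "Deny TCP (no connection)" syslog quoted in the reply.
# search() rather than match() so a timestamp/hostname prefix before "%ASA" is tolerated.
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample log (hypothetical values, not from a real device): three PSH ACK
# drops from one source in quick succession, one stray ACK drop, and one unrelated message.
SAMPLE_LOG = [
    "Jan 01 00:00:01 asa %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside",
    "Jan 01 00:00:01 asa %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12346 to 192.168.1.1/80 flags PSH ACK on interface outside",
    "Jan 01 00:00:02 asa %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12347 to 192.168.1.1/80 flags PSH ACK on interface outside",
    "Jan 01 00:00:02 asa %ASA-6-106015: Deny TCP (no connection) from 10.2.2.2/40000 to 192.168.1.1/80 flags ACK on interface outside",
    "Jan 01 00:00:03 asa %ASA-6-302013: Built inbound TCP connection 5 for outside:10.3.3.3/5000 (10.3.3.3/5000) to inside:192.168.1.1/80 (192.168.1.1/80)",
]

def parse_deny(line):
    """Return the fields of a 106015 line as a dict, or None for any other syslog."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["flags"] = fields["flags"].split()   # "PSH ACK" -> ["PSH", "ACK"]
    return fields

def summarize(lines, threshold):
    """Count 106015 drops per (src, dst, flags); return all counts and those >= threshold."""
    # threshold is an assumed tuning value: one stray drop is ordinary (e.g. a late packet
    # after the connection closed); a sustained burst from one source is what to look at.
    counts = Counter()
    for line in lines:
        fields = parse_deny(line)
        if fields is None:
            continue
        counts[(fields["src"], fields["dst"], " ".join(fields["flags"]))] += 1
    noisy = {key: n for key, n in counts.items() if n >= threshold}
    return counts, noisy

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG, threshold=3)
    for (src, dst, flags), n in noisy.items():
        print(f"{n} x {flags} to {dst} from {src} without a connection")
```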

Does this mean if I see the mentioned syslog message that it is a DOS attack?
