11-24-2011 04:31 PM - edited 02-21-2020 04:30 AM
Hi, I have been reading the ASA document describing how to defend against DDoS attacks, specifically SYN attacks.
According to the document, the ASA can defend against half-open TCP connections ("SYN attacks"),
but what if the attack is a "PSH+ACK"? AFAIK this is not considered half-open since there's no session related to it.
How does the ASA defend against this? Is there any documentation or are there papers that discuss this?
tia,
12-20-2011 06:03 AM
Hi Jerome,
The ASA will automatically drop PSH-ACK packets that are not part of an existing connection, which will prevent your server(s) from ever receiving them. The endpoints must first complete a TCP 3-way handshake before these packets would be allowed. You'll see syslogs like this when the packets are dropped:
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/12345 to 192.168.1.1/80 flags PSH ACK on interface outside
-Mike
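The following is an added example (not Cisco's code and not part of Mike's reply) showing how a defender might triage the `%ASA-6-106015` messages described above once they land on a syslog server. It assumes a hypothetical syslog line layout of "Mon DD YYYY HH:MM:SS host message" (the timestamp and host prefix are not part of the ASA message itself), and all log lines are constructed. The point it demonstrates: one "Deny TCP (no connection)" line is routine (a late or stray segment arriving after the connection aged out), while a burst of such denies from one source inside a short window is what a PSH-ACK flood looks like from the ASA's point of view.

```python
"""Triage of ASA %ASA-6-106015 "Deny TCP (no connection)" syslog events.

Added example, not Cisco's code. Assumes a hypothetical syslog-server
line layout "<Mon DD YYYY HH:MM:SS> <host> <ASA message>"; the sample
log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Timestamp/host prefix added by the syslog server (assumed layout, not ASA's).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")

# The 106015 message as shown in the reply above: src/port, dst/port, TCP flags, interface.
MSG_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample: one unrelated "Built connection" line, one lone stray ACK
# from 10.1.1.1, and eight PSH ACK denies from 203.0.113.5 within eight seconds.
SAMPLE_LOG = [
    "Nov 24 2011 16:31:05 fw01 %ASA-6-302013: Built inbound TCP connection 1234 "
    "for outside:198.51.100.7/40001 (198.51.100.7/40001) to dmz:192.168.1.1/80 (192.168.1.1/80)",
    "Nov 24 2011 16:31:09 fw01 %ASA-6-106015: Deny TCP (no connection) "
    "from 10.1.1.1/12345 to 192.168.1.1/80 flags ACK on interface outside",
] + [
    f"Nov 24 2011 16:32:{i:02d} fw01 %ASA-6-106015: Deny TCP (no connection) "
    f"from 203.0.113.5/{50000 + i} to 192.168.1.1/80 flags PSH ACK on interface outside"
    for i in range(8)
]


def parse_line(line):
    """Return a dict for a 106015 event, or None for any other syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = tuple(ev["flags"].split())  # e.g. ("PSH", "ACK")
    t = TS_RE.match(line)
    ev["ts"] = datetime.strptime(t.group("ts"), "%b %d %Y %H:%M:%S") if t else None
    return ev


def peak_rate(events, window_s):
    """Largest number of denies from each source inside any window_s-second window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["ts"] is not None:
            by_src[ev["src"]].append(ev["ts"])
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def triage(lines, window_s=10, threshold=5):
    """Label each source 'flood' if it reaches threshold denies within window_s, else 'stray'."""
    events = [ev for ev in map(parse_line, lines) if ev]
    peaks = peak_rate(events, window_s)
    return {src: ("flood" if n >= threshold else "stray") for src, n in peaks.items()}


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The thresholds (10 seconds, 5 denies) are placeholders to tune against the normal background of 106015 messages on a given firewall; sources that exceed them are candidates for closer inspection rather than confirmed attackers, since asymmetric routing or an aggressive connection timeout can also produce clusters of these denies.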
06-06-2013 10:20 AM
Does this mean if I see the mentioned syslog message that it is a DOS attack?
Sent from Cisco Technical Support iPad App