Detecting DDoS/DoS on ASA w AIP-SSM

Amir Asfandyarov · ‎12-23-2009

Hello!

I'm battling with one problem - I need to detect and (attention) to produce an alert (say, an e-mail alert) after the detection of a DDoS attack - let's take TCP Syn Flood on a particular IP.

What I have: MARS and ASA/AIP-SSM which is controlled via Cisco Security Manager.

As far as I know, AIP-SSM does not support Normalizer signature (3050 for TCP SYN) so it will never fire an alert for this (but this could definitely solve my problem) And ASA has basic threat-detection capabilities and it produces an ASA-4-733100 syslog event after detecting a threat.

But as far as I know I can't a) configure more sophisticated parameters of the ASA's threat-detection on CSM as it doesn't support this in it's interface (at least 3.3.1 version) b) MARS (6.0.4 in my case) also doesn't know anything about this feature (am I right?)

So I can either a) use a Flex-config on CSM to tune the threat-detection feature and write custom parser on MARS b) write custom rule on MARS to catch all the "Built TCP-connection" and "Teardown TCP .... with SYN" messages and to produce alert after hitting a threshold

But may be there is a more straightforward way to do this? Who can advise?

Regards, Amir

vlmacko · ‎12-31-2009

Hi Amir,

did you try use "anomaly detection" feature on IPS module ?

I think, this can help to identify "attack" for your host ..

Regards,

Vladimir

Amir Asfandyarov · ‎01-05-2010

Hi,

Vladimir, thanks for your reply.

Yes, I've tried to use this but may be I've tuned it the wrong way - I am sure it will detec host/ports scans/sweeps but can it discover SYN or FIN floods (I mean, a lot of connections to one host with the same TCP-flag, for eg? I didn't find anything near that.

May be I'm wrong?

Regards, Amir.