
how to identify a DDOS attack

mickyq
Level 1

Hi

I have a suspected DDoS attack going on. I've got a 5550 with software ver 8.0.

I'm looking for TCP sessions which don't complete the setup.

I'm using the show local-host command but there's a lot of output to read through. Is this the best way to try and identify TCP sessions?

In output: TCP flow count/limit = 3/unlimited

What would be considered abnormal?

Any help, command or advice would be appreciated.

thanks

 

 


pantelis1
Level 1

Hi

It kind of depends on what kind of DDoS/DoS attack you think you are getting. For example, do you have an abnormally high number of embryonic connections?

sh local-host | inc embryonic

By default the value is zero (unlimited connections).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html#wp1424045

You can configure such limits as described here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html

Thanks

Pantelis
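
For anyone facing the same volume of `show local-host` output, here is an added example (not from either poster and not Cisco code) that parses a saved capture and ranks hosts by embryonic connection count. The sample output is constructed, and the threshold of 100 is an arbitrary assumption to tune against your own baseline.

```python
import re

# Constructed sample in the layout of ASA `show local-host` output (addresses and counts invented).
SAMPLE = """\
Interface inside: 3 active, 5 maximum active, 0 denied
local host: <192.0.2.10>,
    TCP flow count/limit = 3/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
local host: <192.0.2.25>,
    TCP flow count/limit = 950/unlimited
    TCP embryonic count to host = 912
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2/unlimited
local host: <192.0.2.40>,
    TCP flow count/limit = 180/unlimited
    TCP embryonic count to host = 150
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
"""

HOST_RE = re.compile(r"local host:\s*<([^>]+)>")
FLOW_RE = re.compile(r"TCP flow count/limit\s*=\s*(\d+)/(\S+)")
EMB_RE = re.compile(r"TCP embryonic count to host\s*=\s*(\d+)")

def parse_local_hosts(text):
    """Return {ip: {"tcp_flows", "tcp_limit", "embryonic"}} per local host."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.search(line):
            current = hosts.setdefault(m.group(1), {"tcp_flows": 0, "tcp_limit": None, "embryonic": 0})
        elif current is None:
            continue  # interface header or banner before the first host
        elif m := FLOW_RE.search(line):
            current["tcp_flows"], current["tcp_limit"] = int(m.group(1)), m.group(2)
        elif m := EMB_RE.search(line):
            current["embryonic"] = int(m.group(1))
    return hosts

def suspicious_hosts(text, min_embryonic=100):
    """Hosts at or above the (assumed) threshold, highest embryonic count first."""
    hits = [(ip, h["embryonic"], h["tcp_flows"]) for ip, h in parse_local_hosts(text).items()
            if h["embryonic"] >= min_embryonic]
    return sorted(hits, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for ip, emb, flows in suspicious_hosts(SAMPLE):
        print(f"{ip}: {emb} embryonic of {flows} TCP flows")
```

A host whose embryonic count is a large share of its total TCP flows is the one to look at first when deciding where to apply connection limits.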
