A DoS (denial-of-service) attack, or its distributed form (DDoS), is an attempt to make a computer or any network resource unavailable to its intended users.
To block a DoS attack, it is best to stop the traffic as close as possible to the source that is generating it. The usual solution is to create an ACL, provided the port and IP address of the attacking device are known to us.
When they are not, the Cisco PIX or ASA TCP Intercept feature can still help protect resources from DoS attacks. It lets us configure the maximum number of simultaneous connections allowed to a specific resource and limit the number of embryonic connections to any critical server.
Embryonic connections are connections that have not completed the TCP three-way handshake; flooding a server with them (a SYN flood) is itself a type of DoS attack.
Here are some common types of DoS attack:
- ICMP flood
- SYN flood
- Teardrop attack
- WinNuke
- Distributed denial-of-service attack (hardest to block)
If the embryonic connection limit is reached, the PIX Firewall responds to every SYN packet sent to the server with a SYN+ACK itself and does not pass the SYN packet to the internal server. If the PIX/ASA does not get the ACK back that completes the handshake, it aggressively times out that embryonic connection. Once the defined threshold is reached, the firewall does not let any further such traffic pass through.
Cisco ASA uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.
The PIX/ASA also supports TCP normalization, where you specify criteria that identify abnormal packets, which the security appliance drops when they are detected. This feature uses the Modular Policy Framework (MPF), so implementing TCP normalization consists of:
- Identifying traffic
- Specifying the TCP normalization criteria
- Activating TCP normalization on an interface.
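The following configuration is an added example, not taken from the original post or from Cisco's documentation; it puts the three MPF steps above together with the embryonic-connection limits that trigger TCP Intercept for one protected server. It assumes ASA (or PIX 7.0+) MPF syntax, a web server at 192.0.2.10 reached through an interface named `outside`, and constructed object names (`PROTECT_WEB`, `WEB_SERVER_CLASS`, `WEB_TCP_MAP`, `WEB_SERVER_POLICY`); the numeric limits are illustrative and should be sized to what the real server can handle.

```cisco
! Added example (not from the original post). Assumes ASA/PIX 7.0+ MPF syntax,
! a web server at 192.0.2.10 behind the "outside" interface, and constructed
! object names; size the limits to the server's real capacity.
!
! Step 1: identify the traffic to protect
access-list PROTECT_WEB extended permit tcp any host 192.0.2.10 eq www
class-map WEB_SERVER_CLASS
 match access-list PROTECT_WEB
!
! Step 2: specify the TCP normalization criteria (abnormal packets are
! dropped or cleaned up before they reach the server)
tcp-map WEB_TCP_MAP
 syn-data drop
 reserved-bits clear
 urgent-flag clear
 exceed-mss drop
 invalid-ack drop
 seq-past-window drop
 window-variation drop
 tcp-options range 6 7 clear
 check-retransmission
 checksum-verification
 ttl-evasion-protection
!
! Step 3: apply the connection limits (TCP Intercept) and the normalization
! criteria to that traffic, then activate the policy on the interface
policy-map WEB_SERVER_POLICY
 class WEB_SERVER_CLASS
  set connection conn-max 2000 embryonic-conn-max 500 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:30
  set connection advanced-options WEB_TCP_MAP
service-policy WEB_SERVER_POLICY interface outside
!
! Verify the policy is attached and watch the counters during an event
show service-policy interface outside
show conn
```

With this in place, the appliance answers SYNs on the server's behalf once 500 half-open connections exist and only opens the real connection to 192.0.2.10 after the client completes the handshake. The `per-client-embryonic-max 20` limit catches a single misbehaving source well before the aggregate limit is hit, and the 30-second embryonic timeout shortens how long each half-open entry occupies the connection table. `show service-policy interface outside` reports the per-class connection and embryonic counts, which is the first thing to check when tuning the thresholds.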