Tuesday, 29 September 2009


DOS and DDOS.... !

DOS or distributed denial-of-service attack is an attempt to make Computer or Any network resource unavailable to its intended users

To block and DoS attack, it is best to block the traffic as close to the source that is generating the attack As a solution we normally create ACL if the Port and IP address of attacking device is Known to us.

However Cisco PIX or ASA TCP Intercept feature can help protect resources from DoS attacks. This enables us to configure the maximum number simultanious allowed connectiones for the specific Resource and Limit the number of embryonic connections to any critical server.

Howvere Embryonic connections are connections that have not completed the TCP three-way handshake. whihc is also the type of a DOS attack

Here are some common types of DOS attack

  • ICMP Flood
  • SYN Flood
  • Tear Drop Attack
  • Distributed Denial of Service Attack (hardest to block)
A wide range of programs are used to launch DoS-attacks well it is considered as the easeast to launch and difficult to block.

If the embryonic connection limit is reached, the PIX Firewall responds to every SYN packet sent to the server with a SYN+ACK, and does not pass the SYN packet to the internal server.If the PIX/ ASA does not get an ACK back from the server, it aggressively times out that embryonic connection. threshold is defined as son as it is reached Firewall dont alow any trrafic to pass through

Cisco ASA uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets

The PIX/ASA also supports TCP normalization where you specify criteria that identify abnormal packets, which the security appliance drops when they are detected. This feature uses Modular Policy Framework, so that implementing TCP normalization consists of

  • Identifying traffic
  • Specifying the TCP normalization criteria
  • Activating TCP normalization on an interface.


  1. Good Article, But a question, Say you have 10 Gig of attack traffic coming from a botnet aimed at PIX/ASA Interface. and out of that 10G traafic 2 GB is ligitimate Traffic that should be pass through. How any Appliance possibally going to cope with that. Given that we have a record of 25GB of SQL DOS attacks around.
    Tariq Mansoor ( Melbourne )

  2. There are lot different solutions in the market claming to defend you against DOS specially DDOS when it spoofs your server farm IP and then IPS even cant help you any more , One of the approch says to increase the bandwidth which seems to be a bit crap (well its the solution) however there are some ISPs that market them self to willingly work with the client fighting with DOS AND DDOS i.e Cybercon.com

    there are a lot more concepts on whihc you can even write a book i would like to mention two for your satisfaction one is BGP blackholing and second Cisco Sells Anomaly detector and guard which protects large organization against DDOS at multi gigabit speed but need 6500 chasis and need to be implimented with hand to hand colaboration of your ISP As well

    Hope this would be a bit informative

  3. that means that Small Businnesses will rely on ISPs to fight DDOS, or Spend enough money to be able to do BGP Blackhole. and i think in cisco gaurd you still have to manually filter the traffic and needs to be in line ?

  4. On Cisco Modules at 6500 there are different Algos to hold DOS and DDOS attack , Its not totally manual and not atomated either