Wednesday, June 25, 2014

ASA TCP intercept (syn-flood)

Syn-flood attack
1. The attacker sends a TCP SYN.
2. The server receives it and replies with a SYN/ACK.
3. The attacker never sends the final ACK.
4. The server keeps waiting for the ACK.

When many half-open sessions are waiting for ACKs, server resources are consumed.

Let's do a SYN flood attack (Kali Linux).

Result of the SYN flood attack:

The number of sessions waiting for ACKs is 16421.

Solution

The ASA supports TCP intercept, which protects the server from a SYN flood attack.

TCP intercept: the ASA intercepts TCP SYNs once the number of waiting (embryonic) sessions exceeds the pre-configured limit.
If you configure the limit with a maximum of 7, then once 7 SYN requests are pending, the ASA answers the SYNs on the server's behalf and takes over the handshake from then on.
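The post's ASA configuration was only shown as a screenshot, so here is an added example (not the post's own configuration) of the Modular Policy Framework commands that apply the embryonic-connection limit described above to traffic bound for a web server. The server address 192.0.2.10 and the names WEB-SERVER, WEB-SERVER-CLASS and OUTSIDE-POLICY are assumed placeholders; the interface name outside and the limit of 7 match the post.

```text
! Constructed example, not from the post: TCP intercept for one web server.
! 192.0.2.10 is a placeholder for the DMZ web server address.
access-list WEB-SERVER extended permit tcp any host 192.0.2.10 eq www
!
class-map WEB-SERVER-CLASS
 match access-list WEB-SERVER
!
! Once 7 half-open (embryonic) connections to the server exist, the ASA
! answers further SYNs itself and only passes a connection to the server
! after the client completes the three-way handshake.
policy-map OUTSIDE-POLICY
 class WEB-SERVER-CLASS
  set connection embryonic-conn-max 7
!
service-policy OUTSIDE-POLICY interface outside
```

To check that the policy is active, use show service-policy, which lists the connection limits applied to each class, and show conn, whose "in use" count is the figure the post quotes below. A limit of 7 is the post's demonstration value; for a production server the limit is sized to what the server's listen backlog can actually hold, and set connection per-client-embryonic-max can additionally cap half-open connections per source address.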

Result

I will send the SYN flood attack again. This time, there should be fewer than 8 sessions.

It shows 8 in use, but the last one is between the DMZ and outside interfaces.
There are 7 sessions between the attacker and the web server.
