End a Single Session DoS Attack

To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.
  1. Identify the source IP address that is causing the attack.
    For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, use the ACC to filter on destination address to view the activity to the target host being attacked.
  2. Create a DoS Protection policy rule that will block the attacker’s IP address after the attack thresholds are exceeded.
  3. Create a Security policy rule to deny the source IP address and its attack traffic.
  4. End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command.
    Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only.
    If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.
    After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Multiple-Session DoS Attack.
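The following CLI sequence is an added illustration of step 4 with a verification check before and after the clear; it is not part of the original page. The firewall hostname (PA-VM), the attacker address 198.51.100.23, the target address 203.0.113.10 and the session ID 12345 are constructed placeholders, and the command output is omitted.

```console
admin@PA-VM> show session all filter source 198.51.100.23 destination 203.0.113.10
admin@PA-VM> clear session all filter source 198.51.100.23
admin@PA-VM> show session all filter source 198.51.100.23
admin@PA-VM> show session id 12345
admin@PA-VM> clear session id 12345
```

The first show session command confirms which sessions from the suspected source are open to the target host before anything is discarded; the second, run after the clear, should return no entries for that source. The show session id and clear session id pair is the narrower alternative for ending only the one session you have identified, leaving other sessions from that address untouched.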
