ASA DDoS protection

Cisco ASA devices provide basic DoS attack detection by monitoring the rates at which packets are dropped for various reasons. The ASA generates statistics from these drop rates, which can then be analyzed to determine the type of attack being experienced.
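To make the rate-based mechanism concrete, the following Python model is an added example; it is not Cisco code and does not parse real ASA output. It reproduces the shape of the ASA basic-threat check, where each drop reason has an average rate measured over a configurable rate interval and a burst rate measured over a much shorter burst window. The drop-reason names, the threshold values and the rule that the burst window is 1/30 of the rate interval with a 10-second floor are assumptions modelled on the threat-detection documentation linked below, and the drop log is constructed inline.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateThreshold:
    """Thresholds for one drop reason, in the spirit of an ASA
    `threat-detection rate <reason> rate-interval R average-rate A burst-rate B`
    line (values here are assumptions, not a recommended configuration)."""
    rate_interval: int    # seconds over which the average rate is measured
    average_rate: float   # drops per second, averaged over rate_interval
    burst_rate: float     # drops per second, averaged over the burst interval

    @property
    def burst_interval(self) -> int:
        # Assumption modelled on the ASA documentation: the burst window is
        # 1/30 of the rate interval, but never shorter than 10 seconds.
        return max(self.rate_interval // 30, 10)


class DropRateMonitor:
    """Sliding-window monitor: counts dropped packets per reason and raises an
    alert the first time the average or the burst rate exceeds its threshold."""

    def __init__(self, thresholds: dict):
        self.thresholds = thresholds
        self._drops = defaultdict(deque)   # reason -> timestamps of recent drops
        self.alerts = {}                   # (reason, kind) -> time first raised

    def record(self, ts: float, reason: str) -> list:
        """Record one dropped packet at time ts; return alerts newly raised."""
        thr = self.thresholds.get(reason)
        if thr is None:
            return []
        window = self._drops[reason]
        window.append(ts)
        # Forget drops that fell out of the (longer) average-rate window.
        while window and window[0] <= ts - thr.rate_interval:
            window.popleft()
        avg = len(window) / thr.rate_interval
        burst_count = sum(1 for t in window if t > ts - thr.burst_interval)
        burst = burst_count / thr.burst_interval
        raised = []
        for kind, rate, limit in (("average", avg, thr.average_rate),
                                  ("burst", burst, thr.burst_rate)):
            key = (reason, kind)
            if rate > limit and key not in self.alerts:
                self.alerts[key] = ts
                raised.append(key)
        return raised


def constructed_drop_log() -> list:
    """Constructed sample, not real ASA statistics: a quiet baseline, a
    one-second ICMP flood, then a sustained connection-limit drop rate."""
    events = []
    # Baseline: one ACL drop every 10 s for five minutes.
    events += [(t, "acl-drop") for t in range(0, 300, 10)]
    # Short flood: 60 ICMP drops inside a single second.
    events += [(300 + i / 60, "icmp-drop") for i in range(60)]
    # Sustained: three connection-limit drops per second for five minutes.
    events += [(400 + i / 3, "conn-limit-drop") for i in range(900)]
    events.sort()
    return events


def run_monitor(events=None) -> dict:
    """Feed a drop log through the monitor and return the alerts it raised."""
    thresholds = {
        "acl-drop": RateThreshold(600, 1, 2),
        "icmp-drop": RateThreshold(600, 1, 2),
        "conn-limit-drop": RateThreshold(600, 1, 2),
    }
    mon = DropRateMonitor(thresholds)
    for ts, reason in (events if events is not None else constructed_drop_log()):
        mon.record(ts, reason)
    return mon.alerts


if __name__ == "__main__":
    for (reason, kind), ts in sorted(run_monitor().items(), key=lambda kv: kv[1]):
        print(f"t={ts:7.2f}s  {reason:16s} {kind}-rate threshold exceeded")
```

Running the sample shows the two kinds of threshold in action: the one-second ICMP flood trips only the burst rate (60 drops over a 20-second burst window, but too few to move the 600-second average), while the sustained connection-limit drops trip the burst rate first and the average rate once more than 600 drops have accumulated in the interval. The baseline ACL drops never alert. The same statistics are the raw material for deciding which type of attack is under way, as the paragraph above describes.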

Distributed DoS (DDoS) attacks are a different story. Because the traffic comes from many different sources at once, an ASA cannot detect such an attack, let alone protect against it. To achieve this you need a Next-Generation Firewall (NGFW) such as Cisco Firepower, or a comparable product from another vendor.

Links:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/conns-threat.html#ID-2132-000000e5

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

https://www.cisco.com/c/en/us/products/security/secure-ddos-protection/index.html