Velocity Reviews - Computer Hardware Reviews

IOS DoS defense causes DoS to itself:)

 
 
Igor Mamuzic
Guest
Posts: n/a
 
      05-12-2006
Can I somehow skip the IOS firewall's maximum TCP half-open "sessions" control (DoS
countermeasure) for certain amounts of traffic (matched by ACL)? I have seen
several times (including today) that internal hosts (mostly infected by a
virus) reach the upper threshold defined for half-open connections and then
the router runs into trouble forwarding other legitimate traffic. If you then
just remove the ip inspect rule from the interface, then, for example, web browsing
performance returns to normal. So it would be nice if I could only log an
excessive number of half-open connections instead of terminating them.

Of course, Cisco TAC suggests that you block unnecessary outbound
connections to keep the half-open connection rate below the upper threshold, but
sometimes that's not acceptable - you don't want to block any traffic if you
are not sure that this is a virus, and that is my situation: my
routers are used in a small ISP, so it's "unethical" to block customer
traffic.

B.R.
Igor



 
tippenring
Guest
Posts: n/a
 
      05-14-2006
You can adjust the max value for half-open sessions, and most other ip
inspect values.

On a side note: If your policy is not to block traffic, then why use ip
inspect on your customer traffic at all?

 
 
Igor Mamuzic
Guest
Posts: n/a
 
      05-19-2006
If you go with tuning (as I do) then you have to make these ip inspect
values very high, but it would be nice if you could set up different values
for different types of traffic selected by ACL or route-map.

I need ip inspect since my customers are using the same interfaces as I do
and this IOS firewall protects my internal network.

B.R.
Igor

"tippenring" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> You can adjust the max value for half-open sessions, and most other ip
> inspect values.
>
> On a side note: If your policy is not to block traffic, then why use ip
> inspect on your customer traffic at all?
>



 
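The threshold tuning tippenring refers to, and the logging Igor is asking for, as a worked IOS CBAC configuration. This is an added example and not configuration posted by either participant; the inspection rule name `CUSTOMER-FW`, the interface, the syslog host address and every numeric value are assumed placeholders that you would size for your own half-open session counts.

```cisco
! Added example, not from the thread: CBAC half-open session tuning.
! Rule name, interface, syslog host and all numbers are assumed.
!
! Aggregate thresholds. Once the router-wide count of half-open TCP/UDP
! sessions passes the high mark, CBAC deletes half-open sessions until the
! count drops below the low mark. The defaults (500 high / 400 low) are the
! values an infected customer host trips; raise them to fit real traffic.
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1800
!
! Rate thresholds: same mechanism, measured as new half-open sessions per
! minute instead of as an absolute count.
ip inspect one-minute high 2000
ip inspect one-minute low 1800
!
! Per-destination-host limit. Note this counts half-open sessions toward
! one destination host, so a source scanning many destinations is caught
! by the aggregate thresholds above, not by this one. With block-time 0
! CBAC drops only the oldest half-open session to that host for each new
! request instead of blocking all new connections to the host for a time,
! which is the closest CBAC gets to "log, don't terminate".
ip inspect tcp max-incomplete host 100 block-time 0
!
! Age out unanswered SYNs faster (default is 30 seconds) so that worm
! traffic leaves the half-open table sooner.
ip inspect tcp synwait-time 15
!
! Send session audit records and threshold events to syslog so the excess
! is visible in logs before it turns into dropped customer traffic.
ip inspect audit-trail
logging buffered 65536 informational
logging host 192.0.2.10
!
! Inspection rule and the customer-facing interface it is applied to.
ip inspect name CUSTOMER-FW tcp
ip inspect name CUSTOMER-FW udp
!
interface FastEthernet0/0
 description Customer-facing LAN (assumed)
 ip inspect CUSTOMER-FW in
```

After applying, `show ip inspect config` confirms the thresholds in force and `show ip inspect sessions` shows the current half-open count, which is the number to compare against the high mark when deciding how far to raise it. The thresholds are global to the router (plus the per-destination-host limit), which is why the ACL-selected values Igor wishes for are not available with these commands.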