IOS DoS defense causes DoS to itself:)

Discussion in 'Cisco' started by Igor Mamuzić, May 12, 2006.

  1. Igor Mamuzić

    Can I somehow skip the IOS firewall's maximum TCP half-open "sessions"
    control (DoS countermeasure) for certain amounts of traffic (matched by an
    ACL)? I have seen several times (including today) that internal hosts
    (mostly infected by a virus) reach the upper threshold defined for half-open
    connections, and then the router runs into trouble forwarding other
    legitimate traffic. If you then just remove the ip inspect rule from the
    interface, then, for example, web browsing performance returns to normal.
    So it would be nice if I could only log an excessive number of half-open
    connections instead of terminating them.

    Of course, Cisco TAC suggests that you block unnecessary outbound
    connections to keep the half-open connection rate below the upper
    threshold, but sometimes that's not acceptable: you don't want to block any
    traffic if you are not sure that it is a virus, and that is my situation,
    in which my routers are used in a small ISP, so it's "unethical" to block
    customer traffic :)

    B.R.
    Igor
     
    Igor Mamuzić, May 12, 2006
    #1

  2. tippenring

    You can adjust the max value for half-open sessions, and most other ip
    inspect values.

    On a side note: If your policy is not to block traffic, then why use ip
    inspect on your customer traffic at all?
     
    tippenring, May 14, 2006
    #2

  3. Igor Mamuzić

    If you go with tuning (as I do), then you have to make these ip inspect
    values very high, but it would be nice if you could set up different values
    for different types of traffic selected by an ACL or route-map.

    I need ip inspect since my customers use the same interfaces as I do, and
    this IOS firewall protects my internal network.

    B.R.
    Igor

    "tippenring" <> wrote in message
    news:...
    > You can adjust the max value for half-open sessions, and most other ip
    > inspect values.
    >
    > On a side note: If your policy is not to block traffic, then why use ip
    > inspect on your customer traffic at all?
    >
     
    Igor Mamuzic, May 20, 2006
    #3
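The tuning discussed in posts #2 and #3, written out as an added configuration example (not configuration posted by anyone in the thread). It shows the CBAC (`ip inspect`) thresholds whose defaults caused the aggressive-mode drops described in post #1, raised to values that fit a small-ISP link, plus the commands used to confirm what the router is doing. The interface name, the inspect rule name CUSTFW and all numeric values are assumptions for illustration; they must be sized to the platform and the real connection rate.

```ios
! Added example, not from the original thread: CBAC half-open tuning on a
! Cisco IOS router. Interface, rule name and numbers are assumed values.
!
! Global aggressive-mode thresholds. When the number of half-open sessions
! (or the one-minute rate of new connection attempts) passes the high
! watermark, CBAC starts deleting half-open sessions and keeps deleting until
! the count drops to the low watermark. That deletion is what hit legitimate
! traffic in post #1. The defaults are 500/400 for both pairs, which a single
! scanning host exceeds easily. These thresholds are global: classic CBAC has
! no per-ACL or per-route-map variant, so the values must fit the busiest
! legitimate case (hence "very high" in post #3).
ip inspect max-incomplete high 20000
ip inspect max-incomplete low 18000
ip inspect one-minute high 20000
ip inspect one-minute low 18000
!
! Per-destination-host TCP limit. With block-time 0 (the default) CBAC drops
! the oldest half-open session to that host for each new SYN instead of
! blocking the host; a non-zero block-time blocks new connections to it for
! that many minutes.
ip inspect tcp max-incomplete host 2000 block-time 0
!
! Keep a half-open TCP session for 15 s instead of the default 30 s, so
! sessions opened by a scanning host age out of the table sooner.
ip inspect tcp synwait-time 15
!
! Log session creation and deletion so threshold events can be reviewed. The
! router also logs %FW-4-ALERT_ON / %FW-4-ALERT_OFF when it enters and leaves
! aggressive mode; those two messages are the ones to watch for.
ip inspect audit-trail
!
ip inspect name CUSTFW tcp
ip inspect name CUSTFW udp
!
interface FastEthernet0/0
 description inside / customer-facing (assumed)
 ip inspect CUSTFW in
!
! Verification (privileged EXEC):
!   show ip inspect config      - thresholds currently in effect
!   show ip inspect statistics  - half-open counters, aggressive-mode history
!   show ip inspect sessions    - live inspected sessions
```

Raising the watermarks only moves the problem; a host that reaches 20000 half-open sessions still trips the same behaviour. The per-class thresholds asked for in post #1 are not available in CBAC, but the later zone-based firewall provides them through `parameter-map type inspect`, which carries its own `max-incomplete`, `one-minute` and `tcp max-incomplete host` settings and attaches to a class map, so ACL-selected traffic can get different limits there.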
