IOS DoS defense causes DoS to itself:)

Discussion in 'Cisco' started by Igor Mamuziæ, May 12, 2006.

  1. Can I somehow skip IOS fw maximum tcp half-open "sessions" control (DoS
    countermeasure) for certain amounts of traffic (matched by ACL)? I saw
    several times (including today) that internal hosts (mostly infected by
    virus) reaches upper threshold defined for half-opened connections and then
    router run into trouble with forwarding other legal traffic. If you then
    just remove ip inspect rule from interface then, for example web browsing
    performance comes to normal. So, it would be nice if I could only log
    excessive number of half-opened connections instead of terminating it.

    Of course, Cisco TAC suggests that you block unnecessary outbound
    connections to keep half-opened conn. rate below upper threshold, but
    sometimes it's not acceptable - you don't want to block any traffic if you
    are not sure that this is a virus and this is my situation in which my
    routers are used in small ISP, so it's "unethically" to block customer

    Igor Mamuziæ, May 12, 2006
    1. Advertisements

  2. Igor Mamuziæ

    tippenring Guest

    You can adjust the max value for half-open sessions, and most other ip
    inspect values.

    On a side note: If your policy is not to block traffic, then why use ip
    inspect on your customer traffic at all?
    tippenring, May 14, 2006
    1. Advertisements

  3. Igor Mamuziæ

    Igor Mamuzic Guest

    If you go with tuning (as I do) then you have to make these ip inspect
    values very high, but it would be nice if you could set up different values
    for a different types of traffic selected by acl or route-map.

    I need ip inspect since my customers are using the same interfaces as I do
    and this IOS firewall protects my internal network.

    Igor Mamuzic, May 20, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.