IOS DoS defense causes DoS to itself:)

Discussion in 'Cisco' started by Igor Mamuzić, May 12, 2006.

  1. Can I somehow skip IOS fw maximum tcp half-open "sessions" control (DoS
    countermeasure) for certain amounts of traffic (matched by ACL)? I have seen
    several times (including today) that internal hosts (mostly infected by a
    virus) reach the upper threshold defined for half-opened connections and then
    the router runs into trouble forwarding other legal traffic. If you then
    just remove the ip inspect rule from the interface, then, for example, web
    browsing performance comes back to normal. So, it would be nice if I could only
    log an excessive number of half-opened connections instead of terminating them.

    Of course, Cisco TAC suggests that you block unnecessary outbound
    connections to keep the half-opened conn. rate below the upper threshold, but
    sometimes that's not acceptable: you don't want to block any traffic if you
    are not sure that it is a virus, and this is my situation, in which my
    routers are used in a small ISP, so it's "unethical" to block customer
    traffic:)

    B.R.
    Igor
     
    Igor Mamuzić, May 12, 2006
    #1

  2. tippenring (Guest)

    You can adjust the max value for half-open sessions, and most other ip
    inspect values.

    On a side note: If your policy is not to block traffic, then why use ip
    inspect on your customer traffic at all?
     
    tippenring, May 14, 2006
    #2

  3. Igor Mamuzic (Guest)

    If you go with tuning (as I do) then you have to make these ip inspect
    values very high, but it would be nice if you could set up different values
    for different types of traffic selected by an acl or route-map.

    I need ip inspect since my customers are using the same interfaces as I do
    and this IOS firewall protects my internal network.

    B.R.
    Igor

    "tippenring" <> wrote in message
    news:...
    > You can adjust the max value for half-open sessions, and most other ip
    > inspect values.
    >
    > On a side note: If your policy is not to block traffic, then why use ip
    > inspect on your customer traffic at all?
    >
     
    Igor Mamuzic, May 20, 2006
    #3
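An added example, not from the thread or from Cisco, of the classic IOS CBAC knobs tippenring says can be adjusted (post #2) and of the "very high" tuning plus logging approach Igor describes in post #3. The inspect-rule name FW, the interface name and the threshold values are assumptions for illustration; the defaults quoted in the comments are those of the 12.x CBAC documentation. Note that these thresholds are global to the router, which is why the per-ACL threshold Igor asks for cannot be expressed with these commands.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Aggregate half-open session thresholds (defaults: high 500, low 400).
! Above "high" the firewall starts deleting the oldest half-open sessions
! and logs %FW-4-ALERT_ON ("getting aggressive"); it stops, and logs
! %FW-4-ALERT_OFF, once the count falls below "low".
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1500

! Same pair for the rate of new half-open sessions per minute (defaults 500/400).
ip inspect one-minute high 2000
ip inspect one-minute low 1500

! Per-destination-host limit (default: 50, block-time 0).
! With block-time 0 the router never blocks the host; for each new SYN it
! only deletes the oldest half-open session to that host. A non-zero
! block-time (minutes) would instead drop all new SYNs to that host for
! that period, which is the behaviour an ISP usually wants to avoid.
ip inspect tcp max-incomplete host 200 block-time 0

! Keep threshold alerts enabled (they are on by default) and add per-session
! audit records, so "getting aggressive" events are visible in syslog before
! customers report slow browsing.
no ip inspect alert-off
ip inspect audit-trail

! Inspect rule and interface binding (names assumed).
ip inspect name FW tcp
ip inspect name FW udp

interface FastEthernet0/0
 description inside, shared with customer traffic
 ip inspect FW in

! Verification while tuning:
!   show ip inspect config     (current thresholds and timeouts)
!   show ip inspect sessions   (half-open vs. established sessions)
```

Raising the aggregate "high" value only moves the point at which the router starts tearing down sessions; the per-host limit with block-time 0 is the setting that keeps one infected customer from driving the aggregate counters over the threshold and degrading everyone else's traffic.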