Tuesday, September 25, 2007

Detecting and Protecting Against DoS Attacks Step by Step

Reference:
Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
Configuring TCP Intercept (Prevent Denial-of-Service Attacks)
Denial of Service Tuning for Cisco IOS Software Firewall and IPS

Is the TCP Intercept feature needed with Context-Based Access Control (CBAC)? Cisco IOS Intrusion Detection System (IDS)/CBAC and the TCP Intercept feature work independently of each other and should not be used together, because they use the same internal engine.



Detecting DoS Attacks
1, Tuning parameters for Cisco IOS Software Firewall and IPS
Default Values
DoS Protection Value            Prior to 12.4(11)T/12.4(10)    12.4(11)T/12.4(10) and later
max-incomplete high value       500                            Unlimited
max-incomplete low value        400                            Unlimited
one-minute high value           500                            Unlimited
one-minute low value            400                            Unlimited
tcp max-incomplete host value   50                             Unlimited


The counter for “ip inspect one-minute high” and “ip inspect one-minute low” maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router, whether the connections have been successful or not. A rising connection rate can be indicative of a worm infection on a private network or an attempted DoS attack against a server.

max-incomplete tcp connections per host is 100000. Block-time 0 minute.



The DoS settings can be viewed with the exec command show ip inspect config, and the settings are included with the output of sh ip inspect all.


Follow this procedure to tune the DoS protection of your firewall to the activity of your network:
1, Be sure that your network is not infected with viruses or worms that can lead to erroneously large half-open connection values or attempted connection rates.

2, Set the max-incomplete high values to very high values:
ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0

3, Clear the Cisco IOS Firewall statistics with this command: show ip inspect statistics reset

4, Leave the router configured in this state for some time, perhaps as long as 24 to 48 hours, so you can observe the network pattern over at least one full day of the typical network activity cycle.

5, After the observation period, check the DoS counters with this command: show ip inspect statistics
Maxever session counts (estab/half-open/terminating) [207:56:35]
Maxever session creation rate 330

Configure ip inspect max-incomplete high to a value 25-percent higher than the maxever session count half-open value shown for your router, for example:
Maxever session counts (estab/half-open/terminating) [207:56:35]
56 * 1.25 = 70
Configure: router(config)#ip inspect max-incomplete high 70

Configure ip inspect max-incomplete low to the maxever session count half-open value your router displayed, for example:
Maxever session counts (estab/half-open/terminating) [207:56:35]
Configure: router(config)#ip inspect max-incomplete low 56

Calculate and configure ip inspect one-minute low. Add the three maxever session counts and increase the sum by 10 percent, for example:
Maxever session counts (estab/half-open/terminating) [207:56:35]
(207 + 56 + 35) * 1.1 = 328
Configure: ip inspect one-minute low 328
If the router runs Cisco IOS Software Release 12.4(11)T or later, or 12.4(10) or later, you can simply apply the value shown in the "Maxever session creation rate" inspection statistic:
Maxever session creation rate 330
Configure: ip inspect one-minute low 330

Calculate and configure ip inspect one-minute high. The ip inspect one-minute high value must be 25-percent greater than the calculated one-minute low value, for example:
ip inspect one-minute low (330) * 1.25 = 413
Configure: ip inspect one-minute high 413

You need to define a value for ip inspect tcp max-incomplete host in accordance with your knowledge of the capability of your servers.
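As an added example (not code from the original post or from the Cisco documents it cites), the following Python script applies the tuning rules above to the two `show ip inspect statistics` lines the procedure relies on, rounding each threshold up to a whole session; the sample output, function names and the release flag are constructed assumptions.

```python
import re

# Constructed sample of the two `show ip inspect statistics` lines the tuning
# procedure uses; not captured from a real router.
SAMPLE_STATS = """\
Maxever session counts (estab/half-open/terminating) [207:56:35]
Maxever session creation rate 330
"""

COUNTS_RE = re.compile(r"Maxever session counts .*?\[(\d+):(\d+):(\d+)\]")
RATE_RE = re.compile(r"Maxever session creation rate (\d+)")


def scale_up(value, percent):
    """Increase value by `percent` and round up to a whole session.
    Integer arithmetic avoids float artefacts (298 * 1.1 -> 328, 330 * 1.25 -> 413)."""
    return -(-value * (100 + percent) // 100)


def parse_maxever(output):
    """Pull the maxever counts (and creation rate, if present) out of show output."""
    counts = COUNTS_RE.search(output)
    if counts is None:
        raise ValueError("no 'Maxever session counts' line in output")
    estab, half_open, terminating = (int(x) for x in counts.groups())
    rate = RATE_RE.search(output)
    return {"estab": estab, "half_open": half_open, "terminating": terminating,
            "creation_rate": int(rate.group(1)) if rate else None}


def tune_thresholds(stats, newer_release=False):
    """Derive the four ip inspect thresholds from the observed maxever values.
    newer_release=True means 12.4(11)T/12.4(10) or later, where the creation-rate
    statistic can be used directly for one-minute low."""
    max_high = scale_up(stats["half_open"], 25)          # half-open + 25 %
    max_low = stats["half_open"]                          # half-open as observed
    if newer_release and stats["creation_rate"] is not None:
        one_min_low = stats["creation_rate"]
    else:  # sum of all three counts + 10 %
        one_min_low = scale_up(stats["estab"] + stats["half_open"] + stats["terminating"], 10)
    one_min_high = scale_up(one_min_low, 25)              # one-minute low + 25 %
    return {"max_incomplete_high": max_high, "max_incomplete_low": max_low,
            "one_minute_low": one_min_low, "one_minute_high": one_min_high}


def render_commands(thresholds):
    """Emit the global configuration commands in the order the procedure gives them."""
    return [f"ip inspect max-incomplete high {thresholds['max_incomplete_high']}",
            f"ip inspect max-incomplete low {thresholds['max_incomplete_low']}",
            f"ip inspect one-minute low {thresholds['one_minute_low']}",
            f"ip inspect one-minute high {thresholds['one_minute_high']}"]


if __name__ == "__main__":
    print("\n".join(render_commands(tune_thresholds(parse_maxever(SAMPLE_STATS), True))))
```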
 

  • ip inspect max-incomplete high 500—This global command instructs IOS to start deleting the half-open sessions when the number of existing half-open sessions reaches 500. The number of half-open sessions cannot exceed 500.

  • ip inspect max-incomplete low 400—This global command instructs IOS to stop deleting the half-open sessions when the number of existing half-open sessions falls to 400.

  • ip inspect one-minute high 500—This global command instructs IOS to start deleting the half-open sessions if the rate of half-open TCP sessions exceeds 500 sessions per minute.

  • ip inspect one-minute low 400—This global command instructs IOS to stop deleting the half-open sessions if the rate of half-open TCP sessions falls to 400 sessions per minute.

  • ip inspect tcp synwait-time 30—This global command defines the wait time before a half-open TCP session is dropped.



Protecting Against DoS Attacks
