IOS DoS defense causes DoS to itself:)

Post by » Sun, 14 May 2006 03:18:09


Can I somehow skip the IOS fw maximum TCP half-open "sessions" control (DoS
countermeasure) for certain amounts of traffic (matched by ACL)? I have seen
several times (including today) that internal hosts (mostly infected by a
virus) reach the upper threshold defined for half-open connections, and then
the router runs into trouble forwarding other legal traffic. If you then
just remove the ip inspect rule from the interface, then, for example, web
browsing performance returns to normal. So it would be nice if I could only
log the excessive number of half-open connections instead of terminating them.

Of course, Cisco TAC suggests that you block unnecessary outbound
connections to keep the half-open conn. rate below the upper threshold, but
sometimes it's not acceptable: you don't want to block any traffic if you
are not sure that this is a virus, and this is my situation, in which my
routers are used in a small ISP, so it's "unethical" to block customer
traffic:)

B.R.
Igor

Post by tippenrin » Tue, 16 May 2006 00:22:30

You can adjust the max value for half-open sessions, and most other ip
inspect values.

On a side note: If your policy is not to block traffic, then why use ip
inspect on your customer traffic at all?


Post by Igor Mamuz » Sun, 21 May 2006 08:59:48

If you go with tuning (as I do), then you have to make these ip inspect
values very high, but it would be nice if you could set up different values
for different types of traffic selected by ACL or route-map.

I need ip inspect since my customers are using the same interfaces as I do
and this IOS firewall protects my internal network.

B.R.
Igor
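Added example (not from either poster): a classic CBAC tuning fragment of the kind the second post describes, followed by the equivalent in the Zone-Based Policy Firewall of later IOS releases, where the thresholds sit in a parameter-map attached per class, which gives the ACL-selected limits Igor asks for. Threshold values, interface names and the 192.0.2.0/24 customer range are assumed.

```cisco
! --- Classic CBAC (ip inspect): global knobs, as in the second post ---
! Aggregate half-open ceiling. Above "high" the router deletes half-open
! sessions until the count drops to "low". Defaults of the era were 500/400.
ip inspect max-incomplete high 3000
ip inspect max-incomplete low 2500
! Same pair for the rate of new half-open sessions per minute.
ip inspect one-minute high 2000
ip inspect one-minute low 1500
! Per-DESTINATION-host limit (it does not key on the infected source).
! block-time 0 = drop the oldest half-open session per new SYN instead of
! blocking all new connections to that host for N minutes.
ip inspect tcp max-incomplete host 200 block-time 0
! Log threshold crossings so the offending customer host can be found.
ip inspect audit-trail
logging buffered 65536 informational
!
! --- Zone-Based Policy Firewall (later IOS): per-class thresholds ---
! Limits live in a parameter-map attached per class, so ACL-selected
! customer traffic gets its own numbers while the ISP's own traffic keeps
! the defaults. 192.0.2.0/24 is an assumed customer range (TEST-NET).
ip access-list extended CUSTOMER-NETS
 permit ip 192.0.2.0 0.0.0.255 any
ip access-list extended ANY-IP
 permit ip any any
class-map type inspect match-all CUSTOMER
 match access-group name CUSTOMER-NETS
class-map type inspect match-all OTHER-INSIDE
 match access-group name ANY-IP
parameter-map type inspect CUSTOMER-LIMITS
 max-incomplete high 5000
 max-incomplete low 4500
 tcp max-incomplete host 200 block-time 0
 audit-trail on
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect CUSTOMER
  inspect CUSTOMER-LIMITS
 class type inspect OTHER-INSIDE
  inspect
 class class-default
  drop
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

Class order matters: CUSTOMER must precede the catch-all OTHER-INSIDE class, or customer traffic is inspected with the default limits. Check the result with `show ip inspect config` (CBAC) or `show policy-map type inspect zone-pair` (ZBF).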