CBAC uses timeouts and thresholds to determine how long to manage
state information for a session, and to determine when to drop
sessions that do not become fully established. These timeouts and
thresholds apply globally to all sessions. You can use the default
timeout and threshold values, or you can change to values more
suitable to your security requirements. You should make any changes
to the timeout and threshold values before you continue configuring
CBAC.
Note: If you want to enable the more aggressive TCP host-specific DoS prevention that includes the blocking of connection initiation to a host, you must set the block-time specified in the ip inspect tcp max-incomplete host command (see the last row in the main figure).
All the available CBAC timeouts and thresholds are listed in the main figure along with the corresponding command and default value. To change a global timeout or threshold listed in the "Timeout or Threshold Value to Change" column, use the global configuration command in the "Command" column:
The global TCP and UDP idle timeouts can be overridden for specified application-layer protocol sessions.
Whenever the max-incomplete host threshold is exceeded, the software will drop half-open sessions differently, depending on whether the block-time timeout is zero or a positive nonzero number. If the block-time timeout is zero, the software will delete the oldest existing half-open session for the host for every new connection request to the host and will let the SYN packet through. If the block-time timeout is greater than zero, the software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.
To reset any threshold or timeout to the default value, use the no form of the command in the Figure.
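To make the two block-time behaviours concrete, here is an added Python model of the per-host half-open handling described above; it is not Cisco IOS code and not part of the original documentation. It assumes a FIFO of half-open sessions per host, reads "exceeded" as "accepting one more SYN would pass the max-incomplete host value", and assumes the SYN that triggers a nonzero block-time is itself dropped; the burst in run_burst is constructed.

```python
from collections import deque
from typing import Deque, List, Optional

class HostHalfOpenTracker:
    """Per-host half-open TCP tracking as the text describes (hypothetical model).
    max_incomplete_host: the `ip inspect tcp max-incomplete host` threshold.
    block_time: its block-time option, in minutes (0 = never block a host).
    """

    def __init__(self, max_incomplete_host: int, block_time: int) -> None:
        self.threshold = max_incomplete_host
        self.block_time = block_time
        self.half_open: Deque[str] = deque()         # oldest half-open session first
        self.blocked_until: Optional[float] = None   # minutes; None = not blocking

    def new_syn(self, session_id: str, now: float) -> str:
        """Handle a SYN to this host at time `now` (minutes).
        Returns 'forwarded', 'forwarded_after_drop' or 'blocked'."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return "blocked"                     # still inside block-time
            self.blocked_until = None                # block-time has expired
        if len(self.half_open) < self.threshold:
            self.half_open.append(session_id)
            return "forwarded"
        # Accepting this SYN would exceed the host threshold (assumed reading of "exceeded").
        if self.block_time == 0:
            self.half_open.popleft()                 # delete the oldest half-open session
            self.half_open.append(session_id)
            return "forwarded_after_drop"            # ...and let the SYN through
        self.half_open.clear()                       # delete all half-open sessions for host
        self.blocked_until = now + self.block_time   # block new requests until it expires
        return "blocked"                             # assumption: the triggering SYN is dropped too

    def established(self, session_id: str) -> None:
        """Three-way handshake completed: the session is no longer half-open."""
        if session_id in self.half_open:
            self.half_open.remove(session_id)

def run_burst(block_time: int, threshold: int = 3) -> List[str]:
    """Constructed burst to one host: five SYNs at t=0, then one at t=1 and one at t=2 min."""
    tracker = HostHalfOpenTracker(threshold, block_time)
    times = [0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 2.0]
    return [tracker.new_syn(f"s{i}", t) for i, t in enumerate(times)]

if __name__ == "__main__":
    print("block-time 0:", run_burst(0))   # oldest session dropped, every SYN forwarded
    print("block-time 2:", run_burst(2))   # host blocked until t=2, then forwarded again
```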
Half-Open Sessions
An unusually high number of half-open sessions (either absolute
or measured as the arrival rate) could indicate that a DoS attack is
occurring. For TCP, "half-open" means that the session has
not reached the established state—the TCP three-way handshake has
not yet been completed. For UDP, "half-open" means that
the firewall has detected no return traffic.
CBAC measures both the total number of existing half-open
sessions and the rate of session establishment attempts. Both TCP
and UDP half-open sessions are counted in the total number and rate
measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. The firewall router reviews the "one-minute" rate on an ongoing basis, meaning that the router reviews the rate more frequently than once a minute and does not keep deleting half-open sessions for a full minute after a DoS attack has stopped; the deletion stops in less time than that.