An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Whenever the number of half-open sessions with the same destination host address rises above the threshold configured by the max-incomplete host number command, CBAC will delete half-open sessions according to one of the following methods:

If the block-time minutes timeout is 0, the default value, CBAC deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the block-time minutes timeout is greater than 0, CBAC deletes all existing half-open sessions for the host, and then blocks all new connection requests to the host. CBAC will continue to block all new connection requests until the block time expires.

CBAC also sends Syslog messages whenever the max-incomplete host number is exceeded, and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by CBAC.

Use the ip inspect tcp max-incomplete host global configuration command to specify threshold and blocking time values for TCP host-specific DoS detection and prevention. Use the no form of this command to reset the threshold and blocking time to the default values. The syntax for the ip inspect tcp max-incomplete host command is shown in Figure .
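The two deletion methods described above, as an added simulation that is not Cisco's code: a per-destination-host half-open tracker that evicts the oldest session when block-time is 0 and wipes the host's sessions and blocks new requests for block-time minutes otherwise. The class and method names are the example's own; times are in minutes, and the assumption that the request which trips the threshold is itself blocked in the block-time mode is the example's, not stated on the page.

```python
from collections import deque


class HalfOpenTracker:
    """Simulates CBAC's per-host half-open session limiting (example only)."""

    def __init__(self, threshold, block_time_minutes=0):
        self.threshold = threshold          # max-incomplete host <number>
        self.block_time = block_time_minutes  # block-time <minutes>, 0 = default
        self.sessions = {}       # host -> deque of (syn_time, src), oldest first
        self.blocked_until = {}  # host -> time at which blocking ends
        self.log = []            # stand-in for the Syslog messages CBAC emits

    def syn(self, now, src, host):
        """New connection request to host; returns True if allowed through."""
        until = self.blocked_until.get(host)
        if until is not None:
            if now < until:
                return False             # block time still running
            del self.blocked_until[host]
            self.log.append(f"{now}: blocking of new connections to {host} ended")
        queue = self.sessions.setdefault(host, deque())
        if len(queue) >= self.threshold:
            self.log.append(f"{now}: max-incomplete host exceeded for {host}")
            if self.block_time == 0:
                queue.popleft()          # drop the oldest half-open session
            else:
                queue.clear()            # delete all half-open sessions for host
                self.blocked_until[host] = now + self.block_time
                self.log.append(f"{now}: blocking new connections to {host} "
                                f"for {self.block_time} min")
                return False             # assumption: triggering request is blocked
        queue.append((now, src))
        return True

    def complete(self, src, host):
        """Handshake finished or session torn down: it is no longer half-open."""
        queue = self.sessions.get(host, deque())
        for entry in queue:
            if entry[1] == src:
                queue.remove(entry)
                return True
        return False

    def half_open(self, host):
        """Current number of half-open sessions to host."""
        return len(self.sessions.get(host, ()))
```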