An unusually high number of half-open sessions could indicate that
a DoS attack is occurring. For TCP, half-open means that the three-way handshake
has not yet been completed, so the session has not reached the established
state. For UDP, half-open means that the firewall has detected no return
traffic for the session.
CBAC measures both the total number of existing half-open sessions and the
rate of session establishment attempts. Both TCP and UDP half-open sessions are
counted in the total number and rate measurements. Measurements are made once a
minute.
When the number of existing half-open sessions rises above a
threshold, the max-incomplete high number, CBAC will
go into aggressive mode and delete half-open sessions as required to
accommodate new connection requests. The software continues to delete half-open
sessions as necessary until the number of existing half-open sessions drops
below another threshold, the max-incomplete low
number.
Use the ip inspect max-incomplete high command in global configuration mode
to define the number of existing half-open sessions that will cause CBAC to
start deleting half-open sessions. Use the no form of this command to reset
the threshold to the default.
The syntax for the ip inspect max-incomplete high command
is shown in the figure.
Use the ip inspect max-incomplete low command in global
configuration mode to define the number of existing half-open sessions that
will cause CBAC to stop deleting half-open sessions. Use the
no form of this command to reset the threshold to the default.
The syntax for the ip inspect max-incomplete low command is
shown in the figure.
When the rate of new connection attempts rises above a threshold, the
one-minute high number, CBAC will delete half-open
sessions as required to accommodate new connection attempts. The software
continues to delete half-open sessions as necessary until the rate of new
connection attempts drops below another threshold, the one-minute
low number. The rate thresholds are measured as the number of
new session connection attempts detected in the last one-minute sample period.
CBAC reviews the one-minute rate on an ongoing basis, meaning that CBAC checks
the rate more often than once a minute and does not keep deleting half-open
sessions for a full minute after a DoS attack has stopped. This means that CBAC
will stop deleting sessions sooner than one minute after the attack has
stopped.
Use the ip inspect one-minute high command
in global configuration mode to define the rate of new un-established sessions
that will cause the software to start deleting half-open sessions. Use the
no form of this command to reset the threshold to the default.
The syntax for the ip inspect one-minute high command is
shown in the figure.
Use the ip inspect one-minute low command in global
configuration mode to define the rate of new un-established sessions that
will cause the software to stop deleting half-open sessions. Use the
no form of this command to reset the threshold to the
default. The syntax for the ip inspect one-minute low
command is shown in the figure.
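The count-based (max-incomplete high/low) and rate-based (one-minute high/low) mechanisms described above are both hysteresis loops around a table of half-open sessions. The following Python model is an added example written for this page, not Cisco IOS code: it simulates CBAC's behaviour so the interaction of the two thresholds can be seen on constructed traffic. Assumptions made here for illustration: each new connection request evaluated in aggressive mode causes exactly one oldest half-open session to be deleted to make room for it; the one-minute rate is a sliding 60-second window re-evaluated on every attempt (the "ongoing" review the text describes); and the default threshold values (500 high / 400 low for both mechanisms) are the classic CBAC defaults.

```python
"""Model of CBAC half-open session thresholds (added example, not Cisco IOS code)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CbacInspector:
    # Thresholds map to the IOS commands on this page. The defaults below are
    # the classic CBAC defaults (assumed here for illustration).
    max_incomplete_high: int = 500   # ip inspect max-incomplete high
    max_incomplete_low: int = 400    # ip inspect max-incomplete low
    one_minute_high: int = 500       # ip inspect one-minute high
    one_minute_low: int = 400        # ip inspect one-minute low
    # Half-open sessions, oldest first.
    half_open: deque = field(default_factory=deque)
    # Timestamps (seconds) of connection attempts in the sliding one-minute window.
    attempts: deque = field(default_factory=deque)
    # Sessions deleted by aggressive mode, in deletion order.
    deleted: list = field(default_factory=list)
    count_mode: bool = False   # aggressive because of total half-open count
    rate_mode: bool = False    # aggressive because of one-minute rate

    def one_minute_rate(self, now: float) -> int:
        """Attempts seen in the last 60 seconds (sliding window, assumed model)."""
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def aggressive(self, now: float) -> bool:
        """Apply both hysteresis loops: enter above 'high', leave below 'low'."""
        count = len(self.half_open)
        if count > self.max_incomplete_high:
            self.count_mode = True
        elif count < self.max_incomplete_low:
            self.count_mode = False
        rate = self.one_minute_rate(now)
        if rate > self.one_minute_high:
            self.rate_mode = True
        elif rate < self.one_minute_low:
            self.rate_mode = False
        return self.count_mode or self.rate_mode

    def new_attempt(self, session_id: str, now: float) -> bool:
        """Record a SYN / first UDP packet; returns True if a session was deleted."""
        self.attempts.append(now)
        deleted = False
        if self.aggressive(now) and self.half_open:
            # Assumed model: drop the oldest half-open session to make room.
            self.deleted.append(self.half_open.popleft())
            deleted = True
        self.half_open.append(session_id)
        return deleted

    def established(self, session_id: str) -> None:
        """Handshake completed (or UDP return traffic seen): no longer half-open."""
        if session_id in self.half_open:
            self.half_open.remove(session_id)


def simulate_count_attack() -> list:
    """Constructed scenario: count thresholds trigger, rate thresholds do not."""
    fw = CbacInspector(max_incomplete_high=5, max_incomplete_low=3,
                       one_minute_high=10_000, one_minute_low=9_000)
    for i in range(1, 9):                      # s1..s8, one per second
        fw.new_attempt(f"s{i}", now=i)
    # Legitimate sessions complete; count drops below max-incomplete low.
    for sid in ("s3", "s4", "s5", "s6"):
        fw.established(sid)
    fw.new_attempt("s9", now=9)                # no longer aggressive
    return fw.deleted


def simulate_rate_attack() -> list:
    """Constructed scenario: rate thresholds trigger, then the burst stops."""
    fw = CbacInspector(max_incomplete_high=10_000, max_incomplete_low=9_000,
                       one_minute_high=5, one_minute_low=3)
    for i in range(1, 8):                      # 7 attempts in 7 seconds
        fw.new_attempt(f"r{i}", now=i)
    # Attack stops; next attempt is 70 s later, so the window has drained and
    # CBAC stops deleting without waiting a further full minute.
    fw.new_attempt("r8", now=77)
    return fw.deleted


if __name__ == "__main__":
    print("count-based deletions:", simulate_count_attack())
    print("rate-based deletions:", simulate_rate_attack())
```

The scenarios make the hysteresis visible: in the count-based run, deletion starts only once the table exceeds the high mark and stops only after enough sessions complete to fall below the low mark, which is why setting low too close to high causes CBAC to flap in and out of aggressive mode. In the rate-based run, the window drains as soon as the burst ends, matching the text's point that deletion stops sooner than one minute after the attack. On a real router, `show ip inspect config` displays the configured thresholds and `show ip inspect sessions` lists the current half-open sessions.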