Configure Cisco IOS Firewall Context-Based Access Control
Half-open connection limits by host

An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Whenever the number of half-open sessions with the same destination host address rises above the threshold configured by the max-incomplete host number command, CBAC will delete half-open sessions according to one of the following methods:

If the block-time minutes timeout is 0, the default value, CBAC deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the block-time minutes timeout is greater than 0, CBAC deletes all existing half-open sessions for the host, and then blocks all new connection requests to the host. CBAC will continue to block all new connection requests until the block time expires.

CBAC also sends Syslog messages whenever the max-incomplete host number is exceeded, and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by CBAC.

Use the ip inspect tcp max-incomplete host global configuration command to specify threshold and blocking time values for TCP host-specific DoS detection and prevention. Use the no form of this command to reset the threshold and blocking time to the default values. The syntax for the ip inspect tcp max-incomplete host command is shown in Figure .
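As an added illustration (not Cisco IOS code and not part of the original page), the following Python model simulates the two per-host deletion methods described above, so the effect of block-time 0 versus block-time greater than 0 can be observed; the class name, its parameters and the log strings are hypothetical, and time is counted in minutes.

```python
# Model of CBAC's per-destination-host half-open session limit (hypothetical
# simulation of "ip inspect tcp max-incomplete host <number> block-time <minutes>").
from collections import OrderedDict


class HostHalfOpenLimiter:
    """Tracks half-open TCP sessions per destination host and applies the
    max-incomplete host threshold the way the text describes."""

    def __init__(self, max_incomplete=50, block_time_min=0):
        self.max_incomplete = max_incomplete      # "max-incomplete host number"
        self.block_time_min = block_time_min      # "block-time minutes" (0 = default)
        self.half_open = {}    # host -> OrderedDict(session_id -> start time), oldest first
        self.block_until = {}  # host -> time (minutes) at which blocking ends
        self.log = []          # syslog-style messages (illustrative wording only)

    def new_syn(self, host, session_id, now):
        """Handle a new connection request to `host` at time `now`.
        Returns True if the half-open session is admitted, False if dropped."""
        # A running block expires once block-time has elapsed
        if host in self.block_until and now >= self.block_until[host]:
            del self.block_until[host]
            self.log.append(f"BLOCK_END: new connections to {host} allowed again")
        if host in self.block_until:
            return False  # block-time still running: drop every new request
        sessions = self.half_open.setdefault(host, OrderedDict())
        if len(sessions) >= self.max_incomplete:
            self.log.append(f"ALERT: max-incomplete host {self.max_incomplete} "
                            f"exceeded for {host}")
            if self.block_time_min == 0:
                # Method 1: delete only the oldest half-open session for this host
                sessions.popitem(last=False)
            else:
                # Method 2: delete all half-open sessions, then block new requests
                sessions.clear()
                self.block_until[host] = now + self.block_time_min
                self.log.append(f"BLOCK_START: {host} blocked for "
                                f"{self.block_time_min} min")
                return False  # modelling assumption: the triggering request is dropped too
        sessions[session_id] = now
        return True

    def complete(self, host, session_id):
        """Three-way handshake finished: the session is no longer half-open."""
        self.half_open.get(host, {}).pop(session_id, None)

    def half_open_count(self, host):
        return len(self.half_open.get(host, {}))
```

Feed the model a burst of requests to one host: with block-time 0 the count never rises above the threshold, while with block-time 2 the host's sessions are flushed and further requests are refused until two simulated minutes have passed.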


Lab Activity

e-Lab Activity: Half-Open Connection Limits

In this activity, students will configure the number of existing half-open sessions that will cause the software to start deleting half-open sessions.