Configure Cisco IOS Firewall Context-Based Access Control
Set global thresholds

An unusually high number of half-open sessions could indicate that a DoS attack is occurring. For TCP, half-open means that three-way handshake has not yet been completed, so the session has not reached the established state. For UDP, half-open means that the firewall has detected no return traffic.

CBAC measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold, the max-incomplete high number, CBAC will go into aggressive mode and delete half-open sessions as required to accommodate new connection requests. The software continues to delete half-open sessions as necessary, until the number of existing half-open sessions drops below another threshold, the max-incomplete low number.

Use the ip inspect max-incomplete high command in global configuration mode to define the number of existing half-open sessions that will cause CBAC to start deleting half-open sessions. Use the no form of this command to reset the threshold to the default. The syntax for the ip inspect max-incomplete high command is shown in Figure .

Use the ip inspect max-incomplete low command in global configuration mode to define the number of existing half-open sessions that will cause CBAC to stop deleting half-open sessions. Use the no form of this command to reset the threshold to the default. The syntax for the ip inspect max-incomplete low command is shown in Figure .

When the rate of new connection attempts rises above a threshold, the one-minute high number, CBAC will delete half-open sessions as required to accommodate new connection attempts. The software continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold, the one-minute low number. The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. CBAC reviews the one-minute rate on an ongoing basis, meaning that CBAC reviews the rate more frequently than once a minute and does not keep deleting half-open sessions for a full minute after a DoS attack has stopped. This means that CBAC will stop deleting sessions sooner than one minute after the attack has stopped.

Use the ip inspect one-minute high command in global configuration mode to define the rate of new un-established sessions that will cause the software to start deleting half-open sessions. Use the no form of this command to reset the threshold to the default. The syntax for the ip inspect one-minute high command is shown in Figure .

Use the ip inspect one-minute low command in global configuration mode to define the rate of new un-established TCP sessions that will cause the software to stop deleting half-open sessions. Use the no form of this command to reset the threshold to the default. The syntax for the ip inspect one-minute low command is shown in Figure .