DoS attacks are based on the premise of consuming the resources of a
device so heavily that legitimate traffic is crowded out. For example, when
AAA is used in a network for authentication, a common DoS attack is to send
many forged authentication requests to the PIX Security Appliance, thereby
exhausting AAA resources.
The floodguard command enables the PIX Security Appliance to reclaim
resources when the user authentication (uauth) subsystem runs out of them.
If an inbound or outbound uauth connection is being attacked or overused,
the PIX actively reclaims TCP resources. When the resources are depleted,
the PIX logs messages indicating that it is out of resources or out of TCP
users. If the uauth subsystem is depleted, TCP user resources in different
states are reclaimed, least disruptive first, in the following order:
- Timewait (connections already closed and only waiting out the TIME_WAIT period)
- FinWait (half-closed connections waiting for the peer to finish)
- Embryonic (half-open connections whose three-way handshake never completed)
- Idle (established connections carrying no traffic)
The floodguard command is enabled by default.
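As an added example (not from the original page), the PIX 6.x CLI lines to confirm the setting and to toggle it; the hostname in the prompt is a placeholder:

```text
pixfirewall# show floodguard
floodguard enable

pixfirewall(config)# floodguard disable
pixfirewall(config)# floodguard enable
```

The show command is the check worth running after an upgrade or a configuration restore: because floodguard is on by default, a "floodguard disable" line in a pasted configuration is easy to overlook. Note also what floodguard does not do: it frees uauth slots so legitimate users can still authenticate, but it neither blocks the forged requests nor rate-limits the attacker, so it complements, rather than replaces, access-list filtering in front of the AAA-protected interface.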