From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sat Aug 30 2008 - 14:10:55 ART
Perhaps the best CBAC question I have ever seen, Ahsan! Thank you.
Below is an excerpt from my CCNP workbook:
Note: (The serial interfaces lead to the internet). The CBAC policy is
APPLIED INBOUND on the public interface; this causes the CBAC server DOS
protect policy to monitor connections made FROM the untrusted network and
enforce limits (clamping) when traffic is headed towards the PROTECTED
server farm.
-Joe
NYCORPHQ1 & NYCORPHQ2
ip inspect log drop-pkt
ip inspect max-incomplete low 200
ip inspect max-incomplete high 600
ip inspect one-minute low 100
ip inspect one-minute high 300
ip inspect tcp synwait-time 10
ip inspect tcp max-incomplete host 75 block-time 10
ip inspect name denialprotect http
ip inspect name denialprotect https
logging 10.254.0.19
NYCORPHQ1
interface serial0/0
ip inspect denialprotect in
NYCORPHQ2
interface serial1/0
ip inspect denialprotect in
Verification:
NYCORPHQ1#show ip inspect all
Dropped packet logging is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [100 : 300] connections
max-incomplete sessions thresholds are [200 : 600]
max-incomplete tcp connections per host is 75. Block-time 10 minutes.
tcp synwait-time is 10 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name denialprotect
http alert is on audit-trail is off timeout 3600
https alert is on audit-trail is off timeout 3600
Interface Configuration
Interface Serial0/0
Inbound inspection rule is denialprotect
http alert is on audit-trail is off timeout 3600
https alert is on audit-trail is off timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
Note: Using CBAC/IOS Firewall to block denial of service attacks
Content based application control uses connection clamping to limit the
number of half-open TCP connections allowed globally, within one minute and
on a per-host basis. Half-open connections exceeding the configured limits
are dropped until the number of half-open connections falls below the low
water mark (threshold). On a per-host basis, a block-time is optionally
configured to prevent new half-open sessions for the length of time specified.
Additionally, TCP SYN packets can be monitored to ensure they reach the
established state within a certain interval, or the session will be dropped
by the IOS firewall.
To log packets dropped by the firewall, the command "ip inspect log
drop-pkt" may be configured.
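The clamping behaviour described in the workbook note, replayed over a constructed SYN flood, as an added example (this is not Joe's workbook code and not Cisco's implementation). It reuses the NYCORPHQ1 thresholds above and follows the note's description of the three limits: a global max-incomplete high/low water mark with hysteresis, a one-minute rate with the same hysteresis, and a per-host cap that starts a block-time. The hysteresis semantics (drop new half-opens above the high mark until the count falls below the low mark) and the synwait ageing are assumptions drawn from the note rather than the exact IOS bookkeeping, and every address, hostname and event below is constructed.

```python
"""Toy model of CBAC half-open (SYN) clamping with the NYCORPHQ1 thresholds.

Assumed semantics (from the workbook note, not the IOS source): once a
high-water mark is reached, new half-opens are dropped until the count falls
below the low-water mark; a host that reaches its per-host limit is blocked for
block-time minutes; a SYN that never reaches ESTABLISHED is aged out after
synwait-time seconds. All traffic in this file is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Thresholds:
    max_incomplete_low: int = 200   # ip inspect max-incomplete low 200
    max_incomplete_high: int = 600  # ip inspect max-incomplete high 600
    one_minute_low: int = 100       # ip inspect one-minute low 100
    one_minute_high: int = 300      # ip inspect one-minute high 300
    host_max_incomplete: int = 75   # ip inspect tcp max-incomplete host 75 ...
    host_block_time: int = 10       # ... block-time 10 (minutes)
    synwait_time: int = 10          # ip inspect tcp synwait-time 10 (seconds)


class CbacClamp:
    """Tracks half-open sessions and applies the three clamps (assumed semantics)."""

    def __init__(self, th=None):
        self.th = th or Thresholds()
        self.half_open = {}        # (src, dst) -> time the SYN was seen
        self.recent = deque()      # SYN times within the last 60 s (one-minute rate)
        self.blocked_until = {}    # dst -> time the per-host block expires
        self.global_clamp = False  # hysteresis state for max-incomplete
        self.rate_clamp = False    # hysteresis state for one-minute

    def _expire(self, now):
        # synwait-time: a SYN that never reached ESTABLISHED is discarded
        self.half_open = {k: t for k, t in self.half_open.items()
                          if now - t <= self.th.synwait_time}
        while self.recent and now - self.recent[0] > 60:
            self.recent.popleft()

    @staticmethod
    def _clamped(active, count, low, high):
        # Hysteresis: engage once count reaches the high mark, release below low.
        if active and count < low:
            return False
        return active or count >= high

    def syn(self, now, src, dst):
        """Decide on one inbound SYN toward the protected server farm."""
        self._expire(now)
        if self.blocked_until.get(dst, 0) > now:
            return "drop:host-blocked"
        self.global_clamp = self._clamped(self.global_clamp, len(self.half_open),
                                          self.th.max_incomplete_low,
                                          self.th.max_incomplete_high)
        if self.global_clamp:
            return "drop:max-incomplete"
        self.rate_clamp = self._clamped(self.rate_clamp, len(self.recent),
                                        self.th.one_minute_low,
                                        self.th.one_minute_high)
        if self.rate_clamp:
            return "drop:one-minute"
        if sum(1 for (_, d) in self.half_open if d == dst) >= self.th.host_max_incomplete:
            # block-time > 0: refuse new half-opens to this host for block-time minutes
            self.blocked_until[dst] = now + self.th.host_block_time * 60
            return "drop:host-max-incomplete"
        self.half_open[(src, dst)] = now
        self.recent.append(now)
        return "allow"

    def established(self, now, src, dst):
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop((src, dst), None)


def syn_flood(target, count, start=0.0, step=0.01):
    """Constructed flood: `count` SYN events from distinct spoofed sources."""
    return [(start + i * step, "syn", f"203.0.{i // 256}.{i % 256}", target)
            for i in range(count)]


def run(events, th=None):
    """Replay (time, kind, src, dst) events; return (time, src, dst, verdict) per SYN."""
    fw, out = CbacClamp(th), []
    for t, kind, src, dst in sorted(events):
        if kind == "syn":
            out.append((t, src, dst, fw.syn(t, src, dst)))
        else:
            fw.established(t, src, dst)
    return out


def demo():
    """80 spoofed SYNs at one server (constructed), then a legitimate client."""
    events = syn_flood("10.1.1.10", 80)
    events += [(1.0, "syn", "192.0.2.7", "10.1.1.10"),    # inside block-time: dropped
               (1.0, "syn", "192.0.2.7", "10.1.1.11"),    # other server: allowed
               (601.0, "syn", "192.0.2.7", "10.1.1.10")]  # block expired: allowed
    return run(events)


if __name__ == "__main__":
    for t, src, dst, verdict in demo():
        if verdict != "allow":
            print(f"t={t:7.2f} {src:>15} -> {dst:<10} {verdict}")
```

The demo answers the question in the thread directly: the attacker's SYNs are inbound on the serial interface, the first 75 toward 10.1.1.10 become half-open entries, the 76th trips the per-host limit and starts the 10-minute block, and the legitimate client at t=1 is collateral damage of that block while its connection to 10.1.1.11 goes through. Passing a smaller `Thresholds` into `run()` shows the global and one-minute hysteresis in the same way.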
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ahsan Mohiuddin
Sent: Saturday, August 30, 2008 10:07 AM
To: Cisco certification
Subject: CBAC: how does "ip inspect max-incomplete" come into play?
Hello Group,
I don't understand how CBAC commands such as "ip inspect max-incomplete" and
"ip inspect tcp max-incomplete host" etc. come into effect. My understanding
is that when you apply CBAC to an interface, connections can only be
initiated from within the protected network, and dynamic openings are
created for return traffic to be allowed back in.
So, how do we get to have any "half-open" sessions at all? I mean if a DOS
attack is underway, we would expect half-open (SYN-only) TCP packets piling
up on one of the servers (on the inside). But since we aren't even allowing
any new connections to be made from the outside, how does a DOS attack ever
take place? So what's the use of the "ip inspect max-incomplete"?
It's getting confusing. This is my first time with CBAC :(
~Ahsan
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:33 ART