DoS Attacks Prevention with CBAC

September 8, 2008 at 11:16 am | Posted in Security

R4#sh run
ip inspect max-incomplete high 1200
ip inspect max-incomplete low 1000
ip inspect one-minute low 100
ip inspect one-minute high 300
ip inspect tcp max-incomplete host 50 block-time 5
ip inspect name DOS_MITIGATION tcp
interface Ethernet0/0
ip inspect DOS_MITIGATION out


R4#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [100:300] connections
max-incomplete sessions thresholds are [1000:1200]
max-incomplete tcp connections per host is 50. Block-time 5 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name DOS_MITIGATION
tcp alert is on audit-trail is off timeout 3600

Interface Configuration
Interface Ethernet0/0
Inbound inspection rule is not set
Outgoing inspection rule is DOS_MITIGATION
tcp alert is on audit-trail is off timeout 3600
Inbound access list is not set
Outgoing access list is not set

Established Sessions
Session 6555F098 (>( tcp SIS_OPEN

! Try generating TCP traffic from outside
Trying … Open

R4#debug ip inspect tcp
INSPECT TCP Inspection debugging is on
R4#debug ip inspect events
INSPECT special events debugging is on
R5#debug ip tcp transactions
TCP special event debugging is on

Trying …
*Apr  7 02:37:15.439: TCP: Random local port generated 19679
*Apr  7 02:37:15.443: TCB64ECDAF0 created
*Apr  7 02:37:15.443: TCB64ECDAF0 setting property TCP_TOS (11) 658277D8
*Apr  7 02:37:15.443: TCB64ECDAF0 bound to UNKNOWN.19679
*Apr  7 02:37:15.443: TCP: sending SYN, seq 3882602081, ack 0
*Apr  7 02:37:15.443: TCP0: Connection to, advertising MSS 536
*Apr  7 02:37:15.447: TCP0: state was CLOSED -> SYNSENT [19679 ->]
*Apr  7 02:37:17.443: <—>   congestion window changes
*Apr  7 02:37:17.443: cwnd from 536 to 536, ssthresh from 65535 to 1072
*Apr  7 02:37:17.443: TCP0: timeout #1 – timeout is 3000 ms, seq 3882602081
% Connection timed out; remote host not responding
*Apr  7 02:37:20.443: TCP0: state was SYNSENT -> CLOSED [19679 ->]
*Apr  7 02:37:20.443: TCB 0x64ECDAF0 destroyed

*Apr  7 11:53:54.727: CBAC sis 6555F098 pak 65322FBC SIS_CLOSED/LISTEN TCP SYN SEQ 3882602081 LEN 0 ( => (
*Apr  7 11:53:56.723: CBAC sis 6555F098 pak 64E422BC SIS_OPENING/SYNSENT TCP SYN SEQ 3882602081 LEN 0 ( => (
*Apr  7 11:53:56.723: CBAC sis 6555F098 L4 inspect result: SKIP packet 64E422BC ( ( bytes 0 ErrStr = Retransmitted Segment tcp
*Apr  7 11:54:24.727: CBAC sent a TCP pkt ( tcp flag:0x4 -> seq 0 ack 0 wnd 4128
*Apr  7 11:54:24.727: CBAC sent a TCP pkt ( tcp flag:0x4 -> seq 3882602082 ack 0 wnd 0

DOC CD Navigation

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant to the FTP state information.

With TCP and UDP inspection, packets entering the network must exactly match the corresponding packet that previously exited the network. The entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed); otherwise, the entering packets will be blocked at the interface. Also, all TCP packets with a sequence number outside of the window are dropped.
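
The matching rule quoted above, as an added Python sketch (not code from the original post and not Cisco's implementation): entering packets are admitted only if they are the exact reverse of a recorded exiting packet and, for TCP, carry a sequence number inside the window. The class names, the documentation-range addresses and the simplified window check (including 32-bit wraparound) are assumptions made for illustration.

```python
# Added illustration: a simplified model of generic TCP/UDP inspection,
# not Cisco's implementation. Names and window handling are assumptions.
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Session:
    next_seq: int   # next sequence number expected from the outside peer
    window: int     # receive window advertised by the inside host

class StateTable:
    def __init__(self):
        self.sessions = {}

    def record_exit(self, proto, src, sport, dst, dport, peer_next_seq=0, window=0):
        """Store the exiting packet's tuple, keyed as the reply will appear."""
        self.sessions[(proto, dst, dport, src, sport)] = Session(peer_next_seq, window)

    def check_entry(self, proto, src, sport, dst, dport, seq=0):
        """Return 'permit' or the reason an entering packet is dropped."""
        sess = self.sessions.get((proto, src, sport, dst, dport))
        if sess is None:
            return "drop: no matching exit packet"
        if proto == "tcp" and (seq - sess.next_seq) % MOD >= sess.window:
            return "drop: sequence number outside window"
        return "permit"

def demo():
    """Run constructed packets (documentation addresses) through the table."""
    t = StateTable()
    inside, outside = "192.0.2.10", "198.51.100.20"
    # Constructed session: the peer's next byte is expected 16 below the
    # 32-bit wrap, with a 4128-byte window.
    t.record_exit("tcp", inside, 19679, outside, 23, peer_next_seq=MOD - 16, window=4128)
    t.record_exit("udp", inside, 5000, outside, 53)
    return [
        t.check_entry("tcp", outside, 23, inside, 19679, seq=MOD - 16),    # in window
        t.check_entry("tcp", outside, 23, inside, 19679, seq=100),         # wrapped, in window
        t.check_entry("tcp", outside, 23, inside, 19679, seq=5000),        # past window
        t.check_entry("tcp", outside, 2323, inside, 19679, seq=MOD - 16),  # other source port
        t.check_entry("udp", outside, 53, inside, 5000),                   # exact reverse
        t.check_entry("udp", outside, 53, inside, 5001),                   # wrong dest port
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth case is the limitation the documentation mentions: a return packet arriving from a different port than the one the exiting packet used has no state entry, which is why such applications need their own application-layer inspection.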

