Application Note
Cisco IOS® Stateful Packet Inspection maintains counters of the number of "half-open" TCP connections, as well as the total connection rate through the firewall and intrusion prevention software. These half-open connections are TCP connections that have not completed the SYN-SYN/ACK-ACK handshake that TCP peers always use to negotiate the parameters of their mutual connection. Cisco IOS Firewall also regards User Datagram Protocol (UDP) sessions with traffic in only one direction as "half-open", because nearly all applications that use UDP for transport acknowledge reception of data. UDP sessions without acknowledgement are likely indicative of DoS activity, or of connection attempts between two hosts where one host has become unresponsive.

Some malicious individuals write worms or viruses that infect multiple hosts on the Internet and then attempt to overwhelm specific Internet servers with a SYN attack, in which large numbers of SYN connections are sent to a server by multiple hosts on the public Internet or within an organization's private network. SYN attacks represent a hazard to Internet servers, as a server's connection table can be loaded with "bogus" SYN connection attempts that arrive faster than the server can deal with the new connections. This is called a "Denial-of-Service" (DoS) attack, as the large number of connections in the victim server's TCP connection list prevents legitimate users from gaining access to the victim Internet servers.
Step 1. Be sure your network is not infected with viruses or worms that could lead to erroneously large half-open connection values and attempted connection rates. If your network is not "clean", there is no way to properly adjust your firewall's DoS protection.
Step 2. Set the max-incomplete high thresholds to very high values:
This will prevent the router from providing DoS protection while you observe your network's connection patterns. If you wish to leave DoS protection disabled, stop following this procedure now.
Step 3. Clear the Cisco IOS Firewall statistics, using the following command:
Step 4. Leave the router configured in this state for some time, perhaps as long as 24 to 48 hours, so you can observe the network's pattern over a full day's activity cycle.
Note: While the values are adjusted to very high levels, your network will not benefit from Cisco IOS Firewall or IPS DoS protection.
Step 5. After the observation period, check the DoS counters with the following command. The parameters you must observe to tune your DoS protection are the maxever session counts for established, half-open, and terminating sessions:
Step 6. Configure "ip inspect max-incomplete high" to a value 25-percent higher than your router's indicated maxever session count half-open value. A 1.25 multiplier offers 25-percent headroom above observed behavior.
For example:
Thus, configure:
Step 7. Configure "ip inspect max-incomplete low" to the value your router displayed for its maxever session count half-open value.
For example:
Thus, configure:
Step 8. The counter for "ip inspect one-minute high" and "one-minute low" maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts during the preceding minute of the router's operation, whether the connections have been successful or not. A rising connection rate could be indicative of a worm infection on a private network, or an attempted DoS attack against a server.
Cisco IOS Software does not maintain a value of the maxever one-minute connection rate, so you must calculate the value you will apply from the observed maxever values. While the maximum indicated values for established, half-open, and terminating sessions are unlikely to occur in the same instant, the values calculated this way for the one-minute settings have been observed to be reasonably accurate. To calculate the ip inspect one-minute low value, add together the indicated "established", "half-open", and "terminating" maxever values.
For example:
Thus, configure:
Step 9. Calculate and configure "ip inspect one-minute high". The ip inspect one-minute high value should be 25-percent greater than the calculated one-minute low value.
For example:
Thus, configure:
Step 10. You will need to define a value for "ip inspect tcp max-incomplete host" according to your understanding of your servers' capability.
Step 11. Monitor your network's DoS protection activity. Ideally, you should use a syslog server and record occurrences of DoS attack detection. If detection happens very frequently, you may need to monitor and adjust your DoS protection parameters.
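The threshold arithmetic of Steps 6 through 9, with a Step 11 style check of current readings against the resulting high thresholds, as an added example that is not part of the original note or of Cisco IOS. It assumes the Step 8 one-minute low value is the sum of the established, half-open and terminating maxever counts, rounds the 1.25 multiplier up to the next whole number, and refuses a half-open maxever of 0 as an observation that is too short to tune against.

```python
import math
from dataclasses import dataclass

HEADROOM = 1.25  # the 25-percent margin the note applies in Steps 6 and 9

@dataclass(frozen=True)
class MaxeverCounters:
    # maxever session counts read from the firewall statistics after the observation period
    established: int
    half_open: int
    terminating: int

def with_headroom(value: int) -> int:
    # Round up so the configured threshold is never below 1.25x the observed value.
    return math.ceil(value * HEADROOM)

def one_minute_low(c: MaxeverCounters) -> int:
    # Step 8 as read here (assumption): the three maxever counts added together.
    return c.established + c.half_open + c.terminating

def dos_thresholds(c: MaxeverCounters) -> dict[str, int]:
    """Return the four ip inspect thresholds derived from observed maxever counts (Steps 6 to 9)."""
    if min(c.established, c.half_open, c.terminating) < 0:
        raise ValueError("counters cannot be negative")
    if c.half_open == 0:
        # Nothing half-open was ever seen: a threshold of 0 would fire on the first SYN.
        raise ValueError("no half-open sessions observed; extend the observation period")
    low = one_minute_low(c)
    return {
        "max-incomplete high": with_headroom(c.half_open),  # Step 6
        "max-incomplete low": c.half_open,                  # Step 7
        "one-minute high": with_headroom(low),              # Step 9
        "one-minute low": low,                              # Step 8
    }

def inspect_config(c: MaxeverCounters) -> list[str]:
    # Emit the global configuration lines; each high precedes its low so the low
    # threshold is never set above the high threshold in force at that moment.
    return [f"ip inspect {name} {value}" for name, value in dos_thresholds(c).items()]

def crossed_thresholds(current_half_open: int, current_one_minute: int, c: MaxeverCounters) -> list[str]:
    # Step 11 style check: which high thresholds do the current readings exceed?
    t = dos_thresholds(c)
    readings = {"max-incomplete high": current_half_open, "one-minute high": current_one_minute}
    return [name for name, value in readings.items() if value > t[name]]
```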
