Global Parameters


CBAC has a number of global parameters that help manage the session table and also help mitigate DoS attacks. Cisco has configured the global parameters with default values that you can tweak to comply with your organization's own particular network requirements and network security policy.

TCP SYN and TCP FIN Wait Times

As you are aware, TCP is a connection-oriented protocol and relies on a three-way handshake to establish a connection. The three packets that are exchanged with the three-way handshake are a SYN packet, a SYN-ACK packet, and an ACK packet. (Note that SYN, SYN-ACK, ACK, and FIN are actually flags within the TCP packet header. For simplicity, we refer to them as packets and not flags.)

DoS attacks commonly use SYN packets, and CBAC tracks the flow of SYN packets to mitigate a DoS attack. By default, CBAC waits 30 seconds for a TCP session to reach the established state. The established state is the successful completion of a three-way handshake. If 30 seconds elapse before the TCP session reaches the established state, CBAC drops the session.

To change the default time that CBAC waits for a TCP connection to reach the established state, use the following command:

 Router(config)# ip inspect tcp synwait-time seconds

An example that changes the SYN wait time to 25 seconds is shown in Figure 4.2.

Figure 4.2. TCP SYN wait time.

By default, the SYN wait time is 30 seconds for a TCP session to reach the established state.


TCP uses another type of packet, a FIN packet, to gracefully close an established session. Because CBAC inspection uses memory to build the state table, it is a good idea to reclaim those resources after a certain amount of time elapses. By default, CBAC waits 5 seconds before deleting the TCP state table entry after it detects the FIN packet.

To change the default time that CBAC waits before deleting a state table entry after a FIN packet is detected, use the following command:

 Router(config)# ip inspect tcp finwait-time seconds

An example that changes the FIN wait time to 1 second is shown in Figure 4.3.

Figure 4.3. TCP FIN wait time.

By default, the FIN wait time is 5 seconds.


TCP, UDP, and DNS Idle Times

If an IP session is idle, the router continues to maintain the session information in the state table, thus tying up router resources. Idle sessions can also potentially be a security concern because of session hijacking attacks.

Cisco has established global parameters for Domain Name System (DNS), TCP, and UDP idle times.

To change the default time that CBAC manages a session before deleting a state table entry after a specific length of inactivity, use the following commands:

 Router(config)# ip inspect dns-timeout seconds
 Router(config)# ip inspect tcp idle-time seconds
 Router(config)# ip inspect udp idle-time seconds

An example that changes the DNS idle time to 1 second is

 Router(config)# ip inspect dns-timeout 1

An example that changes the TCP idle time to 10 seconds is

 Router(config)# ip inspect tcp idle-time 10

An example that changes the UDP idle time to 3 seconds is

 Router(config)# ip inspect udp idle-time 3

Figure 4.4 displays the configuration of the TCP and UDP idle timers and the DNS idle time.

Figure 4.4. TCP, UDP, and DNS idle timers.

By default, the DNS idle timeout is 5 seconds.


By default, the TCP idle timeout is 3,600 seconds (1 hour).


By default, the UDP idle timeout is 30 seconds.
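The following Python script is an added example, not part of the book or of Cisco IOS. It reads the five global timer commands described above out of a running-config fragment, fills in the IOS defaults for any that are absent, and then works out when CBAC would remove a TCP state-table entry for a given session timeline (SYN wait, idle time, FIN wait). The config fragment and the session timelines are constructed for the example; `effective_timers` and `tcp_entry_removed_at` are this example's own names.

```python
import re

# IOS defaults for the CBAC global timers quoted in the text (seconds).
DEFAULT_TIMERS = {
    "tcp_synwait": 30,   # ip inspect tcp synwait-time
    "tcp_finwait": 5,    # ip inspect tcp finwait-time
    "tcp_idle": 3600,    # ip inspect tcp idle-time
    "udp_idle": 30,      # ip inspect udp idle-time
    "dns_timeout": 5,    # ip inspect dns-timeout
}

# One pattern per global timer command; the captured group is the seconds value.
TIMER_COMMANDS = {
    "tcp_synwait": re.compile(r"^ip inspect tcp synwait-time (\d+)$"),
    "tcp_finwait": re.compile(r"^ip inspect tcp finwait-time (\d+)$"),
    "tcp_idle": re.compile(r"^ip inspect tcp idle-time (\d+)$"),
    "udp_idle": re.compile(r"^ip inspect udp idle-time (\d+)$"),
    "dns_timeout": re.compile(r"^ip inspect dns-timeout (\d+)$"),
}


def effective_timers(running_config: str) -> dict:
    """Apply the `ip inspect` timer lines found in a running-config to the
    IOS defaults and return the values CBAC actually uses."""
    timers = dict(DEFAULT_TIMERS)
    for raw in running_config.splitlines():
        line = raw.strip()
        for key, pattern in TIMER_COMMANDS.items():
            match = pattern.match(line)
            if match:
                timers[key] = int(match.group(1))
    return timers


def tcp_entry_removed_at(timers, syn_at, established_at=None,
                         last_activity=None, fin_at=None):
    """Return (time, reason) for when CBAC deletes a TCP state-table entry.

    The timeline follows the text: a session that is not established within
    synwait-time is dropped; an established session is removed after idle-time
    with no traffic, or finwait-time after a FIN is seen, whichever comes first.
    """
    syn_deadline = syn_at + timers["tcp_synwait"]
    if established_at is None or established_at > syn_deadline:
        return syn_deadline, "synwait-time expired"
    last_activity = established_at if last_activity is None else last_activity
    idle_deadline = last_activity + timers["tcp_idle"]
    if fin_at is not None and fin_at <= idle_deadline:
        return fin_at + timers["tcp_finwait"], "finwait-time expired"
    return idle_deadline, "idle-time expired"


# Constructed running-config fragment using the values from the examples
# above (SYN wait 25 s, FIN wait 1 s, TCP idle 10 s, UDP idle 3 s, DNS 1 s).
SAMPLE_CONFIG = """\
!
hostname R1
ip inspect tcp synwait-time 25
ip inspect tcp finwait-time 1
ip inspect tcp idle-time 10
ip inspect udp idle-time 3
ip inspect dns-timeout 1
!
"""

if __name__ == "__main__":
    timers = effective_timers(SAMPLE_CONFIG)
    print(timers)
    # Handshake never completes: entry dropped 25 s after the SYN.
    print(tcp_entry_removed_at(timers, syn_at=0, established_at=None))
    # Established, then quiet for longer than idle-time; the FIN arrives too late.
    print(tcp_entry_removed_at(timers, 0, 2, last_activity=50, fin_at=70))
    # Established and closed cleanly: entry goes 1 s after the FIN.
    print(tcp_entry_removed_at(timers, 0, 2, last_activity=100, fin_at=105))
```

Running the script against a real `show running-config` output works the same way; any line that is not one of the five timer commands (the `hostname` line here) is ignored, and a timer that is not set falls back to the default the text quotes.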


Half-Open Connection Limits

To protect against DoS attacks, CBAC monitors the number of half-open (embryonic) sessions. CBAC monitors two numbers: the total number of half-open sessions and the rate at which half-open sessions are created.

You use four commands to control half-open sessions. The first pair deals with the total number of half-open sessions, measured on a fixed schedule. The second pair deals with the rate at which half-open sessions are created, while still taking into account the total number of half-open sessions. So, in reality, all four commands measure both totals and rates of establishment.

The commands that configure the total number of half-open sessions are ip inspect max-incomplete high number and ip inspect max-incomplete low number . Even though these commands concern a cumulative value, the router must take measurements to determine whether the high threshold and the low threshold are reached.

The router takes measurements once per minute for the max-incomplete high and the max-incomplete low thresholds.


When the max-incomplete high threshold is exceeded, the router goes into aggressive mode. In aggressive mode, CBAC deletes half-open sessions as required to accommodate new connections that are requested. CBAC deletes half-open sessions beginning with the oldest session first. CBAC continues the deletion process until the max-incomplete low threshold is reached, and then CBAC stops deleting half-open sessions until the number again rises above the max-incomplete high threshold.

The default ip inspect max-incomplete high threshold is 500 half-open sessions.


The default ip inspect max-incomplete low threshold is 400 half-open sessions.


CBAC goes into aggressive mode when the number of half-open sessions exceeds the ip inspect max-incomplete high threshold.


The commands to tweak the ip inspect max-incomplete high threshold and the ip inspect max-incomplete low threshold are

 Router(config)# ip inspect max-incomplete high number
 Router(config)# ip inspect max-incomplete low number

For example, to change the maximum number of half-open sessions to 1,000 before CBAC goes into aggressive mode, use the command shown in Figure 4.5.

Figure 4.5. ip inspect max-incomplete high command.

To change the minimum number of half-open sessions to 600, at which point CBAC discontinues aggressive mode, use the command shown in Figure 4.6.

Figure 4.6. ip inspect max-incomplete low command.
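The aggressive-mode hysteresis between the max-incomplete high and low thresholds is easier to see in a small model than in prose. The following Python class is an added example, not the book's or Cisco's code: it keeps the half-open sessions in arrival order, flips into aggressive mode when the once-per-minute sample finds the total above the high threshold, evicts the oldest entry for each new request while aggressive, and drops back to normal mode once the total is down at the low threshold. `HalfOpenTable`, `simulate`, and the session ids are this example's own names; the scenario uses the values 1,000 and 600 from Figures 4.5 and 4.6 and is constructed, not captured from a router.

```python
from collections import deque


class HalfOpenTable:
    """Model of CBAC's global half-open (embryonic) session limits.

    `high` and `low` correspond to `ip inspect max-incomplete high` and
    `ip inspect max-incomplete low`; the defaults are the IOS defaults
    quoted in the text. The aggressive-mode behaviour is this example's
    reading of the description above, not IOS code."""

    def __init__(self, high: int = 500, low: int = 400):
        if low >= high:
            raise ValueError("max-incomplete low must be below max-incomplete high")
        self.high = high
        self.low = low
        self.aggressive = False
        self.sessions = deque()   # half-open session ids, oldest on the left
        self.deleted = []         # ids CBAC removed to make room

    def count(self) -> int:
        return len(self.sessions)

    def sample(self) -> bool:
        """The once-per-minute measurement: a total above the high
        threshold switches CBAC into aggressive mode."""
        if self.count() > self.high:
            self.aggressive = True
        return self.aggressive

    def new_syn(self, sid: str) -> None:
        """A new embryonic connection is requested."""
        if self.aggressive:
            # Delete the oldest half-open session to make room, and stop
            # once the table is back down at the low threshold.
            self.deleted.append(self.sessions.popleft())
            if self.count() <= self.low:
                self.aggressive = False
        self.sessions.append(sid)

    def established(self, sid: str) -> None:
        """Handshake completed: the session is no longer half-open."""
        self.sessions.remove(sid)
        if self.aggressive and self.count() <= self.low:
            self.aggressive = False


def simulate(high: int = 1000, low: int = 600) -> dict:
    """Constructed scenario using the values from Figures 4.5 and 4.6:
    a SYN burst pushes the table just past `high`, the per-minute sample
    flips CBAC into aggressive mode, 50 later SYNs each evict the oldest
    entry, and aggressive mode ends once enough handshakes complete to
    bring the total down to `low`."""
    table = HalfOpenTable(high, low)
    for i in range(high + 1):
        table.new_syn(f"s{i}")
    became_aggressive = table.sample()
    for i in range(50):                          # 50 more SYNs while aggressive
        table.new_syn(f"n{i}")
    for i in range(50, 50 + (high + 1 - low)):   # enough handshakes complete
        table.established(f"s{i}")
    table.new_syn("after")                       # normal mode: nothing evicted
    return {
        "became_aggressive": became_aggressive,
        "deleted": len(table.deleted),
        "first_deleted": table.deleted[0],
        "still_aggressive": table.aggressive,
        "half_open": table.count(),
    }


if __name__ == "__main__":
    print(simulate())
```

Note that a request arriving while CBAC is aggressive costs the oldest half-open entry, not the newest, which is why the model tracks arrival order; and that the total only falls back to the low threshold through handshakes completing (or, on a real router, the SYN wait timer expiring), since every eviction is paired with a new entry.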

The second set of commands deals with the rate at which half-open sessions are created. As with the max-incomplete commands, CBAC deletes half-open connections to accommodate new connections when a high threshold is exceeded.

The commands that deal with the rate of half-open session establishment are ip inspect one-minute high and ip inspect one-minute low . As you might expect, because these commands concern the rate of session establishment, the router must take measurements to determine whether the thresholds are broached.

With the ip inspect one-minute command, the router measures the rate of session establishment in a rolling 1-minute sampling period.

Do not get confused. The router measures the ip inspect one-minute threshold more frequently than once per minute, contrary to the command's name. Strange, but true.

The ip inspect max-incomplete thresholds use a 1-minute sampling period!


The sampling period for the ip inspect one-minute command matters: because the router measures this rate more frequently than once a minute, over a period shorter than a full minute, it does not continue to delete half-open sessions for a full 1-minute period after the ip inspect one-minute high threshold is reached.

The default ip inspect one-minute high threshold is 500 half-open sessions.


The default ip inspect one-minute low threshold is 400 half-open sessions.


The commands to tweak the ip inspect one-minute high threshold and the ip inspect one-minute low threshold are

 Router(config)# ip inspect one-minute high number
 Router(config)# ip inspect one-minute low number

For example, to change the maximum number of half-open sessions to 350 before CBAC goes into aggressive mode, use the following command:

 Router(config)# ip inspect one-minute high 350

To change the minimum number of half-open sessions to 225, at which point CBAC discontinues aggressive mode, use the following command:

 Router(config)# ip inspect one-minute low 225

Half-Open Connection Limits by Host

The previous four commands measured the embryonic (half-open) connections to all hosts simultaneously. However, wouldn't it also be important to measure the embryonic rate to individual hosts as well? You know the answer to that question, and it is a resounding yes!

The command to measure the embryonic connection rate to single hosts is

 Router(config)# ip inspect tcp max-incomplete host number block-time seconds

That's it; there is just a single command to track the embryonic-connection rate for packets to the same destination IP address. Like the previous Cisco commands, this command has default settings.

The default ip inspect tcp max-incomplete host number threshold is 50 half-open sessions.


The block-time value is an interesting setting and deserves your attention. It is the block-time value that the IOS uses to determine how half-open sessions are deleted. If you leave the block-time value at its default of 0 seconds, the IOS simply deletes the oldest half-open connection first if there is another connection attempt to the same host. This process ensures that the total number of embryonic connections for the same host does not exceed the host threshold that is configured with the host keyword of the ip inspect tcp max-incomplete host command.

The default block-time value is 0 (zero) seconds.


If you configure a value greater than 0 seconds for the block-time, the IOS deletes all embryonic connections to that specific host. Further, the IOS blocks all further connection attempts to that same host for the number of seconds that you configured with the block-time keyword. If you specified 10 seconds and the threshold was exceeded, no user, legitimate or otherwise, can connect to the host for 10 seconds.

This description should make you think DoS! You should definitely exercise due care if you configure a block-time that is greater than 0 because you might be creating your own DoS attacks.

Configuring a block-time value greater than the default of 0 (zero) seconds can cause a DoS attack against yourself.


Let us look at an example that allows only 200 embryonic connections to a single host and, if that threshold is exceeded, blocks all further connection attempts for 1 second.

The configuration for this requirement is

 Router(config)# ip inspect tcp max-incomplete host 200 block-time 1
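To make the difference between block-time 0 and a block-time greater than 0 concrete, the following Python model is an added example, not code from the book or from Cisco IOS. It tracks half-open sessions per destination host, replaces the oldest entry when block-time is 0, and with a non-zero block-time flushes every embryonic session to the host and refuses all new attempts until the window expires, which is exactly the self-inflicted DoS the text warns about. `PerHostLimiter`, `scenario`, the session ids, and the host address 10.1.1.10 are this example's own constructions; the threshold of 200 and the block-time of 1 second come from the configuration above.

```python
from collections import deque


class PerHostLimiter:
    """Model of `ip inspect tcp max-incomplete host <number> block-time <seconds>`.

    The defaults (50 half-open sessions, block-time 0) are the IOS defaults
    quoted in the text; the eviction and blocking behaviour is this example's
    reading of the description above, not IOS code."""

    def __init__(self, host_max: int = 50, block_time: float = 0):
        self.host_max = host_max
        self.block_time = block_time
        self.half_open = {}       # destination -> deque of session ids, oldest first
        self.blocked_until = {}   # destination -> time at which blocking ends
        self.evicted = []         # half-open sessions CBAC deleted

    def count(self, dst: str) -> int:
        return len(self.half_open.get(dst, ()))

    def new_syn(self, now: float, dst: str, sid: str) -> str:
        """Handle a SYN to `dst` at time `now` and report what CBAC did with it."""
        if now < self.blocked_until.get(dst, 0):
            return "blocked"                       # still inside the block-time window
        queue = self.half_open.setdefault(dst, deque())
        if len(queue) < self.host_max:
            queue.append(sid)
            return "accepted"
        # One more half-open session would exceed the host threshold.
        if self.block_time == 0:
            self.evicted.append(queue.popleft())   # drop the oldest, admit the new one
            queue.append(sid)
            return "evicted-oldest"
        self.evicted.extend(queue)                 # block-time > 0: delete every
        queue.clear()                              # embryonic session to this host
        self.blocked_until[dst] = now + self.block_time   # and refuse new attempts,
        return "blocked"                           # legitimate or not, for block-time

    def established(self, dst: str, sid: str) -> None:
        """Handshake completed: the session no longer counts against the host."""
        self.half_open[dst].remove(sid)


def scenario(block_time: float, host_max: int = 200) -> dict:
    """Constructed traffic to one host (address made up): `host_max` SYNs at
    t=0, then single SYNs at t=0.5, 1.0 and 2.0. With the configuration from
    the text (200 sessions, block-time 1) the late SYNs are refused for a full
    second; with block-time 0 only the oldest entry is replaced each time."""
    limiter = PerHostLimiter(host_max, block_time)
    host = "10.1.1.10"
    for i in range(host_max):
        limiter.new_syn(0.0, host, f"s{i}")
    outcomes = [limiter.new_syn(t, host, f"late-{t}") for t in (0.5, 1.0, 2.0)]
    return {"outcomes": outcomes, "half_open": limiter.count(host),
            "evicted": len(limiter.evicted)}


if __name__ == "__main__":
    print("block-time 0:", scenario(0))
    print("block-time 1:", scenario(1))
```

With block-time 0 the host never holds more than 200 embryonic connections and every new attempt is still admitted; with block-time 1 the 201st SYN causes all 200 entries to be deleted and the SYN at t=1.0 is refused even though, in the model, nothing distinguishes it from a legitimate user.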


CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Author: Raman Sud
