CBAC has a number of global parameters that help manage the session table and also help mitigate DoS attacks. Cisco has configured the global parameters with default values that you can tweak to comply with your organization's own particular network requirements and network security policy.

TCP SYN and TCP FIN Wait Times

As you are aware, TCP is a connection-oriented protocol and relies on a three-way handshake to establish a connection. The three packets exchanged in the three-way handshake are a SYN packet, a SYN-ACK packet, and an ACK packet. (Note that SYN, SYN-ACK, ACK, and FIN are actually flags within the TCP packet header. For simplicity, we refer to them as packets and not flags.) DoS attacks commonly use SYN packets, and CBAC tracks the flow of SYN packets to mitigate a DoS attack. By default, CBAC waits 30 seconds for a TCP session to reach the established state, which is the successful completion of the three-way handshake. If 30 seconds elapse before the TCP session reaches the established state, CBAC drops the session. To change the default time that CBAC waits for a TCP connection to reach the established state, use the following command:

Router(config)# ip inspect tcp synwait-time seconds

An example that changes the SYN wait time to 25 seconds is shown in Figure 4.2.

Figure 4.2. TCP SYN wait time.
TCP uses another type of packet, a FIN packet, to gracefully close an established session. Because CBAC inspection uses memory in the creation of the state table, it is a good idea to reclaim resources after a certain amount of time elapses. By default, CBAC waits 5 seconds before deleting TCP state table information after it detects the FIN packet. To change the default time that CBAC waits before deleting a state table entry after a FIN packet is detected, use the following command:

Router(config)# ip inspect tcp finwait-time seconds

An example that changes the FIN wait time to 1 second is shown in Figure 4.3.

Figure 4.3. TCP FIN wait time.
TCP, UDP, and DNS Idle Times

If an IP session is idle, the router continues to maintain the session information in the state table, thus tying up router resources. Idle sessions can also be a security concern because of session hijacking attacks. Cisco has established global parameters for Domain Name System (DNS), TCP, and UDP idle times. To change the default time that CBAC keeps a session in the state table before deleting the entry after a specific length of inactivity, use the following commands:

Router(config)# ip inspect dns-timeout seconds
Router(config)# ip inspect tcp idle-time seconds
Router(config)# ip inspect udp idle-time seconds

An example that changes the DNS idle time to 1 second is

Router(config)# ip inspect dns-timeout 1

An example that changes the TCP idle time to 10 seconds is

Router(config)# ip inspect tcp idle-time 10

An example that changes the UDP idle time to 3 seconds is

Router(config)# ip inspect udp idle-time 3

Figure 4.4 displays the configuration of the TCP and UDP idle timers and the DNS idle time.

Figure 4.4. TCP, UDP, and DNS idle timers.
Half-Open Connection Limits

To protect against DoS attacks, CBAC monitors the number of half-open (embryonic) sessions. CBAC monitors two numbers: the total number of half-open sessions and the rate at which half-open sessions are created. You use four commands to measure half-open sessions. The first set of commands deals with the total number of half-open sessions based on a measurement rate. The second set of commands deals with the rate at which half-open sessions are created while still taking into account the total number of half-open sessions. So, in reality, all four commands measure totals and rates of establishment. The commands that configure the total number of half-open sessions are ip inspect max-incomplete high number and ip inspect max-incomplete low number. Even though these commands concern a cumulative value, the router must take measurements to determine whether the high threshold and the low threshold are reached.
When the max-incomplete high threshold is exceeded, the router goes into aggressive mode. In aggressive mode, CBAC deletes half-open sessions as required to accommodate new connections that are requested, starting with the oldest session. CBAC continues the deletion process until the max-incomplete low threshold is reached, and then CBAC stops deleting half-open sessions until the number again rises above the max-incomplete high threshold.
The commands to tweak the ip inspect max-incomplete high threshold and the ip inspect max-incomplete low threshold are

Router(config)# ip inspect max-incomplete high number
Router(config)# ip inspect max-incomplete low number

For example, to change the maximum number of half-open sessions to 1,000 before CBAC goes into aggressive mode, use the command shown in Figure 4.5.

Figure 4.5. ip inspect max-incomplete high command.
To change the minimum number of half-open sessions to 600, at which point CBAC discontinues aggressive mode, use the command shown in Figure 4.6.

Figure 4.6. ip inspect max-incomplete low command.
The second set of commands deals with the rate at which half-open sessions are created. As with the max-incomplete commands, CBAC deletes half-open connections to accommodate new connections when a high threshold is exceeded. The commands that deal with the rate of half-open session establishment are ip inspect one-minute high and ip inspect one-minute low. As you might expect, because these commands concern the rate of session establishment, the router must take measurements to determine whether the thresholds are crossed. With the ip inspect one-minute command, the router measures the rate of session establishment over a rolling 1-minute sampling period.

Note that the sampling period does not mean the router keeps deleting half-open sessions for a full minute after the ip inspect one-minute high threshold is reached. The rolling sample is updated more often than once a minute, so deletion stops as soon as the measured rate drops back to the ip inspect one-minute low threshold, not after a fixed 1-minute interval.
The commands to tweak the ip inspect one-minute high threshold and the ip inspect one-minute low threshold are

Router(config)# ip inspect one-minute high number
Router(config)# ip inspect one-minute low number

For example, to change the maximum number of half-open sessions to 350 before CBAC goes into aggressive mode, use the following command:

Router(config)# ip inspect one-minute high 350

To change the minimum number of half-open sessions to 225, at which point CBAC discontinues aggressive mode, use the following command:

Router(config)# ip inspect one-minute low 225

Half-Open Connection Limits by Host

The previous four commands measured the embryonic (half-open) connections to all hosts simultaneously. However, wouldn't it also be important to measure the embryonic rate to individual hosts as well? You know the answer to that question, and it is a resounding yes! The command to measure the embryonic connection rate to single hosts is

Router(config)# ip inspect tcp max-incomplete host number block-time seconds

That's it; there is just a single command to track the embryonic-connection rate for packets to the same destination IP address. Like the previous Cisco commands, this command has default settings.
The block-time value is an interesting setting and deserves your attention. It is the block-time value that the IOS uses to determine how half-open sessions are deleted. If you leave the block-time value at its default of 0 seconds, the IOS simply deletes the oldest half-open connection to that host when another connection attempt to the same host arrives. This process ensures that the total number of embryonic connections for the same host does not exceed the host threshold configured with the host keyword of the ip inspect tcp max-incomplete host command.
If you configure a value greater than 0 seconds for the block-time, the IOS deletes all embryonic connections to that specific host. Further, the IOS blocks all further connection attempts to that same host for the number of seconds that you configured with the block-time keyword. If you specified 10 seconds, and the threshold was exceeded, no user, legitimate or otherwise, can connect to the host for 10 seconds. This description should make you think DoS! You should definitely exercise due care if you configure a block-time that is greater than 0 because you might be creating your own DoS condition.
Let us look at an example that allows only 200 embryonic connections to a single host and, if that threshold is exceeded, blocks all further connection attempts for 1 second. The configuration for this requirement is

Router(config)# ip inspect tcp max-incomplete host 200 block-time 1
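The global max-incomplete high/low hysteresis and the per-host block-time behavior described in the preceding sections, as an added simulation that is neither Cisco's code nor part of the original text; the class name, session ids, host names and threshold values are constructed, and time is a caller-supplied integer in seconds:

```python
from collections import OrderedDict


class HalfOpenTable:
    """Constructed model of CBAC half-open (embryonic) session accounting:
    global high/low max-incomplete thresholds with oldest-first deletion, plus
    a per-host limit (host_max) with optional block_time. Times are caller-supplied seconds."""

    def __init__(self, high, low, host_max, block_time=0):
        self.high, self.low = high, low
        self.host_max, self.block_time = host_max, block_time
        self.sessions = OrderedDict()  # sid -> dest host; insertion order = age
        self.aggressive = False
        self.blocked_until = {}        # dest host -> time the block expires
        self.dropped = []              # (reason, sid) audit trail

    def _to_host(self, host):
        return [s for s, h in self.sessions.items() if h == host]

    def syn(self, sid, host, now):
        """New SYN for `host` at time `now`. Returns True if the session is admitted."""
        if self.blocked_until.get(host, 0) > now:
            self.dropped.append(("host-blocked", sid))
            return False
        if len(self._to_host(host)) >= self.host_max:
            if self.block_time == 0:
                oldest = self._to_host(host)[0]      # block-time 0: drop oldest to this host only
                del self.sessions[oldest]
                self.dropped.append(("host-oldest", oldest))
            else:
                for s in self._to_host(host):        # block-time > 0: flush every session to the host
                    del self.sessions[s]
                    self.dropped.append(("host-flush", s))
                self.blocked_until[host] = now + self.block_time
                self.dropped.append(("host-blocked", sid))
                return False                         # nobody reaches this host for block_time seconds
        self.sessions[sid] = host
        if len(self.sessions) > self.high:           # high threshold exceeded: enter aggressive mode
            self.aggressive = True
        if self.aggressive:                          # make room for the new request: delete the oldest
            old, _ = self.sessions.popitem(last=False)
            self.dropped.append(("aggressive", old))
            if len(self.sessions) <= self.low:       # back at the low threshold: leave aggressive mode
                self.aggressive = False
        return True

    def established(self, sid):
        """Handshake completed (or entry timed out): the session leaves the half-open table."""
        self.sessions.pop(sid, None)
```

Walking a few SYNs through the table shows why the two thresholds matter: at the same half-open count, deletion happens only while the aggressive flag is set, and a non-zero block_time refuses legitimate connections to the host for the whole window.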