Embryonic (Half-Open) Sessions
CBAC provides DoS detection and prevention. An unusually high number of half-open sessions (either absolute or
measured as the arrival rate) could indicate the possible occurrence of a denial-of-service attack. Traffic
patterns can be recognized for a TCP SYN-flood type attack. TCP is a connection-oriented transport protocol
that requires completing a three-way handshake. Incomplete (half-open) connections mean that the
session has not completed the TCP three-way handshake; hence, the session is not established. Because UDP is
a connectionless protocol, there is no handshake mechanism; incomplete (half-open) sessions in the UDP context
indicate that the firewall has detected no return traffic.
CBAC monitors the total number of half-open connections and the rate of session establishment attempts for
both TCP and UDP half-open connections. CBAC samples these values several times per minute. Adjusting the
threshold values for network connections helps prevent DoS attacks by controlling the number of half-open
sessions, thereby freeing up system resources tied up by half-open sessions.
Example 5-3 shows a CBAC session table with a few half-open (incomplete) TCP connections.
Example 5-3. Sample Half-Open Connections
Router# show ip inspect session
Half-open Sessions
Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
When the number of half-open connections exceeds the defined threshold (set with ip inspect max-incomplete
high or ip inspect one-minute high number), CBAC deletes subsequent half-open sessions as
required to accommodate new incoming connections. CBAC continues to delete half-open connection
requests as required until the number of existing half-open sessions drops below a second defined threshold
(set with ip inspect max-incomplete low or ip inspect one-minute low number). See Table 5-1 for more
details on these commands and threshold values.
Table 5-1. Global Timeout and Threshold Values

Timeout or Threshold Value | Command | Default
---------------------------|---------|--------
The length of time the software waits for a TCP session to reach the established state before dropping the session | ip inspect tcp synwait-time seconds | 30 seconds
The length of time a TCP session will still be managed after the firewall detects a FIN exchange | ip inspect tcp finwait-time seconds | 5 seconds
The length of time a TCP session will still be managed after no activity (the TCP idle timeout) | ip inspect tcp idle-time seconds | 3600 seconds (1 hour)
The length of time a UDP session will still be managed after no activity (the UDP idle timeout) | ip inspect udp idle-time seconds | 30 seconds
The length of time a DNS name lookup session will still be managed after no activity | ip inspect dns-timeout seconds | 5 seconds
The number of existing half-open sessions that will cause the software to start deleting half-open sessions | ip inspect max-incomplete high number | 500 existing half-open sessions
The number of existing half-open sessions that will cause the software to stop deleting half-open sessions | ip inspect max-incomplete low number | 400 existing half-open sessions
The rate of new unestablished sessions in 1-minute intervals that will cause the software to start deleting half-open sessions | ip inspect one-minute high number | 500 half-open sessions per minute
The rate of new unestablished sessions in 1-minute intervals that will cause the software to stop deleting half-open sessions | ip inspect one-minute low number | 400 half-open sessions per minute
The number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to that destination host address | ip inspect tcp max-incomplete host number block-time minutes | 50 existing half-open TCP sessions; 0 minutes
The information in Table 5-1 is taken from "Configuring Context-Based Access Control" at
http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html#wp4154.
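The following Python script is an added example; it is not from the book and not Cisco code. It parses session lines of the form shown in Example 5-3 (a constructed sample embedded in the script), counts half-open sessions in total and per destination host, and models the start/stop hysteresis between the high and low watermarks described for the max-incomplete and one-minute thresholds in Table 5-1. The 500/400/50 values are the table's defaults; the function names, the regular expression and the assumption that every half-open entry carries the state SIS_OPENING are the example's own.

```python
"""Added example (not from the book or from Cisco): evaluate 'show ip inspect
session' half-open output against CBAC-style thresholds."""
import re
from dataclasses import dataclass

# Constructed sample modelled on Example 5-3; not captured from a real router.
SAMPLE_OUTPUT = """\
Router# show ip inspect session
Half-open Sessions
Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
"""

# Assumed line layout: Session <id> (src:port)=>(dst:port) <proto> <state>
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<state>\S+)"
)


@dataclass
class Session:
    sid: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


def parse_sessions(text):
    """Return one Session per line that matches the assumed layout."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append(Session(m["sid"], m["src"], int(m["sport"]),
                                    m["dst"], int(m["dport"]),
                                    m["proto"], m["state"]))
    return sessions


def half_open_per_host(sessions):
    """Half-open TCP sessions per destination host, the quantity that
    'ip inspect tcp max-incomplete host' is compared against."""
    counts = {}
    for s in sessions:
        if s.proto == "tcp" and s.state == "SIS_OPENING":
            counts[s.dst] = counts.get(s.dst, 0) + 1
    return counts


def simulate_watermarks(samples, high=500, low=400):
    """Model the high/low hysteresis: deletion starts once a sample exceeds
    'high' and stops only once a sample drops below 'low'. Returns, for each
    sample, whether CBAC would be in deletion mode. The same logic applies to
    the absolute count (max-incomplete) and to the per-minute rate (one-minute)."""
    deleting = False
    states = []
    for count in samples:
        if not deleting and count > high:
            deleting = True
        elif deleting and count < low:
            deleting = False
        states.append(deleting)
    return states


def evaluate(text, high=500, low=400, per_host=50):
    """Summarize one capture: total half-open sessions, hosts over the
    per-host threshold, and whether the absolute high watermark is exceeded."""
    sessions = parse_sessions(text)
    half_open = [s for s in sessions if s.state == "SIS_OPENING"]
    per = half_open_per_host(sessions)
    return {
        "total_half_open": len(half_open),
        "per_host": per,
        "hosts_over_limit": sorted(h for h, n in per.items() if n > per_host),
        "over_high_watermark": len(half_open) > high,
        # Starting state of the hysteresis for this single sample
        "deleting": simulate_watermarks([len(half_open)], high, low)[0],
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_OUTPUT))
    # Constructed per-minute samples to show the start/stop behaviour
    print(simulate_watermarks([100, 501, 450, 399, 600]))
```

The hysteresis in `simulate_watermarks` is the point worth noticing: a count of 450 keeps deletion running because it has not yet fallen below the low threshold, which is why the table defines the high and low values as a pair rather than a single cutoff.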