CBAC: how to block infected host?

ovt
Level 4

Hi!

Is it possible to block a host infected by a worm and generating lots of TCP SYNs using IOS Firewall and/or other IOS features?

IPS appliance is not an option in our net. We have just IOS router - nothing else.

Unfortunately

ip inspect tcp max-incomplete host N block-time minutes

blocks DestinationIP, not the SourceIP.

Is it possible to use IOS IPS and Sig 3050 with "deny-attacker-inline" to achieve our goal?

Any ideas?
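For readers who want to see the CBAC half-open thresholds the question refers to in context, here is an added configuration example (not from the thread and not the poster's own setup). The inspection rule name FW, the interface name and all numeric thresholds are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): CBAC inspection with half-open
! session thresholds. Rule name, interface and numbers are assumptions.
!
! Aggregate half-open limits across all hosts: start dropping new
! half-open sessions at 500, stop dropping once back down to 400.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! Same idea measured as a one-minute rate of new connection attempts.
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit: once a single destination host has 50 half-open TCP
! sessions, new attempts to that host are blocked for 2 minutes. As the
! question notes, this counter is keyed on the destination address.
ip inspect tcp max-incomplete host 50 block-time 2
! Emit session audit messages to syslog so threshold events are visible.
ip inspect audit-trail
!
ip inspect name FW tcp
ip inspect name FW udp
!
interface FastEthernet0/0
 description inside LAN (assumed)
 ip inspect FW in
!
! Verification commands:
! show ip inspect config      - configured thresholds and rules
! show ip inspect sessions    - current half-open and established sessions
! show ip inspect statistics  - counters, including half-open sessions
```

The aggregate and one-minute thresholds limit how much SYN load passes through the router as a whole, while the per-host limit only protects a destination; a worm-infected source spraying SYNs across many destinations is therefore slowed by the aggregate limits but not singled out by the per-host one, which is the gap the question describes.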

2 Replies

The same is acceptable for IOS IPS? Not sure. Most of the IOS IPS functionality is not production-ready. Simply put, it doesn't work at all. You cannot even edit signature parameters in post-12.4(11)T (IPS5) releases, because SDM is broken. IOS IPS still lacks many important micro-engines. It is vulnerable to simple evasion attacks. And it doesn't work with IEV due to an unknown bug.

Did _you_ test Sig 3050 in IOS IPS?

In my understanding, IOS Firewall CBAC code itself should have functionality to block a host initiating too many TCP sessions (or too many half-open TCP sessions). (BTW Sig 3050 _is_ based on the CBAC code). And I don't understand why this is not implemented by Cisco.
