Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
247
Views
0
Helpful
1
Replies

DOS Causing NAT Problems

tsadmin
Level 1
Level 1

‎02-09-2004 04:42 PM - edited ‎03-02-2019 01:28 PM

Hello;

We currently are operating a campus network with two 75XX routers serving approx. 1000 users. These routers are running HSRP and Stateful NAT to allow internal users access to the Internet.

ACL's are applied inbound to prevent ICMP and other MS exploits from bringing down the network in the event of a SLAMMER or BLASTER/NACHI attack using ICMP or TCP 135-139/445.

However, several nasty worms attempt DOS attacks by using plain old port 80 to overload their targets (usually MS). This results in 10's of thousands of NAT sessions being opened on the router, eventually resulting in a router crash due to memory fragmentation.

As a solution, I would like to limit the amount of NAT sessions a given subnet/subinterface may be permitted to open so that if a worm gets launched, the subnet would simply become maxxed-out and prevent additional sessions from being opened.

A cursory CCO search shows me that there is a NAT rate-limiting feature available, but it only allows 1 NAT rate-limiting rule for the whole router! This is not feasible, as a single rouge machine would bring the router up to its max. NAT limit and prevent other users from surfing.

Additionally, I don't want to rate-limit HTTP, as that would affect the users' surfing experience as well.

I also am considering an external NAT device that would sit next to the 75XX's that could handle more sessions during a DOS, but I think that I would end up losing the Stateful NAT feature, which has proven to be a near-perfect redundancy feature that results in users never experiencing downtime during an HSRP failover.

Any comments or suggestions are sincerely appreciated.

Labels:
0 Helpful
1 Reply 1

owillins
Level 6
Level 6

‎02-13-2004 12:18 PM

The best solution is to use IDS, since it will detect the connections started by the virus and do blocking.

As you already mentioned, to limit the number of NAT entries, on IOS you can do "ip nat translation max-entries", this will limit the NAT entries in the nat table, so that it doesn't go beyond a certain level. However this is a global command, you can't do it per ip pool. A single user might take up all available connections, this will not load the router, but other users can't connect anymore.

0 Helpful
Customers Also Viewed These Support Documents