IDS IP blocking limitations

I have experimented with automated blocking, using an IDSM-2 to control ACLs on my edge 7200s. The issues I had were with the very low limits on manual blocking and manual whitelists. Also my pre-block and post-block ACLs are 1000 lines long in total and change frequently. What's lacking is a 'refresh' command in IDS MC, to make the IDS re-integrate changes to the pre- and post-block lists. I'd also like a way to label entries in the manual blocks and whitelist entries, so that other console users can see why those IPs are blocked/whitelisted.

My biggest issue is the 250 block limit; we regularly get DDoSed by far more than this. Has anyone had any issues with setting this at 1000 or so?

TIA

Simon

4 Replies

umedryk
Level 5

As far as my knowledge goes, there should be no issues in this.

astuckey
Level 1

Long router ACLs can cause significant CPU consumption. This will likely be traffic dependent. PIX devices deal better with a large shun list. If you are going to greatly raise the shun limit, I would highly recommend using a PIX.

proxel
Level 1

Hi Simon,

I'm working with an IDS4215.

In order to refresh the pre/post-block ACL, I select, via IDM, the Configuration Tab, then Blocking -> Router Blocking Device Interfaces -> I select the device I want to update -> Edit -> Apply to Sensor.

HTH

Stefano

marcabal
Cisco Employee

If you change the Pre and/or Post ACLs, then I generally recommend that you temporarily tell the sensor to stop making changes on the router.

We have situations (most often with low end routers) where the router can get confused if the sensor is making ACL changes on the router at the same time a network administrator is making changes in the router's config.

To prevent this problem I generally tell customers to temporarily disable blocking while making the changes. This is best done through IDM or CLI since it is a temporary change on the sensor (instead of IDS MC which doesn't have this feature because the IDS MC is built more for maintaining permanent configuration changes).

For IDM:

1) Access the Blocking configuration screen:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#32439

2) Uncheck the "Enable Blocking" checkbox.

3) Click on Apply to Sensor

The sensor should now stop communicating with the routers.

If you've already updated the router config, then proceed to step 4.

If not, then the network administrator can now go and reconfigure the router as needed (adding entries to the pre and post ACLs, for example) without having to worry about the sensor changing the configuration underneath them.

When finished go to step 4.

4) Get back to the same Blocking configuration window.

5) Check the Enable Blocking checkbox.

6) Click on Apply to Sensor.

The sensor should reconnect to the devices, and the first thing it will do is read in the modified configuration. So if you've changed the Pre and Post ACLs it will read in those changes and use those for the new ACLs it creates.

As for the number of blocks that the sensor can do, the real issue is your router and not the sensor. Most low end routers support fewer ACL entries than higher end routers. So if the sensor is managing a slower router then reduce the number of blocks.

The other issue is the number of interfaces/directions being managed on that router. If only one interface/direction is being managed then only one ACL created by the sensor will be active at a time. BUT if you manage 6 interfaces/directions then 6 ACLs will be active. Just like with the number of entries in the ACL, the number of actual ACLs also makes a difference on the router.

I would recommend starting with the default 250 and slowly increasing it by 25 or 50. Eventually you will either reach the 1000 you want, or will reach a point that the router starts having issues.

You might also consider reading the documentation for your routers; you may be able to find the number of ACL entries your router can support.
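To make the sizing argument in the reply above concrete, here is an added example (not Cisco's code and not posted by anyone in this thread) that models how the sensor assembles each router ACL: the operator's Pre-Block entries first, one deny line per blocked host, the Post-Block entries, then a final permit. It also applies the manual whitelist, enforces the block limit, and reports how many ACEs each managed interface/direction would carry, so you can compare the worst case at a given block limit against the ACL capacity in your router's documentation. The ACL names, the ACE format, and the policy of refusing new blocks once the limit is reached are illustrative assumptions, not documented sensor behaviour; the sample configuration and block requests are constructed for the example.

```python
"""Model of the router ACL a Cisco IDS sensor maintains (illustrative, not the sensor's real output)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockingConfig:
    """Sensor-side blocking settings, named after the knobs discussed in the thread."""
    max_blocks: int = 250                                   # sensor default
    never_block: list[str] = field(default_factory=list)    # manual whitelist: hosts or CIDRs
    pre_block: list[str] = field(default_factory=list)      # operator ACEs placed before the sensor's denies
    post_block: list[str] = field(default_factory=list)     # operator ACEs placed after the sensor's denies
    interface_directions: list[tuple[str, str]] = field(default_factory=list)  # e.g. ("Gi0/0", "in")


def admit_blocks(requested: list[str], cfg: BlockingConfig) -> tuple[list[str], dict[str, str]]:
    """Return the hosts that will actually be blocked, plus a reason for each request dropped.

    Whitelisted addresses are never blocked. Once max_blocks is reached further requests
    are refused; that overflow policy is an assumption of this model only.
    """
    whitelist = [ipaddress.ip_network(n, strict=False) for n in cfg.never_block]
    accepted: list[str] = []
    dropped: dict[str, str] = {}
    for addr in requested:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            dropped[addr] = "not an IP address"
            continue
        if any(ip in net for net in whitelist):
            dropped[addr] = "whitelisted"
        elif str(ip) in accepted:
            dropped[addr] = "duplicate"
        elif len(accepted) >= cfg.max_blocks:
            dropped[addr] = "block limit reached"
        else:
            accepted.append(str(ip))
    return accepted, dropped


def render_acl(name: str, blocks: list[str], cfg: BlockingConfig) -> list[str]:
    """Assemble one IOS extended ACL: pre-block ACEs, sensor denies, post-block ACEs, final permit."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {ace}" for ace in cfg.pre_block]
    lines += [f" deny ip host {host} any" for host in blocks]   # one ACE per blocked host
    lines += [f" {ace}" for ace in cfg.post_block]
    lines.append(" permit ip any any")
    return lines


def router_load(blocks: list[str], cfg: BlockingConfig) -> dict[str, int]:
    """ACE count per managed interface/direction; each one carries its own active ACL."""
    load: dict[str, int] = {}
    for intf, direction in cfg.interface_directions:
        name = f"IDS_{intf}_{direction}"                    # naming is illustrative only
        load[name] = len(render_acl(name, blocks, cfg)) - 1  # exclude the header line
    return load


def worst_case_aces(cfg: BlockingConfig) -> tuple[int, int]:
    """(ACEs per ACL, ACEs across all managed interface/directions) when the block list is full."""
    per_acl = len(cfg.pre_block) + cfg.max_blocks + len(cfg.post_block) + 1
    return per_acl, per_acl * len(cfg.interface_directions)


# Constructed sample configuration: a small block limit keeps the rendered ACL short.
SAMPLE_CFG = BlockingConfig(
    max_blocks=5,
    never_block=["203.0.113.10", "198.51.100.0/24"],
    pre_block=["permit udp any any eq 123", "permit tcp any host 203.0.113.10 eq 22"],
    post_block=["deny ip 10.0.0.0 0.255.255.255 any"],
    interface_directions=[("Gi0/0", "in"), ("Gi0/1", "out")],
)

# Constructed block requests, in the order the sensor would receive them.
SAMPLE_REQUESTS = [
    "192.0.2.1", "198.51.100.7", "192.0.2.2", "192.0.2.1", "not-an-ip",
    "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6",
]

if __name__ == "__main__":
    blocked, dropped = admit_blocks(SAMPLE_REQUESTS, SAMPLE_CFG)
    print("\n".join(render_acl("IDS_Gi0/0_in", blocked, SAMPLE_CFG)))
    print("dropped:", dropped)
    print("load:", router_load(blocked, SAMPLE_CFG))
    print("worst case at limit (per ACL, total):", worst_case_aces(SAMPLE_CFG))
```

With the thread's defaults, `worst_case_aces(BlockingConfig(interface_directions=[("Gi0/0", "in")] * 6))` gives 251 ACEs per ACL and 1506 in total, which is the figure to compare against your router's documented ACL capacity before raising the limit toward 1000.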