09-23-2012 06:20 AM - edited 03-07-2019 09:02 AM
Referring to the following link, which provides a list of default values for the firewall settings,
I would like to know how to determine appropriate DoS parameters adjusted to your network's normal behavior, and how to prevent the DoS protection mechanism from causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.
Will those default values be the most acceptable levels for balancing the network's normal behavior against DoS protection?
Does anyone have any suggestions?
Thanks in advance for any suggestions
ip inspect max-incomplete high value (default 500)
ip inspect max-incomplete low value (default 400)
ip inspect one-minute high value (default 500)
ip inspect one-minute low value (default 400)
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
09-23-2012 08:56 AM
Duplicated post
Best Regards
Giuseppe
09-23-2012 04:40 PM
There was a network connection issue when I posted the first question, so I assumed the first post was not successful, but it works now.
Does anyone have any suggestions on how to delete the duplicated post?
09-23-2012 02:53 PM
Hi Oem,
Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The no version restores the default value.
Defines the connection establishment rate at which the router starts deleting half-complete sessions (the high value) and stops deleting half-complete sessions (the low value). The no version restores the default value.
Defines the number of half-open (incomplete) sessions that will cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value). The no version restores the default value
http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands127.html
http://www.juniper.net/techpubs/software/erx/junose700/swcmdref-a-m/html/i-commands125.html
hope this helps.
please rate if this helps
thanks
09-23-2012 04:39 PM
Referring to the following settings, what period do the 400 or 500 ip inspect values refer to? One minute?
In other words, does it mean that if the firewall finds more than 400 connections from any specific IP address within a specific time, it will then block that IP as a DoS protection mechanism?
So those DoS parameters can be adjusted based on the administrator's judgement in balancing the network's normal behavior against DoS protection. For better protection, if a low value (30) and a high value (60) are selected, does anyone have any suggestions on the pros and cons of this setting versus the default one?
Does anyone have any suggestions?
Thanks everyone very much for any suggestions
ip inspect max-incomplete high value (default 500)
ip inspect max-incomplete low value (default 400)
09-23-2012 06:02 PM
Hello,
Yes, the 400 or 500 ip inspect values refer to 1 minute, which is the default.
It maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the operation of the router, whether the connections have been successful or not. A rising connection rate can be indicative of a worm infection on a private network or an attempted DoS attack against a server.
Yes, you can tweak this config, but be sure that your network is not infected with viruses or worms, which may generate some connections.
http://dynamips.blogspot.co.nz/2007/09/detecing-and-protecting-against-dos.html
please rate if this helps.
thanks
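The parameters listed in the first post and the one-minute counter described in the answer above can be hard to reason about from the CLI help alone, so here is an added example (not code from the thread or from Cisco) that models their behavior in Python. It follows the documented semantics: max-incomplete high/low are watermarks on the total number of half-open sessions, one-minute high/low are watermarks on the number of new connection attempts seen in the previous minute, and tcp max-incomplete host caps half-open TCP sessions per destination host, either deleting the oldest one (block-time 0) or blocking new requests to that host for block-time minutes. The traffic samples are constructed, and the sizing rule in suggest_thresholds (high = 1.5 x observed peak, low = 80% of high, mirroring the 500/400 default ratio) is an assumption for illustration, not a Cisco recommendation.

```python
# Added example: a simplified model of the Cisco IOS Firewall (CBAC)
# "ip inspect" DoS thresholds and a heuristic for sizing them from a baseline.
# Threshold semantics follow Cisco's documentation; samples are constructed and
# the sizing rule is an assumption, not a vendor recommendation.
import math
from dataclasses import dataclass


@dataclass
class Thresholds:
    max_incomplete_high: int = 500  # total half-open sessions: start deleting
    max_incomplete_low: int = 400   # total half-open sessions: stop deleting
    one_minute_high: int = 500      # new connection attempts in the prior minute
    one_minute_low: int = 400
    tcp_host_max: int = 50          # half-open TCP sessions to one destination
    block_time: int = 0             # minutes to block a host once tcp_host_max is hit


class Watermark:
    """High/low hysteresis: trip above high, release only once below low."""

    def __init__(self, high, low):
        if low >= high:
            raise ValueError("low watermark must be below high watermark")
        self.high, self.low, self.active = high, low, False

    def update(self, value):
        if not self.active and value > self.high:
            self.active = True
        elif self.active and value < self.low:
            self.active = False
        return self.active


class CbacModel:
    def __init__(self, t):
        self.t = t
        self.half_open = Watermark(t.max_incomplete_high, t.max_incomplete_low)
        self.rate = Watermark(t.one_minute_high, t.one_minute_low)
        self.per_host = {}       # dst -> half-open session ids, oldest first
        self.blocked_until = {}  # dst -> minute at which the block expires

    def aggressive_mode(self, half_open_total, attempts_last_minute):
        """Router-wide state for one sampling interval: either counter can trip it."""
        a = self.half_open.update(half_open_total)
        b = self.rate.update(attempts_last_minute)
        return a or b

    def new_tcp_syn(self, dst, session_id, minute):
        """Per-host limit. Returns 'accepted', 'accepted_oldest_deleted' or 'dropped'."""
        if self.blocked_until.get(dst, -1) > minute:
            return "dropped"
        q = self.per_host.setdefault(dst, [])
        if len(q) < self.t.tcp_host_max:
            q.append(session_id)
            return "accepted"
        if self.t.block_time == 0:
            q.pop(0)  # block-time 0: delete the oldest half-open session instead
            q.append(session_id)
            return "accepted_oldest_deleted"
        q.clear()     # block-time > 0: clear the host's half-open sessions ...
        self.blocked_until[dst] = minute + self.t.block_time  # ... and block it
        return "dropped"

    def complete(self, dst, session_id):
        """A finished handshake is no longer half-open."""
        q = self.per_host.get(dst, [])
        if session_id in q:
            q.remove(session_id)


def suggest_thresholds(peaks, headroom=1.5, low_ratio=0.8):
    """Heuristic (assumption): size high above the observed normal peak of
    half-open sessions, and low at 80% of high like the 500/400 defaults."""
    high = math.ceil(max(peaks) * headroom)
    low = math.floor(high * low_ratio)
    return high, low


def render_cli(high, low):
    return [f"ip inspect max-incomplete high {high}",
            f"ip inspect max-incomplete low {low}"]


if __name__ == "__main__":
    # Constructed baseline: per-minute peaks of half-open sessions during a quiet hour.
    baseline = [22, 31, 28, 40, 35, 27, 45, 38, 30, 26, 33, 41]
    high, low = suggest_thresholds(baseline)
    print("\n".join(render_cli(high, low)))
    m = CbacModel(Thresholds(max_incomplete_high=high, max_incomplete_low=low))
    for sample in [40, 70, 60, 55, 50, 40]:  # constructed half-open counts per minute
        print(f"half-open={sample:3d} aggressive={m.aggressive_mode(sample, sample * 3)}")
```

The hysteresis is the point to notice: once the count crosses high, the router keeps deleting half-open sessions until the count drops below low, so a low value set very close to high (or the 30/60 pair proposed in the thread, on a network whose normal peak is already near 45) means flapping in and out of aggressive mode during ordinary load. Sizing from a measured baseline, as suggest_thresholds does, is what "adjusted to your network's normal behavior" amounts to in practice.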
09-23-2012 07:27 PM
If the general public can download data from the web server, but I would like to prevent any robot from doing it, does anyone have any suggestions on which one (TCP, UDP, or ICMP) I should monitor for its activities? Furthermore, what is a good approach to detecting a robot's activities? Once I find it, I would block its IP for a specific period.
On the other hand, regarding the default values on the firewall: if the default value is the sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts within the prior minute of the router's operation, it seems to me that there is no specific setting for only a specific connection type. At this moment, I don't know which connection is used for downloading data from the web server; if I change the default value, it will apply to all connections (TCP, UDP, ICMP, etc.).
So determining the value is my concern, so as not to affect other connections' usage.
Does anyone have any suggestions?
Thanks everyone very much for any suggestions