CBAC: how to block infected host?

Unanswered Question

Hi!

Is it possible to block a host infected by a worm and generating lots of TCP SYNs using IOS Firewall and/or other IOS features?

IPS appliance is not an option in our net. We have just IOS router - nothing else.

Unfortunately

ip inspect tcp max-incomplete host N block-time minutes

blocks DestinationIP, not the SourceIP.

Is it possible to use IOS IPS and Sig 3050 with "deny-attacker-inline" to achieve our goal?

Any ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

The same is acceptable for IOS IPS? Not sure. Most of the IOS IPS functionality is not production-ready. Simply put, it doesn't work at all. You cannot even edit signature parameters in post-12.4(11)T (IPS5) releases, because SDM is broken. IOS IPS still lacks many important micro-engines. It is vulnerable to simple evasion attacks. And it doesn't work with IEV due to an unknown bug.

Did _you_ test Sig 3050 in IOS IPS?

In my understanding, IOS Firewall CBAC code itself should have functionality to block a host initiating to many TCP sessions (or too many half-open TCP sessions). (BTW Sig 3050 _is_ based on the CBAC code). And I don't understand why is this not implemented by cisco.

Actions

This Discussion