CBAC: how to block infected host?

ovt · ‎09-17-2007

Hi!

Is it possible to block a host infected by a worm and generating lots of TCP SYNs using IOS Firewall and/or other IOS features?

IPS appliance is not an option in our net. We have just IOS router - nothing else.

Unfortunately

ip inspect tcp max-incomplete host N block-time minutes

blocks DestinationIP, not the SourceIP.

Is it possible to use IOS IPS and Sig 3050 with "deny-attacker-inline" to achieve our goal?

Any ideas?

a.alekseev · ‎09-17-2007

http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801aedd6.html

http://cisco.com/en/US/products/products_security_advisory09186a00801d3afb.shtml

-----------------------------------

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7a.html#wp1037102

the same are acceptable for IOS IPS

ovt · ‎09-17-2007

The same is acceptable for IOS IPS? Not sure. Most of the IOS IPS functionality is not production-ready. Simply put, it doesn't work at all. You cannot even edit signature parameters in post-12.4(11)T (IPS5) releases, because SDM is broken. IOS IPS still lacks many important micro-engines. It is vulnerable to simple evasion attacks. And it doesn't work with IEV due to an unknown bug.

Did _you_ test Sig 3050 in IOS IPS?

In my understanding, IOS Firewall CBAC code itself should have functionality to block a host initiating to many TCP sessions (or too many half-open TCP sessions). (BTW Sig 3050 _is_ based on the CBAC code). And I don't understand why is this not implemented by cisco.