Limiting established TCP sessions

Unanswered Question
Oct 4th, 2007
User Badges:

Hi everyone,


I've got an extremely stupid question - is there an IOS feature which I could use to limit the number of simultaneous established TCP sessions towards a single host? Sounds like stateful inspection but haven't seen such a thing there. TCP Intercept can't work here as it monitors half-open connections and the number of SYN packets received in the last minute. I ran out of ideas, can you help?


Best Regards,


Stefan Stefanov

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
PAUL GILBERT ARIAS Thu, 10/04/2007 - 15:59
User Badges:
  • Silver, 250 points or more

Hello,

On the router I am not sure if there is an option to specify the amount of established connection per host but I was able to find a command for the IOS firewall feature set that allows certain amount of half open connections per host.

The command is:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfcbac.html#wp1018124


On the pix you can use an option on the NAT statement where you define the max number of connections allowed.

Check the following link for the NAT command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129


nat [(local_interface)] id local_ip [mask [dns] [outside | [norandomseq] [max_conns [emb_limit]]]]


max_conns:

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)


You have the same option on the static command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694


thegrave2000 Fri, 10/05/2007 - 03:54
User Badges:

The first thing you pointed is CBAC which implements TCP Intercept which monitors only half-open connections. I know about the ASA solution but only have a 1812 router in customer premises so I'm trying to solve this with IOS. Now something else came to my mind - SLB provides a feature limiting the number of active connections:


Router(config-slb-real)# maxconns maximum-number


Specifies the maximum number of active connections allowed on the real server at one time.


The only problem is that SLB is not available for 1812:) Looking for other options now...

Actions

This Discussion