Alerts. What do these mean?

Answered Question

I'm getting the following alerts on my 2851 that are filling up my logs. Can anyone help me understand what they are and how I can correct this issue?

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

Thanks

I have this problem too.
0 votes
Correct Answer by Pravin Phadte about 8 years 6 months ago

Hi,

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

In this example, the first alert message displays the number of half-open sessions (501) and the current limit (500). In the last minute, 394 connection attempts were made. From CBAC's perspective, this is the beginning of a DoS attack. The second message, ALERT OFF, indicates that the number of connections, through both dropping and normal setup completion, has fallen below the minimum threshold (400). In this case, the value is 5, indicating that CBAC dropped some and that the rest were initiated normally.

The combination of both an ON and a OFF message indicates a separate attack. These messages are used for both the maximum number of half-open sessions and the maximum number of new connection attempts in a 1-minute interval.

If a DoS attack is geared at a specific host, you would see the following alert messages:

000022: Jan 02 15:42:11.048: %FW-4-HOST_TCP_ALERT_ON:Max tcp half open connections (50) exceeded for host 192.1.1.2

000023: Jan 02 15:42:11.361: %FW-4-BLOCK_HOST:Blocking new TCP connections to host 192.1.1.2 for 2 minutes (half-open count 50 exceeded)

000024: Jan 02 15:44:11.372:%FW-4-UNBLOCK_HOST:New TCP connections to host 192.1.1.2 no longer blocked

In this example, the first message indicates that the maximum number of half-open TCP connections destined to 192.1.1.2 was exceeded (the limit is 50). The second message indicates that the blocking interval was defined at 2 minutes, so subsequent TCP connection requests are denied. The third message indicates that the 2-minute blocking interval has expired and that new connection requests are allowed to 192.1.1.2.

Context-Based Access Control (CBAC)

CBAC is the heart of the IOS Firewall feature set. CBAC Intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to only allow traffic from the external network that was initiated from the internal network. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

What CBAC does NOT do?

CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protectednetwork.CBAC protects against certain attacks, but should not be considered a perfect, impenetrable defense. CBAC detects and prevents most of the popular attackson your network.

Its depends on the configuration that has been done on the device. I feel we cant end up saying this is a DOS attack.

Hope this is helpful.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Tue, 06/03/2008 - 07:16

Chad

I agree not great in terms of IP address details. Bear in mind as well that the documentation is careful to say it may be a DOS attack as quite often this could be legitimate traffic.

You could log all access which would show you the IP addresses attempting to connect but that would really fill your logs up very quickly indeed. You could temporarily log all access if this is happening all the time and then you would at least see the source IP addresses although whether that would help is debatable.

Jon

Correct Answer
Pravin Phadte Tue, 06/03/2008 - 07:33

Hi,

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

In this example, the first alert message displays the number of half-open sessions (501) and the current limit (500). In the last minute, 394 connection attempts were made. From CBAC's perspective, this is the beginning of a DoS attack. The second message, ALERT OFF, indicates that the number of connections, through both dropping and normal setup completion, has fallen below the minimum threshold (400). In this case, the value is 5, indicating that CBAC dropped some and that the rest were initiated normally.

The combination of both an ON and a OFF message indicates a separate attack. These messages are used for both the maximum number of half-open sessions and the maximum number of new connection attempts in a 1-minute interval.

If a DoS attack is geared at a specific host, you would see the following alert messages:

000022: Jan 02 15:42:11.048: %FW-4-HOST_TCP_ALERT_ON:Max tcp half open connections (50) exceeded for host 192.1.1.2

000023: Jan 02 15:42:11.361: %FW-4-BLOCK_HOST:Blocking new TCP connections to host 192.1.1.2 for 2 minutes (half-open count 50 exceeded)

000024: Jan 02 15:44:11.372:%FW-4-UNBLOCK_HOST:New TCP connections to host 192.1.1.2 no longer blocked

In this example, the first message indicates that the maximum number of half-open TCP connections destined to 192.1.1.2 was exceeded (the limit is 50). The second message indicates that the blocking interval was defined at 2 minutes, so subsequent TCP connection requests are denied. The third message indicates that the 2-minute blocking interval has expired and that new connection requests are allowed to 192.1.1.2.

Context-Based Access Control (CBAC)

CBAC is the heart of the IOS Firewall feature set. CBAC Intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to only allow traffic from the external network that was initiated from the internal network. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

What CBAC does NOT do?

CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protectednetwork.CBAC protects against certain attacks, but should not be considered a perfect, impenetrable defense. CBAC detects and prevents most of the popular attackson your network.

Its depends on the configuration that has been done on the device. I feel we cant end up saying this is a DOS attack.

Hope this is helpful.

Actions

This Discussion