Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2025
Views
0
Helpful
5
Replies

Alerts. What do these mean?

Go to solution
cwschow
Level 1
Level 1

‎06-03-2008 06:58 AM - edited ‎03-03-2019 10:12 PM

I'm getting the following alerts on my 2851 that are filling up my logs. Can anyone help me understand what they are and how I can correct this issue?

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pravin Phadte
Level 5
Level 5
In response to cwschow

‎06-03-2008 07:33 AM

Hi,

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

In this example, the first alert message displays the number of half-open sessions (501) and the current limit (500). In the last minute, 394 connection attempts were made. From CBAC's perspective, this is the beginning of a DoS attack. The second message, ALERT OFF, indicates that the number of connections, through both dropping and normal setup completion, has fallen below the minimum threshold (400). In this case, the value is 5, indicating that CBAC dropped some and that the rest were initiated normally.

The combination of both an ON and a OFF message indicates a separate attack. These messages are used for both the maximum number of half-open sessions and the maximum number of new connection attempts in a 1-minute interval.

If a DoS attack is geared at a specific host, you would see the following alert messages:

000022: Jan 02 15:42:11.048: %FW-4-HOST_TCP_ALERT_ON:Max tcp half open connections (50) exceeded for host 192.1.1.2

000023: Jan 02 15:42:11.361: %FW-4-BLOCK_HOST:Blocking new TCP connections to host 192.1.1.2 for 2 minutes (half-open count 50 exceeded)

000024: Jan 02 15:44:11.372:%FW-4-UNBLOCK_HOST:New TCP connections to host 192.1.1.2 no longer blocked

In this example, the first message indicates that the maximum number of half-open TCP connections destined to 192.1.1.2 was exceeded (the limit is 50). The second message indicates that the blocking interval was defined at 2 minutes, so subsequent TCP connection requests are denied. The third message indicates that the 2-minute blocking interval has expired and that new connection requests are allowed to 192.1.1.2.

Context-Based Access Control (CBAC)

CBAC is the heart of the IOS Firewall feature set. CBAC Intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to only allow traffic from the external network that was initiated from the internal network. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

What CBAC does NOT do?

CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protectednetwork.CBAC protects against certain attacks, but should not be considered a perfect, impenetrable defense. CBAC detects and prevents most of the popular attackson your network.

Its depends on the configuration that has been done on the device. I feel we cant end up saying this is a DOS attack.

Hope this is helpful.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-03-2008 07:01 AM

They are possible signs of a denial of service attack. They are being generated by CBAC (IOS firewall) running on your router. See this link for more details:

http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/firewall.html#wp18517

Jon

0 Helpful

Go to solution
cwschow
Level 1
Level 1
In response to Jon Marshall

‎06-03-2008 07:08 AM

Thanks Jon. So if I am getting DOS attacks on my router, how can I determine who or which IP is sending the attacks and on which port? These alerts aren't very descriptive.

Chad

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to cwschow

‎06-03-2008 07:16 AM

Chad

I agree not great in terms of IP address details. Bear in mind as well that the documentation is careful to say it may be a DOS attack as quite often this could be legitimate traffic.

You could log all access which would show you the IP addresses attempting to connect but that would really fill your logs up very quickly indeed. You could temporarily log all access if this is happening all the time and then you would at least see the source IP addresses although whether that would help is debatable.

Jon

0 Helpful

Go to solution
Pravin Phadte
Level 5
Level 5
In response to cwschow

‎06-03-2008 07:33 AM

Hi,

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

In this example, the first alert message displays the number of half-open sessions (501) and the current limit (500). In the last minute, 394 connection attempts were made. From CBAC's perspective, this is the beginning of a DoS attack. The second message, ALERT OFF, indicates that the number of connections, through both dropping and normal setup completion, has fallen below the minimum threshold (400). In this case, the value is 5, indicating that CBAC dropped some and that the rest were initiated normally.

The combination of both an ON and a OFF message indicates a separate attack. These messages are used for both the maximum number of half-open sessions and the maximum number of new connection attempts in a 1-minute interval.

If a DoS attack is geared at a specific host, you would see the following alert messages:

000022: Jan 02 15:42:11.048: %FW-4-HOST_TCP_ALERT_ON:Max tcp half open connections (50) exceeded for host 192.1.1.2

000023: Jan 02 15:42:11.361: %FW-4-BLOCK_HOST:Blocking new TCP connections to host 192.1.1.2 for 2 minutes (half-open count 50 exceeded)

000024: Jan 02 15:44:11.372:%FW-4-UNBLOCK_HOST:New TCP connections to host 192.1.1.2 no longer blocked

In this example, the first message indicates that the maximum number of half-open TCP connections destined to 192.1.1.2 was exceeded (the limit is 50). The second message indicates that the blocking interval was defined at 2 minutes, so subsequent TCP connection requests are denied. The third message indicates that the 2-minute blocking interval has expired and that new connection requests are allowed to 192.1.1.2.

Context-Based Access Control (CBAC)

CBAC is the heart of the IOS Firewall feature set. CBAC Intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to only allow traffic from the external network that was initiated from the internal network. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

What CBAC does NOT do?

CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protectednetwork.CBAC protects against certain attacks, but should not be considered a perfect, impenetrable defense. CBAC detects and prevents most of the popular attackson your network.

Its depends on the configuration that has been done on the device. I feel we cant end up saying this is a DOS attack.

Hope this is helpful.

0 Helpful

Go to solution
cwschow
Level 1
Level 1
In response to Pravin Phadte

‎06-03-2008 08:12 AM

Yes, this was very helpful.

I was able to run a "show IP inspect session" to see my half open connections. It didn't see anything out of the ordinary to be concerned about so I turned my inspect alerts off.

thanks for all your help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card