TCP Intercept causing high CPU utilization

b.carbery Sun, 03/21/2004 - 17:58

You could try one of the other firewall features e.g. IDS or CBAC. IDS is really the ideal one for this situation but much more complicated to implement than TCP Intercept.

revangelista Mon, 03/22/2004 - 13:32

Yes, IDS is usually intended to 'sniff' malicious traffic and 'normally' does not have the capacity to 'stop' the activity. However, there are Cisco devices that are capable of dynamically applying a 'shun' of the offending IP addresses when triggered by an IDS event.

You really should be upgrading your router to more robust and capable hardware; however, the CPU issue will not necessarily go away. It is a router and not a firewall. A dedicated firewall will handle these attacks more reliably and with greater precision.

There is a feature called 'embryonic limit' in a PIX firewall that works very well for these types of attack. Other security vendors offer similar 'SYN Blocking' features, so look around.
