Cisco Support Community

ovt

CBAC: how to block infected host?

Hi!

Is it possible to block a host that is infected by a worm and generating lots of TCP SYNs using IOS Firewall and/or other IOS features?

An IPS appliance is not an option in our net. We have just an IOS router, nothing else.

Unfortunately,

ip inspect tcp max-incomplete host N block-time minutes

blocks the destination IP, not the source IP.

Is it possible to use IOS IPS and Sig 3050 with "deny-attacker-inline" to achieve our goal?

Any ideas?

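For reference, an added configuration example (not from the original poster or from Cisco's documentation) that puts the CBAC half-open limits the post refers to next to two things that do act on the source side: an MQC policer on SYN-only segments leaving the LAN, and a plain ACL deny once the offending host has been identified from the inspect session table. Interface names, the LAN subnet, the host address 192.168.1.77 and all thresholds and rates are assumptions chosen for illustration.

```text
! Added example, not from the original post. Interface name, addresses
! and thresholds are assumptions.
!
! 1) CBAC half-open limits. The per-host limit is keyed on the
!    destination address of the half-open sessions, so block-time stops
!    new connections TO the target, which is why it does not isolate the
!    infected source host.
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp max-incomplete host 50 block-time 2
ip inspect name FW tcp
ip inspect name FW udp
!
! 2) Rate-limit SYN-only segments leaving the LAN (ACL TCP flags
!    filtering, IOS 12.3(4)T and later). This does not single out one
!    source address, but it caps the scan traffic a worm can push
!    through the router while the host is tracked down.
ip access-list extended LAN-SYN-ONLY
 permit tcp 192.168.1.0 0.0.0.255 any match-all +syn -ack
!
class-map match-all CM-LAN-SYN
 match access-group name LAN-SYN-ONLY
!
policy-map PM-LIMIT-SYN
 class CM-LAN-SYN
  police 64000 8000 conform-action transmit exceed-action drop
!
! 3) Once the source is identified (show ip inspect sessions lists the
!    source and destination of every tracked session, so the address
!    with hundreds of half-open entries stands out), block it explicitly.
!    192.168.1.77 is an assumed example address.
ip access-list extended LAN-IN
 deny   ip host 192.168.1.77 any
 permit ip any any
!
interface FastEthernet0/0
 description LAN (assumed 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-IN in
 ip inspect FW in
 service-policy input PM-LIMIT-SYN
```

The ACL deny in step 3 is applied before inspection on the inbound LAN interface, so the blocked host never creates inspect sessions and cannot drive the destination-keyed block-time counters against other machines. The policer rate is deliberately low because legitimate hosts send few SYN-only segments per second; tune it against `show policy-map interface` counters before relying on it.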
2 REPLIES
ovt

Re: CBAC: how to block infected host?

The same is acceptable for IOS IPS? Not sure. Most of the IOS IPS functionality is not production-ready. Simply put, it doesn't work at all. You cannot even edit signature parameters in post-12.4(11)T (IPS5) releases, because SDM is broken. IOS IPS still lacks many important micro-engines. It is vulnerable to simple evasion attacks. And it doesn't work with IEV due to an unknown bug.

Did _you_ test Sig 3050 in IOS IPS?

In my understanding, the IOS Firewall CBAC code itself should have functionality to block a host initiating too many TCP sessions (or too many half-open TCP sessions). (BTW, Sig 3050 _is_ based on the CBAC code.) And I don't understand why this is not implemented by Cisco.
