Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Alerts. What do these mean?

I'm getting the following alerts on my 2851 that are filling up my logs. Can anyone help me understand what they are and how I can correct this issue?

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Alerts. What do these mean?

Hi,

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

In this example, the first alert message displays the number of half-open sessions (501) and the current limit (500). In the last minute, 394 connection attempts were made. From CBAC's perspective, this is the beginning of a DoS attack. The second message, ALERT OFF, indicates that the number of connections, through both dropping and normal setup completion, has fallen below the minimum threshold (400). In this case, the value is 5, indicating that CBAC dropped some and that the rest were initiated normally.

The combination of both an ON and a OFF message indicates a separate attack. These messages are used for both the maximum number of half-open sessions and the maximum number of new connection attempts in a 1-minute interval.

If a DoS attack is geared at a specific host, you would see the following alert messages:

000022: Jan 02 15:42:11.048: %FW-4-HOST_TCP_ALERT_ON:Max tcp half open connections (50) exceeded for host 192.1.1.2

000023: Jan 02 15:42:11.361: %FW-4-BLOCK_HOST:Blocking new TCP connections to host 192.1.1.2 for 2 minutes (half-open count 50 exceeded)

000024: Jan 02 15:44:11.372:%FW-4-UNBLOCK_HOST:New TCP connections to host 192.1.1.2 no longer blocked

In this example, the first message indicates that the maximum number of half-open TCP connections destined to 192.1.1.2 was exceeded (the limit is 50). The second message indicates that the blocking interval was defined at 2 minutes, so subsequent TCP connection requests are denied. The third message indicates that the 2-minute blocking interval has expired and that new connection requests are allowed to 192.1.1.2.

Context-Based Access Control (CBAC)

CBAC is the heart of the IOS Firewall feature set. CBAC Intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to only allow traffic from the external network that was initiated from the internal network. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

What CBAC does NOT do?

CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protectednetwork.CBAC protects against certain attacks, but should not be considered a perfect, impenetrable defense. CBAC detects and prevents most of the popular attackson your network.

Its depends on the configuration that has been done on the device. I feel we cant end up saying this is a DOS attack.

Hope this is helpful.

5 REPLIES
Hall of Fame Super Blue

Re: Alerts. What do these mean?

They are possible signs of a denial of service attack. They are being generated by CBAC (IOS firewall) running on your router. See this link for more details:

http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/firewall.html#wp18517

Jon

New Member

Re: Alerts. What do these mean?

Thanks Jon. So if I am getting DOS attacks on my router, how can I determine who or which IP is sending the attacks and on which port? These alerts aren't very descriptive.

Chad

Hall of Fame Super Blue

Re: Alerts. What do these mean?

Chad

I agree not great in terms of IP address details. Bear in mind as well that the documentation is careful to say it may be a DOS attack as quite often this could be legitimate traffic.

You could log all access which would show you the IP addresses attempting to connect but that would really fill your logs up very quickly indeed. You could temporarily log all access if this is happening all the time and then you would at least see the source IP addresses although whether that would help is debatable.

Jon

Re: Alerts. What do these mean?

Hi,

%FW-4-ALERT_ON: getting aggressive, count (6/500) current 1-min rate: 501

%FW-4-ALERT_OFF: calming down, count (5/400) current 1-min rate: 394

In this example, the first alert message displays the number of half-open sessions (501) and the current limit (500). In the last minute, 394 connection attempts were made. From CBAC's perspective, this is the beginning of a DoS attack. The second message, ALERT OFF, indicates that the number of connections, through both dropping and normal setup completion, has fallen below the minimum threshold (400). In this case, the value is 5, indicating that CBAC dropped some and that the rest were initiated normally.

The combination of both an ON and a OFF message indicates a separate attack. These messages are used for both the maximum number of half-open sessions and the maximum number of new connection attempts in a 1-minute interval.

If a DoS attack is geared at a specific host, you would see the following alert messages:

000022: Jan 02 15:42:11.048: %FW-4-HOST_TCP_ALERT_ON:Max tcp half open connections (50) exceeded for host 192.1.1.2

000023: Jan 02 15:42:11.361: %FW-4-BLOCK_HOST:Blocking new TCP connections to host 192.1.1.2 for 2 minutes (half-open count 50 exceeded)

000024: Jan 02 15:44:11.372:%FW-4-UNBLOCK_HOST:New TCP connections to host 192.1.1.2 no longer blocked

In this example, the first message indicates that the maximum number of half-open TCP connections destined to 192.1.1.2 was exceeded (the limit is 50). The second message indicates that the blocking interval was defined at 2 minutes, so subsequent TCP connection requests are denied. The third message indicates that the 2-minute blocking interval has expired and that new connection requests are allowed to 192.1.1.2.

Context-Based Access Control (CBAC)

CBAC is the heart of the IOS Firewall feature set. CBAC Intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to only allow traffic from the external network that was initiated from the internal network. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

What CBAC does NOT do?

CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protectednetwork.CBAC protects against certain attacks, but should not be considered a perfect, impenetrable defense. CBAC detects and prevents most of the popular attackson your network.

Its depends on the configuration that has been done on the device. I feel we cant end up saying this is a DOS attack.

Hope this is helpful.

New Member

Re: Alerts. What do these mean?

Yes, this was very helpful.

I was able to run a "show IP inspect session" to see my half open connections. It didn't see anything out of the ordinary to be concerned about so I turned my inspect alerts off.

thanks for all your help!

1110
Views
0
Helpful
5
Replies