Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 467
Chapter 33
Configuring Denial of Service Protection
Both factors are configured with low and high values. If the number of incomplete connections exceeds 1,100, or the number of connections arriving in the last one-minute period exceeds 1,100, each new arriving connection causes the oldest partial connection (or a random connection) to be deleted. These are the default values, which can be altered. When either of the thresholds is exceeded, the TCP intercept assumes the server is under attack and goes into aggressive mode with the following reactions:

• Each new arriving connection causes the oldest partial (or random partial) to be deleted.
• The initial retransmission timeout is reduced by half to 0.5 seconds, and so the total time trying to establish the connection is cut in half.
• In watch mode, the watch timeout is reduced by half.

When both thresholds fall below the configured low value, the aggressive behavior ceases (default value is 900 in both factors).

Note: TCP flows are hardware assisted on the PFC3B.

ARP Policing

During an attack, malicious users may try to overwhelm the PISA CPU with control packets such as routing protocol or ARP packets. These special control packets can be hardware rate limited using a specific routing protocol and an ARP policing mechanism configurable with the mls qos protocol command. The routing protocols supported include RIP, BGP, LDP, OSPF, IS-IS, IGRP, and EIGRP. For example, the command mls qos protocol arp police 32000 rate limits ARP packets in hardware at 32,000 bps. Although this policing mechanism effectively protects the PISA CPU against attacks such as line-rate ARP attacks, it not only polices routing protocol and ARP packets sent to the switch but also polices traffic through the box, with less granularity than CoPP.

The policing mechanism shares the root configuration with a policing-avoidance mechanism. The policing-avoidance mechanism lets the routing protocol and ARP packets flow through the network when they reach a QoS policer. This mechanism can be configured using the mls qos protocol protocol pass-through command.

This example shows how to display the available protocols to use with ARP policing:

Router(config)# mls qos protocol ?
  isis
  eigrp
  ldp
  ospf
  rip
  bgp
  ospfv3
  bgpv2
  ripng
  neigh-discover
  wlccp
  arp

This example shows how to display the available keywords to use with the mls qos protocol arp command:

Router(config)# mls qos protocol arp ?
  pass-through  pass-through keyword
  police        police keyword
  precedence    change ip-precedence(used to map the dscp to cos value)

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
Understanding How DoS Protection Works
OL-11439-03
33-5
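To make the two-factor hysteresis concrete, here is an added Python model of the TCP intercept thresholds described above (an illustration written for this page, not Cisco's code): it tracks half-open connections and one-minute arrivals, enters aggressive mode when either count exceeds the high value (1,100), drops the oldest partial connection per new arrival while aggressive, halves the retransmission and watch timeouts, and leaves aggressive mode only when both counts fall below the low value (900). The class and method names are assumptions.

```python
from collections import OrderedDict, deque
import random


class TcpIntercept:
    """Simplified model of TCP intercept's two-factor thresholds (constructed
    illustration; not Cisco's implementation)."""

    def __init__(self, high=1100, low=900, rto=1.0, watch_timeout=30.0,
                 delete_random=False):
        self.high, self.low = high, low            # same limits for both factors
        self.base_rto, self.base_watch = rto, watch_timeout
        self.delete_random = delete_random         # oldest (default) or random victim
        self.partial = OrderedDict()               # half-open connections, oldest first
        self.arrivals = deque()                    # arrival times within the last minute
        self.aggressive = False

    def _prune(self, now):
        # Drop arrivals older than one minute so len(self.arrivals) is the per-minute count.
        while self.arrivals and now - self.arrivals[0] >= 60.0:
            self.arrivals.popleft()

    def rto(self):
        # Initial retransmission timeout is halved (1.0 -> 0.5 s) in aggressive mode.
        return self.base_rto / 2 if self.aggressive else self.base_rto

    def watch_timeout(self):
        # In watch mode the watch timeout is halved as well.
        return self.base_watch / 2 if self.aggressive else self.base_watch

    def new_syn(self, conn_id, now):
        """Register a new incoming SYN at time `now` and update the mode."""
        self._prune(now)
        self.arrivals.append(now)
        incomplete, per_minute = len(self.partial), len(self.arrivals)
        if incomplete > self.high or per_minute > self.high:
            self.aggressive = True                 # either factor above high -> aggressive
        elif incomplete < self.low and per_minute < self.low:
            self.aggressive = False                # both factors below low -> normal
        if self.aggressive and self.partial:
            victim = (random.choice(list(self.partial)) if self.delete_random
                      else next(iter(self.partial)))
            del self.partial[victim]               # make room by dropping a partial
        self.partial[conn_id] = now

    def complete(self, conn_id):
        """Three-way handshake finished: the connection is no longer partial."""
        self.partial.pop(conn_id, None)
```

Feeding it 1,101 SYNs in one minute with no completions flips it into aggressive mode; it only returns to normal once completions bring the half-open count under 900 and the one-minute window has drained.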