Monitoring SYN Attacks Using TCP Intercept - Cisco Catalyst 6500 Series Configuration Manual

Chapter 5
Managing Security Contexts
Monitoring Security Contexts

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 5-29

The summary option shows the totals for all contexts together; in this display the Denied column shows the number of items that were denied because a context reached its own limit. The system option shows the counts for the entire system; here the Limit and Denied columns refer to the system limit, so the Denied column shows a number only if the system limit was reached, not if one or more context limits were reached.
For the resource names you can specify, see Table 5-1 on page 5-15.
The detail keyword shows the resources you can limit in a class, plus other system resources for which you cannot configure limits.
The counter counter_name is one of the following keywords:
current—Shows the active concurrent instances or the current rate of the resource.
peak—Shows the peak concurrent instances, or the peak rate of the resource, since the statistics were last cleared, either with the clear resource usage command or because the device rebooted.
denied—Shows the number of denied uses of the resource since the resource statistics were last cleared.
all—(Default) Shows all statistics.
The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage.
Note To show all resources, set the count_threshold to 0.
The following sample display shows the resource usage for all contexts and all resources.
FWSM# show resource usage summary
Resource              Current   Peak      Limit       Denied  Context
Syslogs [rate]        1743      2132      12000(U)    0       Summary
Conns                 584       763       100000(S)   0       Summary
Xlates                8526      8966      93400       0       Summary
Hosts                 254       254       262144      0       Summary
Conns [rate]          270       535       42200       1704    Summary
Fixups [rate]         270       535       100000(S)   0       Summary
U = Some contexts are unlimited and are not included in the total.
S = All contexts are unlimited; system limit is shown.
Note that in this summary the Conns [rate] row reports 1704 denials even though its aggregate peak (535) is far below the limit (42200): the denials happened at an individual context's limit, which is what the summary Denied column counts, so the per-context display is where to look next.

Monitoring SYN Attacks using TCP Intercept

TCP intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets, usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server's SYN queue full, which prevents it from servicing legitimate connection requests. When the embryonic connection threshold of a connection is crossed, the FWSM acts as a proxy for the server and generates a SYN-ACK response to the client's SYN request. Because a SYN cookie encodes the connection details in the sequence number of that SYN-ACK, the FWSM keeps no per-connection state for requests that are never completed. When the FWSM receives an ACK back from the client, it validates the cookie carried in the ACK, which proves that the client can receive packets at the source address it used (exactly what a spoofed SYN cannot do), and only then allows the connection to the server. This check authenticates the source address, not the identity of the client. SYNs that arrive while the embryonic count is still below the threshold are passed through and do occupy the server's queue, so the threshold has to be set below what the server can absorb.
You can monitor the rate of attacks for individual contexts using the show perfmon command. You can monitor the amount of resources being used by TCP intercept for individual contexts using the show resource usage detail command, and for the entire system using the show resource usage summary detail command. Watch the per-context figures as well as the summary: as the sample display above shows, a context can be denied at its own limit while the summary totals look healthy.
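The threshold and cookie behaviour described in the section above, as an added model written for this page; it is not code from the Cisco guide and does not claim to reproduce how the FWSM implements TCP intercept internally. The cookie layout (a 5-bit time slot plus a 27-bit HMAC-SHA256 of the 4-tuple and slot), the secret, the class and function names, and the TEST-NET addresses in the scenario are all assumptions made for the example.

```python
"""Model of a SYN-cookie TCP intercept proxy with an embryonic connection threshold (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed key for the cookie hash; a real device would rotate it.
SECRET = b"fwsm-demo-secret"
SLOT_BITS = 5                         # time slot lives in the top 5 bits of the ISN
SLOT_MASK = (1 << SLOT_BITS) - 1
HASH_BITS = 32 - SLOT_BITS            # keyed hash fills the remaining 27 bits
HASH_MASK = (1 << HASH_BITS) - 1
SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def syn_cookie(flow: Flow, slot: int, secret: bytes = SECRET) -> int:
    """ISN for the proxied SYN-ACK: <5-bit time slot><27-bit keyed hash of the 4-tuple and slot>."""
    slot &= SLOT_MASK
    msg = f"{flow.src}:{flow.sport}>{flow.dst}:{flow.dport}|{slot}".encode()
    h = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big") & HASH_MASK
    return (slot << HASH_BITS) | h


def cookie_is_valid(flow: Flow, ack: int, now: int, secret: bytes = SECRET) -> bool:
    """True if ack-1 is a cookie minted for this 4-tuple in the current or previous slot."""
    isn = (ack - 1) & SEQ_MASK
    slot = isn >> HASH_BITS
    if slot not in (now & SLOT_MASK, (now - 1) & SLOT_MASK):
        return False                  # too old (or never ours): stale cookies are rejected
    expected = syn_cookie(flow, slot, secret)
    return hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big"))


@dataclass
class TcpIntercept:
    """Firewall in front of one server: pass SYNs through until the threshold, then proxy."""
    emb_limit: int                                   # embryonic connection threshold
    clock: int = 0                                   # coarse time slot, e.g. minutes
    half_open: set = field(default_factory=set)      # flows the server is holding state for
    stats: dict = field(default_factory=lambda: dict(
        forwarded_syn=0, proxied_syn=0, established=0, rejected_ack=0))

    def on_syn(self, flow: Flow):
        """Return ('forward', None) below the threshold, ('syn-ack', isn) once it is crossed."""
        if len(self.half_open) < self.emb_limit:
            self.half_open.add(flow)                 # server now holds an embryonic entry
            self.stats["forwarded_syn"] += 1
            return "forward", None
        self.stats["proxied_syn"] += 1               # answer for the server and store nothing
        return "syn-ack", syn_cookie(flow, self.clock)

    def on_ack(self, flow: Flow, ack: int) -> bool:
        if flow in self.half_open:                   # completes a handshake the server answered
            self.half_open.discard(flow)
            self.stats["established"] += 1
            return True
        if cookie_is_valid(flow, ack, self.clock):   # client proved its source address is reachable
            self.stats["established"] += 1           # only now is the server-side connection opened
            return True
        self.stats["rejected_ack"] += 1
        return False


def run_demo(emb_limit: int = 10, flood_size: int = 500) -> dict:
    """Constructed scenario: a spoofed flood, one real client, one guessed ACK, one stale ACK."""
    fw = TcpIntercept(emb_limit=emb_limit, clock=7)
    server = ("192.0.2.10", 80)
    for i in range(flood_size):                      # spoofed sources never send the final ACK
        fw.on_syn(Flow(f"203.0.113.{i % 254 + 1}", 1024 + i, *server))
    client = Flow("198.51.100.5", 40000, *server)
    action, isn = fw.on_syn(client)
    legit = action == "syn-ack" and fw.on_ack(client, (isn + 1) & SEQ_MASK)
    bogus = fw.on_ack(Flow("203.0.113.77", 5555, *server), 0xDEADBEEF)
    late = Flow("198.51.100.9", 40001, *server)
    _, late_isn = fw.on_syn(late)
    fw.clock += 2                                    # a cookie from two slots ago is stale
    stale = fw.on_ack(late, (late_isn + 1) & SEQ_MASK)
    return dict(server_half_open=len(fw.half_open), legit_established=legit,
                bogus_accepted=bogus, stale_accepted=stale, **fw.stats)


if __name__ == "__main__":
    print(run_demo())
```

With the default scenario the server is left holding exactly emb_limit half-open entries from the start of the flood, every later SYN is answered with a cookie and no state, the real client is admitted, and both the guessed ACK and the stale one are dropped. The model stops at the admission decision; a real SYN-proxying device then completes its own handshake with the server and translates sequence numbers between the two halves, which the page does not cover.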

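The monitoring commands in the section above produce tables like the show resource usage summary display reproduced earlier on this page. The following parser is an added example, not code from the Cisco guide: it reads that display (embedded here as the test input), and flags two things an operator cares about, a non-zero Denied count (which in the summary view means a context hit its own limit, so show resource usage detail is the next step) and a peak near the limit. The warn_ratio value, the finding names, and the function names are assumptions made for the example.

```python
"""Parse 'show resource usage summary' output and flag rows worth investigating (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The sample display from this page, used here as the input.
SAMPLE_OUTPUT = """\
Resource              Current   Peak      Limit       Denied  Context
Syslogs [rate]        1743      2132      12000(U)    0       Summary
Conns                 584       763       100000(S)   0       Summary
Xlates                8526      8966      93400       0       Summary
Hosts                 254       254       262144      0       Summary
Conns [rate]          270       535       42200       1704    Summary
Fixups [rate]         270       535       100000(S)   0       Summary
U = Some contexts are unlimited and are not included in the total.
S = All contexts are unlimited; system limit is shown.
"""

# One data row; the header and legend lines do not match because their second
# column is not numeric.
ROW_RE = re.compile(
    r"^(?P<resource>[A-Za-z]+(?: \[rate\])?)\s+"
    r"(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+)(?:\((?P<flag>[US])\))?\s+"
    r"(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)


@dataclass
class ResourceRow:
    resource: str
    current: int
    peak: int
    limit: int
    flag: Optional[str]      # 'U' or 'S' from the legend, None when absent
    denied: int
    context: str


def parse_resource_usage(text: str) -> List[ResourceRow]:
    """Return the data rows of a show resource usage display, in order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(ResourceRow(m["resource"], int(m["current"]), int(m["peak"]),
                                    int(m["limit"]), m["flag"], int(m["denied"]), m["context"]))
    return rows


def find_problems(rows: List[ResourceRow], warn_ratio: float = 0.8) -> List[Tuple[str, str, float]]:
    """Flag denied resources and resources whose peak is at or above warn_ratio of the limit."""
    problems = []
    for r in rows:
        if r.denied > 0:
            # In the summary display Denied totals per-context-limit denials, so a non-zero
            # value next to an aggregate peak well under the limit means one context hit
            # its own class limit; the per-context detail display shows which.
            problems.append((r.resource, "denied", r.denied))
        if r.limit > 0 and r.peak / r.limit >= warn_ratio:
            # With a (U) limit the total excludes unlimited contexts, so this ratio is a
            # floor on the real load, not a measurement of it.
            problems.append((r.resource, "near_limit", round(r.peak / r.limit, 3)))
    return problems


if __name__ == "__main__":
    for resource, kind, value in find_problems(parse_resource_usage(SAMPLE_OUTPUT)):
        print(f"{resource}: {kind} = {value}")
```

On the page's sample the only finding is Conns [rate] with 1704 denials; nothing is near its limit, so the next command to run is show resource usage detail for each context to locate the one being denied. The same regex accepts per-context rows, whose last column carries the context name instead of Summary.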