Incomplete (half-open) connections mean that the
session has not completed the TCP three-way handshake; hence, the session is not established. Because UDP is
a connectionless protocol, there is no handshake mechanism; incomplete sessions (half-open) in UDP context
indicate that the firewall has detected no return traffic.
CBAC monitors the total number of half-open connections and the rate of session establishment attempts for
both TCP and UDP half-open connections. CBAC monitors these values several times per minute. Adjusting
threshold values for network connections helps prevent DoS attacks by controlling the number of half-open
sessions, thereby freeing up system resources occupied by half-open sessions.
Example 5-3 shows a CBAC session table with a few half-open (incomplete) TCP connections.
Example 5-3. Sample Half-Open Connections
Router# show ip inspect session
Half-open Sessions
Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
When the number of half-open connections exceeds the threshold configured with the ip inspect max-incomplete
high number or ip inspect one-minute high number command, CBAC deletes half-open sessions as
required to accommodate new incoming connections.
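As an added illustration (not from the book or from Cisco IOS itself), the following Python script parses show ip inspect session output in the format of Example 5-3, counts the SIS_OPENING entries per protocol and per destination host, and compares them against a max-incomplete high threshold and a per-destination limit, which is what an operator watching for half-open flooding would want to automate. The sample output, session IDs, addresses and threshold values are constructed.

```python
import re
from collections import Counter

# Constructed sample of "show ip inspect session" output in the layout shown
# in Example 5-3 (session ids and addresses are made up for this example).
SAMPLE_OUTPUT = """\
Established Sessions
 Session 63938A10 (10.1.1.5:40122)=>(20.1.1.2:80) tcp SIS_OPEN
Half-open Sessions
 Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
 Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
 Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
 Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
 Session 63976B00 (10.1.1.20:11014)=>(20.0.0.20:53) udp SIS_OPENING
"""

# One "Session <id> (src:port)=>(dst:port) <proto> <state>" line.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)"
)


def parse_sessions(text):
    """Return one dict per Session line found in the command output."""
    return [m.groupdict() for m in SESSION_RE.finditer(text)]


def half_open(sessions):
    """Half-open entries are those CBAC reports in state SIS_OPENING."""
    return [s for s in sessions if s["state"] == "SIS_OPENING"]


def evaluate(sessions, max_incomplete_high, per_host_limit):
    """Compare half-open counts with the configured thresholds.

    max_incomplete_high mirrors 'ip inspect max-incomplete high'; per_host_limit
    is an assumed per-destination limit in the spirit of the per-host TCP setting.
    Returns (total_half_open, per_protocol, per_destination, alerts).
    """
    ho = half_open(sessions)
    per_proto = Counter(s["proto"] for s in ho)
    per_dst = Counter(s["dst"] for s in ho)
    alerts = []
    if len(ho) > max_incomplete_high:
        alerts.append(f"total half-open {len(ho)} exceeds high threshold {max_incomplete_high}")
    for host, n in sorted(per_dst.items()):
        if n > per_host_limit:
            alerts.append(f"{host}: {n} half-open sessions exceeds per-host limit {per_host_limit}")
    return len(ho), per_proto, per_dst, alerts


if __name__ == "__main__":
    total, per_proto, per_dst, alerts = evaluate(parse_sessions(SAMPLE_OUTPUT), 3, 2)
    print(f"half-open: {total} {dict(per_proto)} by destination: {dict(per_dst)}")
    print("\n".join(alerts) or "within thresholds")
```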