cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html#wp4154.
Per-Host DoS Prevention
CBAC provides a more aggressive TCP-based host-specific DoS prevention. CBAC monitors the total number of
half-open connections initiated to the same destination host address. When the number of incomplete (half-open)
TCP connections exceeds the configured threshold, CBAC blocks all subsequent connections to the host
for the specified block-time, thereby preventing the flood. To configure per-host CBAC monitoring, use the ip
inspect tcp max-incomplete host command. Refer to Table 5-1 for more details on this command.
Example 5-4 shows how to set the max-incomplete host threshold to 100 half-open sessions, with a block-time
of 5 minutes.
Example 5-4. Per-Host CBAC Monitoring for DoS Prevention
Router(config)# ip inspect tcp max-incomplete host 100 block-time 5
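The following is an added illustration, not Cisco IOS code or anything from the book: a small Python model of the per-host half-open counting that the command above configures. It tracks embryonic TCP sessions per destination host, and once their number exceeds max-incomplete host it refuses new connection requests to that host until block-time expires. The traffic in run_demo is constructed, and the choice to discard the existing half-open entries when the block starts is an assumption of the model rather than something the text specifies.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Added example (not Cisco IOS code): a minimal model of CBAC's per-host
# half-open TCP session counting, using the parameters of
#   ip inspect tcp max-incomplete host <number> block-time <minutes>
# Timestamps are in seconds; block-time is converted from minutes.


@dataclass
class PerHostLimiter:
    max_incomplete: int = 100      # half-open sessions tolerated per destination host
    block_time_min: int = 5        # minutes to block new requests once the threshold is exceeded
    # destination host -> set of (client ip, client port, server port) half-open sessions
    half_open: dict = field(default_factory=lambda: defaultdict(set))
    blocked_until: dict = field(default_factory=dict)   # destination host -> unblock time (s)
    log: list = field(default_factory=list)

    def on_syn(self, now, src, sport, dst, dport):
        """A new TCP connection request toward dst. Returns True if it is permitted."""
        until = self.blocked_until.get(dst)
        if until is not None:
            if now < until:
                return False              # host still blocked: drop the request
            del self.blocked_until[dst]   # block-time has expired
        self.half_open[dst].add((src, sport, dport))
        if len(self.half_open[dst]) > self.max_incomplete:
            # Threshold exceeded: block all new requests to this host for block-time.
            # Assumption of this model: the existing half-open entries are discarded too.
            self.blocked_until[dst] = now + self.block_time_min * 60
            self.half_open[dst].clear()
            self.log.append(f"t={now}: half-open threshold exceeded for {dst}, "
                            f"blocking new connections for {self.block_time_min} min")
            return False
        return True

    def on_established(self, src, sport, dst, dport):
        """Three-way handshake completed: the session is no longer half-open."""
        self.half_open[dst].discard((src, sport, dport))

    def on_timeout(self, src, sport, dst, dport):
        """Half-open session aged out without completing the handshake."""
        self.half_open[dst].discard((src, sport, dport))


def run_demo(max_incomplete=3):
    """Constructed traffic: one legitimate handshake toward 192.0.2.10, then
    more incomplete requests than the threshold allows. Returns the
    permit/deny decision for every SYN plus the limiter's log lines."""
    lim = PerHostLimiter(max_incomplete=max_incomplete, block_time_min=5)
    decisions = []
    # legitimate client completes its handshake, freeing its half-open slot
    decisions.append(lim.on_syn(0, "198.51.100.5", 40000, "192.0.2.10", 80))
    lim.on_established("198.51.100.5", 40000, "192.0.2.10", 80)
    # sources that never complete the handshake: one more than the threshold
    for i in range(1, max_incomplete + 2):
        decisions.append(lim.on_syn(1, f"203.0.113.{i}", 50000 + i, "192.0.2.10", 80))
    # during block-time every new request to the host is dropped, legitimate or not
    decisions.append(lim.on_syn(30, "198.51.100.5", 40001, "192.0.2.10", 80))
    # once block-time (5 min = 300 s) has elapsed, requests are accepted again
    decisions.append(lim.on_syn(1 + 300, "198.51.100.5", 40002, "192.0.2.10", 80))
    return decisions, lim.log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    print("\n".join(log))
```

The point to notice is that the block is keyed on the destination host, not on the offending source: during block-time the legitimate client at 198.51.100.5 is refused as well, which is why the threshold and block-time need to be sized for the server's normal connection rate.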
CBAC-Supported Protocols
CBAC can be enabled to inspect all TCP and UDP sessions, regardless of the application-layer protocol. This
method is called single-channel, or generic, TCP/UDP inspection. For TCP/UDP generic inspection to work, the
return traffic must have the same source/destination IP address and port numbers. It must also be within the
sequence number window.
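As an added example that is not part of the book or of IOS, the following Python model shows what generic TCP/UDP inspection has to check on return traffic: the inbound packet's addresses and ports must mirror a session created by outbound traffic, and for TCP its sequence number must fall inside the window the inspector expects. The packets in run_demo are constructed; the window handling (learning the server's initial sequence number from the first reply and advancing the expectation past accepted data) is a simplification assumed for the model, not a description of the router's internals.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not Cisco IOS code): a model of single-channel (generic)
# TCP/UDP inspection. Outbound packets create a session keyed by the
# 5-tuple; inbound packets are admitted only as return traffic of a known
# session, and TCP return segments must also be within the sequence window.

MOD = 2 ** 32


def in_window(seq, expected, window):
    """True if seq lies in [expected, expected + window), with 32-bit wraparound."""
    return (seq - expected) % MOD < window


@dataclass
class TcpState:
    client_next: int              # next sequence number expected from the inside host
    server_next: Optional[int]    # learned from the SYN/ACK; None until the first reply
    window: int                   # receive window the inside host advertised


class GenericInspector:
    def __init__(self):
        # (proto, src, sport, dst, dport) -> TcpState, or None for a UDP session
        self.sessions = {}

    def outbound(self, proto, src, sport, dst, dport, seq=0, window=65535):
        """Packet leaving the protected network: create the session entry."""
        key = (proto, src, sport, dst, dport)
        if proto == "udp":
            self.sessions[key] = None
        elif key not in self.sessions:
            # SYN: the next byte the inside host sends carries ISN + 1
            self.sessions[key] = TcpState((seq + 1) % MOD, None, window)
        return True

    def inbound(self, proto, src, sport, dst, dport, seq=0, length=0):
        """Packet arriving from outside. Returns (permitted, reason)."""
        key = (proto, dst, dport, src, sport)    # mirror of the outbound tuple
        if key not in self.sessions:
            return False, "no session for the reversed address/port tuple"
        state = self.sessions[key]
        if proto == "udp":
            return True, "udp return traffic matches an open session"
        if state.server_next is None:
            # first reply (SYN/ACK) tells us the server's initial sequence number
            state.server_next = (seq + 1) % MOD
            return True, "syn/ack accepted, server ISN learned"
        if not in_window(seq, state.server_next, state.window):
            return False, f"seq {seq} outside window starting at {state.server_next}"
        end = (seq + length) % MOD
        if (end - state.server_next) % MOD <= state.window:
            state.server_next = end     # advance the expectation past accepted data
        return True, "in-window return segment"


def run_demo():
    """Constructed packets against one TCP and one UDP session from inside host
    10.1.1.5. Returns the permit/deny decision for each inbound packet."""
    insp = GenericInspector()
    results = []
    # inside host opens TCP to 192.0.2.10:443 with ISN 1000 and an 8192-byte window
    insp.outbound("tcp", "10.1.1.5", 51000, "192.0.2.10", 443, seq=1000, window=8192)
    # SYN/ACK from the server (ISN 5000) on the mirrored tuple: accepted
    results.append(insp.inbound("tcp", "192.0.2.10", 443, "10.1.1.5", 51000, seq=5000)[0])
    # in-window data segment of 100 bytes: accepted
    results.append(insp.inbound("tcp", "192.0.2.10", 443, "10.1.1.5", 51000, seq=5001, length=100)[0])
    # same hosts but a different server port: no session, dropped
    results.append(insp.inbound("tcp", "192.0.2.10", 444, "10.1.1.5", 51000, seq=5101)[0])
    # correct tuple but a sequence number far outside the window: dropped
    results.append(insp.inbound("tcp", "192.0.2.10", 443, "10.1.1.5", 51000, seq=900000)[0])
    # unsolicited inbound connection attempt to the inside host: dropped
    results.append(insp.inbound("tcp", "203.0.113.9", 40000, "10.1.1.5", 22, seq=1)[0])
    # UDP: DNS query out, reply back on the mirrored tuple: accepted
    insp.outbound("udp", "10.1.1.5", 53000, "192.0.2.53", 53)
    results.append(insp.inbound("udp", "192.0.2.53", 53, "10.1.1.5", 53000)[0])
    return results


if __name__ == "__main__":
    print(run_demo())
```

The UDP case shows why this inspection is called generic: with no handshake or sequence numbers, the only evidence that an inbound datagram is return traffic is the mirrored address/port tuple, so the session entry's idle timeout is all that eventually closes the hole.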