Friday, August 17, 2012

Denial of Service Tuning for Cisco IOS Software Firewall and IPS


Cisco IOS Stateful Packet Inspection provides protection from DoS attacks as a default when an inspection rule is applied. The DoS protection is enabled on the interface, in the direction in which the firewall is applied, for the protocols that the firewall policy is configured to inspect. DoS protection is only enabled on network traffic if the traffic enters or leaves an interface with inspection applied in the same direction of the traffic's initial movement. Cisco IOS Firewall inspection provides several adjustable values to protect against DoS attacks. These settings have default values that may interfere with proper network operation if they are not configured for the appropriate level of network activity in networks where connection rates will exceed the defaults:
ip inspect max-incomplete high value (default 500)
ip inspect max-incomplete low value (default 400)
ip inspect one-minute high value (default 500)
ip inspect one-minute low value (default 400)
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
These parameters allow you to configure the points at which your firewall router's DoS protection begins to take effect. When your router's DoS counters exceed the default or configured values, the router will reset one old half-open connection for every new connection that exceeds the configured max-incomplete or one-minute high values, until the number of half-open sessions drops below the max-incomplete low values. The router will send a syslog message if logging is enabled, and if an intrusion prevention system (IPS) is configured on the router, the firewall router will send a DoS signature message via Security Device Event Exchange (SDEE). If the DoS parameters are not adjusted to your network's normal behavior, normal network activity may trigger the DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.
While you cannot "disable" your firewall's DoS protection, you can adjust the DoS protection so that it will not take effect unless a very large number of half-open connections are present in your firewall router's Stateful Inspection session table.
Follow this procedure to tune your firewall's DoS protection to your network's activity:


Step 1. Be sure your network is not infected with viruses or worms that could lead to erroneously large half-open connection values and attempted connection rates. If your network is not "clean", there is no way to properly adjust your firewall's DoS protection.
Step 2. Set the max-incomplete high values to very high values:
ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0
This will prevent the router from providing DoS protection while you observe your network's connection patterns. If you wish to leave DoS protection disabled, stop following this procedure now.

Step 3. Clear the Cisco IOS Firewall statistics, using the following command:
show ip inspect statistics reset

Step 4. Leave the router configured in this state for some time, perhaps as long as 24 to 48 hours, so you can observe the network's pattern over a full day's activity cycle.

Note: While the values are adjusted to very high levels, your network will not benefit from Cisco IOS Firewall or IPS DoS protection.


Step 5. After the observation period, check the DoS counters with the following command. The parameters you must observe to tune your DoS protection (highlighted in bold in the original white paper) are the Maxever session counts:
router#show ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [528:22519]
udp packets: [318:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 766
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [48:12:5]
Last session created 00:12:21
Last statistic reset never
Last session creation rate 0
Last half-open session total 0

Step 6. Configure "ip inspect max-incomplete high" to a value 25-percent higher than your router's indicated maxever session count half-open value. A 1.25 multiplier offers 25-percent headroom above observed behavior.
For example:
Maxever session counts (estab/half-open/terminating) [920:460:331]
460 * 1.25 = 575
Thus, configure:
router(config)#ip inspect max-incomplete high 575

Step 7. Configure "ip inspect max-incomplete low" to the value your router displayed for its maxever session count half-open value.
For example:
Maxever session counts (estab/half-open/terminating) [920:460:331]
Thus, configure:
router(config)#ip inspect max-incomplete low 460

Step 8. The counter for "ip inspect one-minute high" and "one-minute low" maintains a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts during the preceding minute of the router's operation, whether the connections have been successful or not. A rising connection rate could be indicative of a worm infection on a private network, or an attempted DoS attack against a server.
Cisco IOS Software does not maintain a value of the maxever one-minute connection rate, so you must calculate the value you will apply based on observed maxever values. While the maximum indicated values for established, half-open, and terminating sessions are unlikely to occur in the same instant, the calculated values used for the one-minute settings have been observed to be reasonably accurate. To calculate the ip inspect one-minute low value, multiply the indicated "established" value by three.
For example:
Maxever session counts (estab/half-open/terminating) [920:460:331]
920 * 3 = 2760
Thus, configure:
ip inspect one-minute low 2760

Step 9. Calculate and configure "ip inspect one-minute high". The ip inspect one-minute high value should be 25-percent greater than the calculated one-minute low value.
For example:
ip inspect one-minute low (2760) * 1.25 = 3450
Thus, configure:
ip inspect one-minute high 3450

Step 10. You will need to define a value for "ip inspect tcp max-incomplete host" according to your understanding of your servers' capability.
Step 11. Monitor your network's DoS protection activity. Ideally, you should use a syslog server and record occurrences of DoS attack detection. If detection happens very frequently, you may need to monitor and adjust your DoS protection parameters.
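As an added worked example (not part of the original white paper or the blog post), the script below reads a captured "show ip inspect statistics" listing, pulls the Maxever session counts line, and applies the arithmetic of Steps 6 through 9 to emit the "ip inspect" lines to configure. The sample listing is constructed from the post's own example values; the function and variable names are this example's own.

```python
import re

# Constructed sample, modelled on the post's "show ip inspect statistics" output
# with the Maxever values from the post's worked example.
SAMPLE_OUTPUT = """\
router#show ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [528:22519]
udp packets: [318:0]
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [920:460:331]
Last session created 00:12:21
"""

# Accept both "count" and "counts", since the post prints the line both ways.
MAXEVER_RE = re.compile(
    r"Maxever session counts? \(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]"
)


def parse_maxever(output: str) -> tuple:
    """Return (estab, half_open, terminating) from the Maxever line."""
    m = MAXEVER_RE.search(output)
    if not m:
        raise ValueError("Maxever session counts line not found in output")
    return tuple(int(x) for x in m.groups())


def headroom(value: int) -> int:
    """value * 1.25, rounded up, in integer arithmetic (25-percent headroom)."""
    return (value * 5 + 3) // 4


def recommend(output: str) -> dict:
    """Apply Steps 6-9 of the tuning procedure to a captured listing."""
    estab, half_open, _terminating = parse_maxever(output)
    one_minute_low = estab * 3  # Step 8: established * 3
    return {
        "max-incomplete high": headroom(half_open),  # Step 6: half-open * 1.25
        "max-incomplete low": half_open,             # Step 7: half-open as observed
        "one-minute low": one_minute_low,
        "one-minute high": headroom(one_minute_low), # Step 9: one-minute low * 1.25
    }


def render_config(values: dict) -> list:
    """Produce the 'ip inspect ...' lines to enter in config mode."""
    return [f"ip inspect {name} {value}" for name, value in values.items()]


if __name__ == "__main__":
    print("\n".join(render_config(recommend(SAMPLE_OUTPUT))))
```

The "tcp max-incomplete host" value (Step 10) is deliberately not derived here, since the post ties it to server capability rather than to the counters.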

Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html