Thursday, February 11, 2010

DoS protection with ZFW

When your router's DoS counters exceed the default or configured values, the router will reset one old half-open connection for every new connection that exceeds the configured max-incomplete or one-minute high values, until the number of half-open sessions drops below the max-incomplete low values. The router will send a syslog message if logging is enabled, and if an intrusion prevention system (IPS) is configured on the router, the firewall router will send a DoS signature message via Security Device Event Exchange (SDEE). If the DoS parameters are not adjusted to your network's normal behavior, normal network activity may trigger the DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.

 Zone-Policy Firewall provides protection from DoS attack by default when a Zone-Policy Firewall is applied. The DoS protection is enabled on the zone-pair, in the direction in which the firewall is applied, for each class-map that the firewall policy is configured to inspect. DoS protection is only applied to network traffic if the inspect action is applied to traffic matching the class-map. Zone-Policy Firewall provides several adjustable values to protect against DoS attacks.


While you cannot "disable" your firewall's DoS protection, you can adjust the DoS protection so that it will not take effect unless a very large number of half-open connections are present in your firewall router's session table.
Follow this procedure to tune your firewall's DoS protection to your network's activity:
1. Be sure your network is not infected with viruses or worms that could lead to erroneously large half-open connection values and attempted connection rates. If your network is not a "clean slate," there is no way to properly adjust your firewall's DoS protection.
2. Define a parameter-map and set the max-incomplete high values to very high values:
parameter-map type inspect DoS-param-map
 max-incomplete high 20000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0
Apply the parameter-map to every class-map's inspection action:
policy-map type inspect z1-z2-pmap
 class type inspect my-cmap
 inspect DoS-param-map
Note: If your router is running Cisco IOS Software Release 12.4(11)T, you do not need to raise the default DoS Protection values, because they are already set to their maximum limits.
This will prevent the router from providing DoS protection for the time being while you observe your network's connection patterns. If you wish to leave DoS protection disabled, stop following this procedure now.
3. Clear the Cisco IOS Firewall statistics, using the following command:
clear zone-pair counter
4. Leave the router configured in this state for some time, perhaps as long as 24 to 48 hours, so you can observe the network's pattern over a full day's activity cycle. While the values are adjusted to very high levels, your network will not benefit from Cisco IOS Firewall or IPS DoS protection.
5. After waiting for some observation period, check the DoS counters with the following command. The values you must read to tune your DoS protection are the half-open field of "Maxever session counts" and the "Maxever session creation rate" (both shown in the Inspect section of the output below):
router#sh policy-map type inspect zone-pair priv-pub
 Zone-pair: priv-pub
Service-policy inspect : priv-pub-pol
 Class-map: priv-pub-cmap (match-all)
Match: access-group 111
Match: class-map match-any all-proto-cmap
 Match: protocol tcp
 24009 packets, 671569 bytes
 30 second rate 0 bps
 Match: protocol udp
 42403 packets, 3244932 bytes
 30 second rate 0 bps
 Match: protocol icmp
 6 packets, 240 bytes
 30 second rate 0 bps
 Inspect
 Packet inspection statistics [process switch:fast switch]
 tcp packets: [14239:726275]
 udp packets: [43748:1572372]
 icmp packets: [2:19]
 Session creations since subsystem startup or last reset 46282
 Current session counts (estab/half-open/terminating) [45:22:10]
 Maxever session counts (estab/half-open/terminating) [92:46:33]
Last session created 00:00:45
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 270
Last half-open session total 0
 Class-map: class-default (match-any)
Match: any 
 Drop (default action)
80254 packets, 8678464 bytes
Note: If the software image installed in your router is not Cisco IOS Software Release 12.4(11)T or newer, you will not see the "maxever session creation rate" statistic in your "sh policy-map type inspect zone-pair" output.
6. Configure the parameter-map's "max-incomplete high" to a value 25 percent higher than your router's indicated maxever session count half-open value. A 1.25 multiplier offers 25 percent headroom above observed behavior.
For example:
Maxever session count (estab/half-open/terminating) [92:46:33]
46 * 1.25 = 57.5, rounded up to 58, thus, configure:
parameter-map type inspect DoS-param-map
 max-incomplete high 58
7. Configure "max-incomplete low" to the value your router displayed for its maxever session count half-open value.
For example:
Maxever session counts (estab/half-open/terminating) [92:46:33]
Thus, configure:
parameter-map type inspect DoS-param-map
 max-incomplete low 46
8. Cisco IOS Software Release 12.4(11)T introduced a new counter to track the maximum one-minute rate the router has reached since the last restart or statistic reset. If you have Cisco IOS Software Release 12.4(11)T or a newer software version, you may simply apply the "maxever session creation rate" value for the "one-minute low" value in your parameter map.
For example:
Maxever session creation rate 270
Thus, configure:
parameter-map type inspect DoS-param-map
 one-minute low 270
9. Configure the parameter-map's "one-minute high" to a value 25 percent higher than your router's indicated maxever session creation rate value. A 1.25 multiplier offers 25 percent headroom above observed behavior.
For example:
Maxever session creation rate 270
270 * 1.25 = 337.5, rounded up to 338, thus, configure:
parameter-map type inspect DoS-param-map
 one-minute high 338
12. You will need to define a value for the parameter-map's "tcp max-incomplete host" (the Zone-Policy equivalent of the classic "ip inspect tcp max-incomplete host" command) according to your understanding of your servers' capability; this value cannot be derived from the counters above.
13. Repeat this procedure for every inspect-type class-map contained within a policy-map that has unique DoS protection requirements. As mentioned in Step 2 of this procedure, you may define one parameter-map with very high DoS values for class-maps that do not need DoS protection, and use different parameter-maps for specific class-maps that need their own levels of DoS protection. If DoS protection is not required for the traffic matched by a given class-map, configure high limits for the DoS protection values and apply them to every relevant class-map's inspect action. If your router is loaded with Cisco IOS Software Release 12.4(11)T or later, the DoS protection is already effectively disabled through the default high DoS protection values.
14. Monitor your network's DoS protection activity. Ideally, you should use a syslog server and record occurrences of DoS attack detection. If detection happens very frequently, you may need to monitor and adjust your DoS protection parameters again.
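The arithmetic in Steps 6 through 9 is easy to get wrong when you repeat it for many class-maps, so here is an added helper script (not part of the original post or of Cisco IOS) that reads the two "Maxever" counters from a constructed excerpt of the "show policy-map type inspect zone-pair" output, applies the 1.25 headroom rule with rounding up, and prints the resulting parameter-map. The script omits "tcp max-incomplete host", which Step 12 says must come from your knowledge of your servers, and it tolerates images older than 12.4(11)T that do not print the session creation rate.

```python
import math
import re

# Constructed excerpt of "show policy-map type inspect zone-pair" output;
# the counter lines mirror the ones the procedure tells you to read.
SAMPLE_SHOW_OUTPUT = """\
Zone-pair: priv-pub
 Service-policy inspect : priv-pub-pol
  Class-map: priv-pub-cmap (match-all)
   Inspect
    Current session counts (estab/half-open/terminating) [45:22:10]
    Maxever session counts (estab/half-open/terminating) [92:46:33]
    Last session creation rate 1
    Maxever session creation rate 270
"""

HEADROOM = 1.25  # 25 percent above observed behavior, as in Steps 6 and 9

MAXEVER_COUNTS = re.compile(r"Maxever session counts.*\[(\d+):(\d+):(\d+)\]")
MAXEVER_RATE = re.compile(r"Maxever session creation rate\s+(\d+)")


def parse_maxever(show_output):
    """Return (maxever_half_open, maxever_rate) read from the show output.

    maxever_rate is None on images older than 12.4(11)T, which do not
    print the 'Maxever session creation rate' line.
    """
    counts = MAXEVER_COUNTS.search(show_output)
    if counts is None:
        raise ValueError("no 'Maxever session counts' line found")
    half_open = int(counts.group(2))  # middle field is half-open
    rate = MAXEVER_RATE.search(show_output)
    return half_open, (int(rate.group(1)) if rate else None)


def tune_dos_params(half_open, rate):
    """Derive the parameter-map values per Steps 6 to 9; headroom rounds up."""
    params = {
        "max-incomplete low": half_open,
        "max-incomplete high": math.ceil(half_open * HEADROOM),
    }
    if rate is not None:
        params["one-minute low"] = rate
        params["one-minute high"] = math.ceil(rate * HEADROOM)
    return params


def render_parameter_map(name, params):
    """Render the parameter-map in IOS CLI form (one command per line)."""
    lines = [f"parameter-map type inspect {name}"]
    lines += [f" {key} {value}" for key, value in params.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    ho, rt = parse_maxever(SAMPLE_SHOW_OUTPUT)
    print(render_parameter_map("DoS-param-map", tune_dos_params(ho, rt)))
```

Paste the real "show" output in place of the constructed sample; with the sample values the script prints max-incomplete low 46, max-incomplete high 58, one-minute low 270 and one-minute high 338, matching the figures worked out in the steps above.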
