Tuesday, September 25, 2007

Detecting and Protecting Against DoS Attacks

SYN flood DoS attack
A SYN flood occurs when several hundred or several thousand TCP SYN segments are sent to a server but the senders never complete the TCP handshake. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests.


Half-open Sessions
A half-open session is a session that is open in only one direction. For TCP traffic, this means the session did not complete the three-way handshake. For UDP traffic, it means that no return traffic was detected.
CBAC (Context-Based Access Control) measures both the rate of new connection attempts and the number of active half-open sessions several times per minute. If either the number of half-open sessions or the rate of new connection attempts rises above its threshold, the software deletes half-open sessions. This deletion continues until the count or rate drops below the low threshold.

Cisco IOS Stateful Packet Inspection provides protection from DoS attacks by default as soon as an inspection rule is applied. The DoS protection is enabled on the interface, in the direction in which the firewall is applied, for the protocols that the firewall policy is configured to inspect. DoS protection is applied only to traffic that enters or leaves an interface with inspection configured in the same direction as the traffic's initial movement.

The counter compared against the “ip inspect one-minute high” and “ip inspect one-minute low” thresholds is a sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts during the previous minute of router operation, whether or not the connections succeeded.

These parameters let you configure the points at which your firewall router's DoS protection begins to take effect. When the DoS counters of your router exceed the default or configured values, the router resets one old half-open connection for every new connection that exceeds the configured max-incomplete or one-minute high values, until the number of half-open sessions drops below the max-incomplete low value. The router sends a syslog message if logging is enabled, and if an intrusion prevention system (IPS) is configured on the router, the firewall router sends a DoS signature message through the Security Device Event Exchange (SDEE).
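As an added illustration (not part of the original post, and not Cisco's code), the following Python simulation models the half-open session limiter described above: a sliding one-minute counter of all connection attempts, a high/low watermark pair for the half-open session count and another pair for the one-minute rate, and the "reset one old half-open session per new connection until the count drops below the low watermark" behaviour. The class name, method names and the syslog-style message format are my own; the default threshold values (500 high / 400 low) are the CBAC defaults, and the example also covers the rate-triggered case, which the post mentions but does not walk through.

```python
from collections import OrderedDict, deque


class CbacDosGuard:
    """Simulation (not IOS code) of the CBAC half-open session limiter.

    Parameters mirror the IOS commands:
      ip inspect max-incomplete high/low  -> max_incomplete_high / max_incomplete_low
      ip inspect one-minute high/low      -> one_minute_high / one_minute_low
    """

    WINDOW = 60.0  # seconds covered by the one-minute counter

    def __init__(self, max_incomplete_high=500, max_incomplete_low=400,
                 one_minute_high=500, one_minute_low=400):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.half_open = OrderedDict()  # session id -> start time, oldest first
        self.attempts = deque()         # timestamps of every attempt in the last minute
        self.aggressive = False         # True while the limiter is deleting sessions
        self.deleted = 0                # number of half-open sessions reset so far
        self.events = []                # constructed syslog-style messages

    def _prune(self, now):
        # Drop attempts older than the one-minute window.
        while self.attempts and now - self.attempts[0] >= self.WINDOW:
            self.attempts.popleft()

    def one_minute_rate(self, now):
        """Sum of all connection attempts (successful or not) in the last minute."""
        self._prune(now)
        return len(self.attempts)

    def _update_mode(self, now):
        count = len(self.half_open)
        rate = self.one_minute_rate(now)
        if count > self.max_incomplete_high or rate > self.one_minute_high:
            if not self.aggressive:
                self.events.append(f"DOS-ALERT-ON half-open={count} one-minute-rate={rate}")
            self.aggressive = True
        elif count < self.max_incomplete_low and rate < self.one_minute_low:
            if self.aggressive:
                self.events.append(f"DOS-ALERT-OFF half-open={count} one-minute-rate={rate}")
            self.aggressive = False

    def new_connection(self, sid, now):
        """Register a new connection attempt; return True if a session was reset."""
        self.attempts.append(now)
        self.half_open[sid] = now
        self._update_mode(now)
        if self.aggressive:
            # Reset the oldest half-open session to make room for the new one.
            oldest = next(iter(self.half_open))
            if oldest != sid:
                del self.half_open[oldest]
                self.deleted += 1
                self.events.append(f"RESET half-open session {oldest} for new {sid}")
                return True
        return False

    def complete(self, sid, now):
        """Handshake finished (or return traffic seen): session is no longer half-open."""
        self.half_open.pop(sid, None)
        self._update_mode(now)


if __name__ == "__main__":
    # Constructed SYN-flood scenario: 30 attempts, none ever complete.
    guard = CbacDosGuard(max_incomplete_high=10, max_incomplete_low=8)
    for i in range(30):
        guard.new_connection(f"syn-{i}", float(i))
    print(f"half-open={len(guard.half_open)} reset={guard.deleted}")
    for line in guard.events:
        print(line)
```

The count-triggered path keeps the half-open table pinned at the high watermark while the flood continues, and only leaves aggressive mode once completions bring the count under the low watermark; the rate-triggered path leaves aggressive mode on its own as attempts age out of the sixty-second window.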
