- Read Me First
- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Information About Protection Against Distributed Denial of Service Attacks
- How to Configure Protection Against Distributed Denial of Service Attacks
- Configuration Examples for Protection Against Distributed Denial of Service Attacks
- Example: Configuring a Firewall
- Example: Configuring the Aggressive Aging of Firewall Sessions
- Example: Configuring Firewall Event Rate Monitoring
- Example: Configuring the per-Box Half-Opened Session Limit
- Example: Configuring the Half-Opened Session Limit for an Inspect VRF Parameter Map
- Example: Configuring the Global TCP SYN Flood Limit
- Additional References for Protection Against Distributed Denial of Service Attacks
- Feature Information for Protection Against Distributed Denial of Service Attacks
Protection Against Distributed Denial of Service Attacks
The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level (for all firewall sessions) and at the VPN routing and forwarding (VRF) level. In Cisco IOS XE Release 3.4S and later releases, you can configure the aggressive aging of firewall sessions, event rate monitoring of firewall sessions, the half-opened connections limit, and global TCP SYN cookie protection to prevent distributed DoS attacks.
- Finding Feature Information
- Information About Protection Against Distributed Denial of Service Attacks
- How to Configure Protection Against Distributed Denial of Service Attacks
- Configuration Examples for Protection Against Distributed Denial of Service Attacks
- Additional References for Protection Against Distributed Denial of Service Attacks
- Feature Information for Protection Against Distributed Denial of Service Attacks
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Protection Against Distributed Denial of Service Attacks
Aggressive Aging of Firewall Sessions
The Aggressive Aging feature provides the firewall the capability of aggressively aging out sessions to make room for new sessions, thereby protecting the firewall session database from filling. The firewall protects its resources by removing idle sessions. The Aggressive Aging feature allows firewall sessions to exist for a shorter period of time defined by a timer called aging-out time.
The Aggressive Aging feature includes thresholds to define the start and end of the aggressive aging period—high and low watermarks. The aggressive aging period starts when the session table crosses the high watermark and ends when it falls below the low watermark. During the aggressive aging period, sessions will exist for a shorter period of time that you have configured by using the aging-out time. If an attacker initiates sessions at a rate that is faster than the rate at which the firewall terminates sessions, all resources that are allocated for creating sessions are used and all new connections are rejected. To prevent such attacks, you can configure the Aggressive Aging feature to aggressively age out sessions. This feature is disabled by default.
You can configure aggressive aging for half-opened sessions and total sessions at the box level (box refers to the entire firewall session table) and the virtual routing and forwarding (VRF) level. If you have configured this feature for total sessions, all sessions that consume firewall session resources are taken into account. Total sessions comprise established sessions, half-opened sessions, and sessions in the imprecise session database. (A TCP session that has not yet reached the established state is called a half-opened session.)
A firewall has two session databases: the session database and the imprecise session database. The session database contains sessions with 5-tuple (the source IP address, the destination IP address, the source port, the destination port, and the protocol). A tuple is an ordered list of elements. The imprecise session database contains sessions with fewer than 5-tuple (missing IP addresses, port numbers, and so on). In the case of aggressive aging for half-opened sessions, only half-opened sessions are considered.
You can configure an aggressive aging-out time for Internet Control Message Protocol (ICMP), TCP, and UDP firewall sessions. The aging-out time is set by default to the idle time.
Event Rate Monitoring Feature
The Event Rate Monitoring feature monitors the rate of predefined events in a zone. The Event Rate Monitoring feature includes basic threat detection, which is the ability of a security device to detect possible threats, anomalies, and attacks to resources inside the firewall and to take action against them. You can configure a basic threat detection rate for events. When the incoming rate of a certain type of event exceeds the configured threat detection rate, event rate monitoring considers this event as a threat and takes action to stop the threat. Threat detection inspects events only on the ingress zone (if the Event Rate Monitoring feature is enabled on the ingress zone).
The network administrator is informed about the potential threats via an alert message (syslog or high-speed logger [HSL]) and can take actions such as detecting the attack vector, detecting the zone from which the attack is coming, or configuring devices in the network to block certain behaviors or traffic.
The Event Rate Monitoring feature monitors the following types of events:
Firewall drops due to basic firewall checks failure—This can include zone or zone-pair check failures, or firewall policies configured with the drop action, and so on.
Firewall drops due to Layer 4 inspection failure—This can include TCP inspections that have failed because the first TCP packet is not a synchronization (SYN) packet.
TCP SYN cookie attack—This can include counting the number of SYN packets that are dropped and the number of SYN cookies that are sent as a spoofing attack.
The Event Rate Monitoring feature monitors the average rate and the burst rate of different events. Each event type has a rate object that is controlled by an associated rate that has a configurable parameter set (the average threshold, the burst threshold, and a time period). The time period is divided into time slots; each time slot is 1/30th of the time period.
The average rate is calculated for every event type. Each rate object holds 30 completed sampling values plus one value to hold the current ongoing sampling period. The current sampling value replaces the oldest calculated value and the average is recalculated. The average rate is calculated during every time period. If the average rate exceeds the average threshold, the Event Rate Monitoring feature will consider this as a possible threat, update the statistics, and inform the network administrator.
The burst rate is implemented by using the token bucket algorithm. For each time slot, the token bucket is filled with tokens. For each event that occurs (of a specific event type), a token is removed from the bucket. An empty bucket means that the burst threshold is reached, and the administrator receives an alarm through the syslog or HSL. You can view the threat detection statistics and learn about possible threats to various events in the zone from the output of the show policy-firewall stats zone command.
You must first enable basic threat detection by using the threat-detection basic-threat command. Once basic threat detection is configured, you can configure the threat detection rate. To configure the threat detection rate, use the threat-detection rate command.
The following table describes the basic threat detection default settings that are applicable if the Event Rate Monitoring feature is enabled.
Packet Drop Reason |
Threat Detection Settings |
---|---|
Basic firewall drops |
average-rate 400 packets per second (pps) burst-rate 1600 pps rate-interval 600 seconds |
Inspection-based firewall drops |
average-rate 400 pps burst-rate 1600 pps rate-interval 600 seconds |
SYN attack firewall drops |
average-rate 100 pps burst-rate 200 pps rate-interval 600 seconds |
Half-Opened Connections Limit
The firewall session table supports the limiting of half-opened firewall connections. Limiting the number of half-opened sessions will defend the firewall against attacks that might fill the firewall session table at the per-box level or at the virtual routing and forwarding (VRF) level with half-opened sessions and prevent sessions from being established. The half-opened connection limit can be configured for Layer 4 protocols, Internet Control Message Protocol (ICMP), TCP, and UDP. The limit set to the number of UDP half-opened sessions will not affect the TCP or ICMP half-opened sessions. When the configured half-opened session limit is exceeded, all new sessions are rejected and a log message is generated, either in syslog or in the high-speed logger (HSL).
TCP SYN-Flood Attacks
You can configure the global TCP SYN-flood limit to limit SYN flood attacks. TCP SYN-flooding attacks are a type of denial of service (DoS) attack. When the configured TCP SYN-flood limit is reached, the firewall verifies the source of sessions before creating more sessions. Usually, TCP SYN packets are sent to a targeted end host or a range of subnet addresses behind the firewall. These TCP SYN packets have spoofed source IP addresses. A spoofing attack is when a person or program tries to use false data to gain access to resources in a network. TCP SYN flooding can take up all resources on a firewall or an end host, thereby causing denial of service to legitimate traffic. You can configure TCP SYN-flood protection at the VRF level and the zone level.
Host flood—SYN flood packets are sent to a single host intending to utilize all resources on that host.
Firewall session table flood—SYN flood packets are sent to a range of addresses behind the firewall, with the intention of exhausting the session table resources on the firewall, thereby denying resources to the legitimate traffic going through the firewall.
How to Configure Protection Against Distributed Denial of Service Attacks
Configuring a Firewall
1.
enable
2.
configure terminal
3.
class-map type inspect match-any class-map-name
4.
match protocol
{icmp |
tcp |
udp}
5.
exit
6.
parameter-map type inspect global
7.
redundancy
8.
exit
9.
policy-map type inspect
policy-map-name
10.
class type inspect
class-map-name
11.
inspect
12.
exit
13.
class class-default
14.
drop
15.
exit
16.
exit
17.
zone security
security-zone-name
18.
exit
19.
zone security
security-zone-name
20.
exit
21.
zone-pair security
zone-pair-name
source
source-zone
destination
destination-zone
22.
service-policy type inspect
policy-map-name
23.
exit
24.
interface
type
number
25.
ip address
ip-address
mask
26.
encapsulation dot1q
vlan-id
27.
zone-member security
security-zone-name
28.
end
29. To attach a zone to another interface, repeat Steps 21 to 25.
DETAILED STEPS
Configuring the Aggressive Aging of Firewall Sessions
You can configure the Aggressive Aging feature for per-box (per-box refers to the entire firewall session table), default-VRF, and per-VRF firewall sessions. Before the Aggressive Aging feature can work, you must configure the aggressive aging and the aging-out time of firewall sessions.
Perform the following tasks to configure the aggressive aging of firewall sessions.
- Configuring per-Box Aggressive Aging
- Configuring Aggressive Aging for a Default VRF
- Configuring the Aging Out of Firewall Sessions
- Configuring per-VRF Aggressive Aging
Configuring per-Box Aggressive Aging
Per-box refers to the entire firewall session table. Any configuration that follows the parameter-map type inspect-global command applies to the box.
1.
enable
2.
configure terminal
3.
Enter one of the following commands:
4.
per-box max-incomplete
number
aggressive-aging high
{value
low
value |
percent
percent
low percent
percent}
5.
per-box aggressive-aging
high
{value
low
value |
percent
percent
low percent
percent}
6.
exit
7.
parameter-map type inspect
parameter-map-name
8.
tcp synwait-time
seconds
[ageout-time
seconds]
9.
end
10.
show policy-firewall stats global
DETAILED STEPS
Configuring Aggressive Aging for a Default VRF
When you configure the max-incomplete aggressive-aging command, it applies to the default VRF.
1.
enable
2.
configure terminal
3.
Enters one of the following commands:
4.
max-incomplete
number
aggressive-aging
high
{value
low
value
|
percent
percent
low percent
percent}
5.
session total
number
[aggressive-aging high
{value
low
value |
percent
percent
low percent
percent}]
6.
exit
7.
parameter-map type inspect
parameter-map-name
8.
tcp synwait-time
seconds
[ageout-time
seconds]
9.
end
10.
show policy-firewall stats vrf global
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. | ||
Step 2 | configure terminal
Example: Device# configure terminal |
Enters global configuration mode. | ||
Step 3 | Enters one of the following commands:
Example: Device(config)# parameter-map type inspect-global Device(config)# parameter-map type inspect global |
| ||
Step 4 | max-incomplete
number
aggressive-aging
high
{value
low
value
|
percent
percent
low percent
percent}
Example: Device(config-profile)# max-incomplete 3455 aggressive-aging high 2345 low 2255 |
Configures the maximum limit and the aggressive aging limit of half-opened firewall sessions. | ||
Step 5 | session total
number
[aggressive-aging high
{value
low
value |
percent
percent
low percent
percent}]
Example: Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60 |
Configures the total limit and the aggressive aging limit for total firewall sessions. | ||
Step 6 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 7 | parameter-map type inspect
parameter-map-name
Example: Device(config)# parameter-map type inspect pmap1 |
Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter-map type inspect configuration mode. | ||
Step 8 | tcp synwait-time
seconds
[ageout-time
seconds]
Example: Device(config-profile)# tcp synwait-time 30 ageout-time 10 |
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
| ||
Step 9 | end
Example: Device(config-profile)# end |
Exits parameter-map type inspect configuration mode and enters privileged EXEC mode. | ||
Step 10 | show policy-firewall stats vrf global
Example: Device# show policy-firewall stats vrf global |
Displays global VRF firewall policy statistics. |
Configuring the Aging Out of Firewall Sessions
You can configure the aging out of ICMP, TCP, or UDP firewall sessions.
1.
enable
2.
configure terminal
3.
Enter one of the following commands:
4.
vrf
vrf-name
inspect
vrf-pmap-name
5.
exit
6.
parameter-map type inspect
parameter-map-name
7.
tcp idle-time
seconds
[ageout-time
seconds]
8.
tcp synwait-time
seconds
[ageout-time
seconds]
9.
exit
10.
policy-map type inspect
policy-map-name
11.
class type inspect match-any
class-map-name
12.
inspect
parameter-map-name
13.
end
14.
show policy-firewall stats vrf
vrf-pmap-name
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. | ||
Step 2 | configure terminal
Example: Device# configure terminal |
Enters global configuration mode. | ||
Step 3 | Enter one of the following commands:
Example: Device(config)# parameter-map type inspect-global Device(config)# parameter-map type inspectglobal |
| ||
Step 4 | vrf
vrf-name
inspect
vrf-pmap-name
Example: Device(config-profile)# vrf vrf1 inspect vrf1-pmap |
Binds a VRF with a parameter map. | ||
Step 5 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 6 | parameter-map type inspect
parameter-map-name
Example: Device(config)# parameter-map type inspect pmap1 |
Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter-map type inspect configuration mode. | ||
Step 7 | tcp idle-time
seconds
[ageout-time
seconds]
Example: Device(config-profile)# tcp idle-time 3000 ageout-time 100 |
| ||
Step 8 | tcp synwait-time
seconds
[ageout-time
seconds]
Example: Device(config-profile)# tcp synwait-time 30 ageout-time 10 |
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
| ||
Step 9 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 10 | policy-map type inspect
policy-map-name
Example: Device(config)# policy-map type inspect ddos-fw |
Creates a protocol-specific inspect type policy map and enters QoS policy-map configuration mode. | ||
Step 11 | class type inspect match-any
class-map-name
Example: Device(config-pmap)# class type inspect match-any ddos-class |
Specifies the traffic class on which an action is to be performed and enters QoS policy-map class configuration mode. | ||
Step 12 | inspect
parameter-map-name
Example: Device(config-pmap-c)# inspect pmap1 |
Enables stateful packet inspection for the parameter map. | ||
Step 13 | end
Example: Device(config-pmap-c)# end |
Exits QoS policy-map class configuration mode and enters privileged EXEC mode. | ||
Step 14 | show policy-firewall stats vrf
vrf-pmap-name
Example: Device# show policy-firewall stats vrf vrf1-pmap |
Displays VRF-level policy firewall statistics. |
Example
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap VRF: vrf1, Parameter-Map: vrf1-pmap Interface reference count: 2 Total Session Count(estab + half-open): 270, Exceed: 0 Total Session Aggressive Aging Period Off, Event Count: 0 Half Open Protocol Session Cnt Exceed -------- ----------- ------ All 0 0 UDP 0 0 ICMP 0 0 TCP 0 0 TCP Syn Flood Half Open Count: 0, Exceed: 12 Half Open Aggressive Aging Period Off, Event Count: 0
Configuring per-VRF Aggressive Aging
1.
enable
2.
configure terminal
3.
ip vrf
vrf-name
4.
rd
route-distinguisher
5.
route-target export
route-target-ext-community
6.
route-target import
route-target-ext-community
7.
exit
8.
parameter-map type inspect-vrf
vrf-pmap-name
9.
max-incomplete
number
aggressive-aging
high
{value
low
value
|
percent
percent
low percent
percent}
10.
session total
number
[aggressive-aging
{high
value
low
value
|
percent
percent
low percent
percent}]
11.
alert on
12.
exit
13.
Enter one of the following commands:
14.
vrf
vrf-name
inspect
vrf-pmap-name
15.
exit
16.
parameter-map type inspect
parameter-map-name
17.
tcp idle-time
seconds
[ageout-time
seconds]
18.
tcp synwait-time
seconds
[ageout-time
seconds]
19.
exit
20.
policy-map type inspect
policy-map-name
21.
class type inspect match-any
class-map-name
22.
inspect
parameter-map-name
23.
end
24.
show policy-firewall stats vrf
vrf-pmap-name
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. | ||
Step 2 | configure terminal
Example: Device# configure terminal |
Enters global configuration mode. | ||
Step 3 | ip vrf
vrf-name
Example: Device(config)# ip vrf ddos-vrf1 |
Defines a VRF instance and enters VRF configuration mode. | ||
Step 4 | rd
route-distinguisher
Example: Device(config-vrf)# rd 100:2 |
Specifies a route distinguisher (RD) for a VRF instance. | ||
Step 5 | route-target export
route-target-ext-community
Example: Device(config-vrf)# route-target export 100:2 |
Creates a route-target extended community and exports the routing information to the target VPN extended community. | ||
Step 6 | route-target import
route-target-ext-community
Example: Device(config-vrf)# route-target import 100:2 |
Creates a route-target extended community and imports routing information from the target VPN extended community. | ||
Step 7 | exit
Example: Device(config-vrf)# exit |
Exits VRF configuration mode and enters global configuration mode. | ||
Step 8 | parameter-map type inspect-vrf
vrf-pmap-name
Example: Device(config)# parameter-map type inspect-vrf vrf1-pmap |
Configures an inspect VRF-type parameter map and enters parameter-map type inspect configuration mode. | ||
Step 9 | max-incomplete
number
aggressive-aging
high
{value
low
value
|
percent
percent
low percent
percent}
Example: Device(config-profile)# max-incomplete 2000 aggressive-aging high 1500 low 1200 |
Configures the maximum limit and the aggressive aging limit for half-opened sessions. | ||
Step 10 | session total
number
[aggressive-aging
{high
value
low
value
|
percent
percent
low percent
percent}]
Example: Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60 |
Configures the total session limit and the aggressive aging limit for the total sessions. | ||
Step 11 | alert on
Example: Device(config-profile)# alert on |
Enables the console display of stateful packet inspection alert messages. | ||
Step 12 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 13 | Enter one of the following commands:
Example: Device(config)# parameter-map type inspect-global Device(config)# parameter-map type inspect global |
| ||
Step 14 | vrf
vrf-name
inspect
vrf-pmap-name
Example: Device(config-profile)# vrf vrf1 inspect vrf1-pmap |
Binds a VRF with a parameter map. | ||
Step 15 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 16 | parameter-map type inspect
parameter-map-name
Example: Device(config)# parameter-map type inspect pmap1 |
Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter-map type inspect configuration mode. | ||
Step 17 | tcp idle-time
seconds
[ageout-time
seconds]
Example: Device(config-profile)# tcp idle-time 3000 ageout-time 100 |
Configures the timeout for idle TCP sessions and the aggressive aging-out time for TCP sessions. | ||
Step 18 | tcp synwait-time
seconds
[ageout-time
seconds]
Example: Device(config-profile)# tcp synwait-time 30 ageout-time 10 |
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
| ||
Step 19 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 20 | policy-map type inspect
policy-map-name
Example: Device(config)# policy-map type inspect ddos-fw |
Creates a protocol-specific inspect type policy map and enters QoS policy-map configuration mode. | ||
Step 21 | class type inspect match-any
class-map-name
Example: Device(config-pmap)# class type inspect match-any ddos-class |
Specifies the traffic (class) on which an action is to be performed and enters QoS policy-map class configuration mode. | ||
Step 22 | inspect
parameter-map-name
Example: Device(config-pmap-c)# inspect pmap1 |
Enables stateful packet inspection for the parameter map. | ||
Step 23 | end
Example: Device(config-pmap-c)# end |
Exits QoS policy-map class configuration mode and enters privileged EXEC mode. | ||
Step 24 | show policy-firewall stats vrf
vrf-pmap-name
Example: Device# show policy-firewall stats vrf vrf1-pmap |
Displays VRF-level policy firewall statistics. |
Example
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap VRF: vrf1, Parameter-Map: vrf1-pmap Interface reference count: 2 Total Session Count(estab + half-open): 80, Exceed: 0 Total Session Aggressive Aging Period Off, Event Count: 0 Half Open Protocol Session Cnt Exceed -------- ----------- ------ All 0 0 UDP 0 0 ICMP 0 0 TCP 0 0 TCP Syn Flood Half Open Count: 0, Exceed: 116 Half Open Aggressive Aging Period Off, Event Count: 0
Configuring Firewall Event Rate Monitoring
1.
enable
2.
configure terminal
3.
parameter-map type inspect-zone
zone-pmap-name
4.
alert on
5.
threat-detection basic-threat
6.
threat-detection rate fw-drop average-time-frame
seconds
average-threshold
packets-per-second
burst-threshold
packets-per-second
7.
threat-detection rate inspect-drop average-time-frame
seconds
average-threshold
packets-per-second
burst-threshold
packets-per-second
8.
threat-detection rate syn-attack average-time-frame
seconds
average-threshold
packets-per-second
burst-threshold
packets-per-second
9.
exit
10.
zone security
security-zone-name
11.
protection
parameter-map-name
12.
exit
13.
zone-pair security
zone-pair-name
source
source-zone
destination
destination-zone
14.
end
15.
show policy-firewall stats zone
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
Step 2 | configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
Step 3 | parameter-map type inspect-zone
zone-pmap-name
Example: Device(config)# parameter-map type inspect-zone zone-pmap1 |
Configures an inspect-zone parameter map and enters parameter-map type inspect configuration mode. |
Step 4 | alert on
Example: Device(config-profile)# alert on |
|
Step 5 | threat-detection basic-threat
Example: Device(config-profile)# threat-detection basic-threat |
Configures basic threat detection for a zone. |
Step 6 | threat-detection rate fw-drop average-time-frame
seconds
average-threshold
packets-per-second
burst-threshold
packets-per-second
Example: Device(config-profile)# threat-detection rate fw-drop average-time-frame 600 average-threshold 100 burst-threshold 100 |
|
Step 7 | threat-detection rate inspect-drop average-time-frame
seconds
average-threshold
packets-per-second
burst-threshold
packets-per-second
Example: Device(config-profile)# threat-detection rate inspect-drop average-time-frame 600 average-threshold 100 burst-threshold 100 |
Configures the threat detection rate for firewall inspection-based drop events. |
Step 8 | threat-detection rate syn-attack average-time-frame
seconds
average-threshold
packets-per-second
burst-threshold
packets-per-second
Example: Device(config-profile)# threat-detection rate syn-attack average-time-frame 600 average-threshold 100 burst-threshold 100 |
Configures the threat detection rate for TCP SYN attack events. |
Step 9 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. |
Step 10 | zone security
security-zone-name
Example: Device(config)# zone security public |
Creates a security zone and enters security zone configuration mode. |
Step 11 | protection
parameter-map-name
Example: Device(config-sec-zone)# protection zone-pmap1 |
Attaches the inspect-zone parameter map to the zone and applies the features configured in the inspect-zone parameter map to the zone. |
Step 12 | exit
Example: Device(config-sec-zone)# exit |
Exits security zone configuration mode and enters global configuration mode. |
Step 13 | zone-pair security
zone-pair-name
source
source-zone
destination
destination-zone
Example: Device(config)# zone-pair security private2public source private destination public |
Creates a zone pair and enters security zone-pair configuration mode. |
Step 14 | end
Example: Device(config-sec-zone-pair)# end |
Exits security zone-pair configuration mode and enters privileged EXEC mode. |
Step 15 | show policy-firewall stats zone
Example: Device# show policy-firewall stats zone |
Displays policy firewall statistics at the zone level. |
Configuring the per-Box Half-Opened Session Limit
Per-box refers to the entire firewall session table. Any configuration that follows the parameter-map type inspect-global command applies to the box.
1.
enable
2.
configure terminal
3.
Enter one of the following commands:
4.
alert on
5.
per-box max-incomplete
number
6.
session total
number
7.
end
8.
show policy-firewall stats global
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. | ||
Step 2 | configure terminal
Example: Device# configure terminal |
Enters global configuration mode. | ||
Step 3 | Enter one of the following commands:
Example: Device(config)# parameter-map type inspect-global Device(config)# parameter-map type inspect global |
Configures a global parameter map for connecting thresholds and timeouts and enters parameter-map type inspect configuration mode.
| ||
Step 4 | alert on
Example: Device(config-profile)# alert on |
Enables the console display of stateful packet inspection alert messages. | ||
Step 5 | per-box max-incomplete
number
Example: Device(config-profile)# per-box max-incomplete 12345 | Configures the maximum number of half-opened connections for the firewall session table. | ||
Step 6 | session total
number
Example: Device(config-profile)# session total 34500 |
Configures the total session limit for the firewall session table. | ||
Step 7 | end
Example: Device(config-profile)# end |
Exits parameter-map type inspect configuration mode and enters privileged EXEC mode. | ||
Step 8 | show policy-firewall stats global
Example: Device# show policy-firewall stats global |
Displays global firewall statistics information. |
Configuring the Half-Opened Session Limit for an Inspect-VRF Parameter Map
1.
enable
2.
configure terminal
3.
parameter-map type inspect-vrf
vrf-name
4.
alert on
5.
max-incomplete
number
6.
session total
number
7.
exit
8.
Enter one of the following commands:
9.
alert on
10.
vrf
vrf-name
inspect
vrf-pmap-name
11.
end
12.
show policy-firewall stats vrf
vrf-pmap-name
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. | ||
Step 2 | configure terminal
Example: Device# configure terminal |
Enters global configuration mode. | ||
Step 3 | parameter-map type inspect-vrf
vrf-name
Example: Device(config)# parameter-map type inspect-vrf vrf1-pmap |
Configures an inspect-VRF parameter map and enters parameter-map type inspect configuration mode. | ||
Step 4 | alert on
Example: Device(config-profile)# alert on |
Enables the console display of stateful packet inspection alert messages. | ||
Step 5 | max-incomplete
number
Example: Device(config-profile)# max-incomplete 2000 |
Configures the maximum number of half-opened connections per VRF. | ||
Step 6 | session total
number
Example: Device(config-profile)# session total 34500 |
Configures the total session limit for a VRF. | ||
Step 7 | exit
Example: Device(config-profile)# exit |
Exits parameter-map type inspect configuration mode and enters global configuration mode. | ||
Step 8 | Enter one of the following commands:
Example: Device(config)# parameter-map type inspect-global Device(config)# parameter-map type inspect global |
| ||
Step 9 | alert on
Example: Device(config-profile)# alert on |
Enables the console display of stateful packet inspection alert messages. | ||
Step 10 | vrf
vrf-name
inspect
vrf-pmap-name
Example: Device(config-profile)# vrf vrf1 inspect vrf1-pmap |
Binds the VRF to the global parameter map. | ||
Step 11 | end
Example: Device(config-profile)# end |
Exits parameter-map type inspect configuration mode and enters privileged EXEC mode. | ||
Step 12 | show policy-firewall stats vrf
vrf-pmap-name
Example: Device# show policy-firewall stats vrf vrf1-pmap |
Displays VRF-level policy firewall statistics. |
Configuring the Global TCP SYN Flood Limit
1.
enable
2.
configure
terminal
3.
Enter one of the following commands:
4.
alert
on
5.
per-box tcp
syn-flood
limit
number
6.
end
7.
show
policy-firewall
stats
vrf
global
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. | ||
Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. | ||
Step 3 | Enter one of the following commands:
Example: Device(config)# parameter-map type inspect-global Device(config)# parameter-map type inspect global |
Configures a global parameter map and enters parameter-map type inspect configuration mode.
| ||
Step 4 |
alert
on
Example: Device(config-profile)# alert on |
Enables the console display of stateful packet inspection alert messages. | ||
Step 5 |
per-box tcp
syn-flood
limit
number
Example: Device(config-profile)# per-box tcp syn-flood limit 500 |
Limits the number of TCP half-opened sessions that trigger SYN cookie processing for new SYN packets. | ||
Step 6 |
end
Example: Device(config-profile)# end |
Exits parameter-map type inspect configuration mode and enters privileged EXEC mode. | ||
Step 7 |
show
policy-firewall
stats
vrf
global
Example: Device# show policy-firewall stats vrf global |
(Optional) Displays the status of the global VRF firewall policy. |
Example
The following is sample output from the show policy-firewall stats vrf global command:
Device# show policy-firewall stats vrf global Global table statistics total_session_cnt: 0 exceed_cnt: 0 tcp_half_open_cnt: 0 syn_exceed_cnt: 0
Configuration Examples for Protection Against Distributed Denial of Service Attacks
Example: Configuring a Firewall
Router# configure terminal Router(config)# class-map type inspect match-any ddos-class Router(config-cmap)# match protocol tcp Router(config-cmap-c)# exit Router(config)# parameter-map type inspect global Router(config-profile)# redundancy Router(config-profile)# exit Router(config)# policy-map type inspect ddos-fw Router(config-pmap)# class type inspect ddos-class Router(config-pmap-c)# inspect Router(config-pmap-c)# exit Router(config-pmap)# class class-default Router(config-pmap-c)# drop Router(config-pmap-c)# exit Router(config-pmap)# exit Router(config)# zone security private Router(config-sec-zone)# exit Router(config)# zone security public Router(config-sec-zone)# exit Router(config)# zone-pair security private2public source private destination public Router((config-sec-zone-pair)# service-policy type inspect ddos-fw Router((config-sec-zone-pair)# exit Router(config)# interface gigabitethernet 0/1/0.1 Router(config-subif)# ip address 10.1.1.1 255.255.255.0 Router(config-subif)# encapsulation dot1q 2 Router(config-subif)# zone-member security private Router(config-subif)# exit Router(config)# interface gigabitethernet 1/1/0.1 Router(config-subif)# ip address 10.2.2.2 255.255.255.0 Router(config-subif)# encapsulation dot1q 2 Router(config-subif)# zone-member security public Router(config-subif)# end
Example: Configuring the Aggressive Aging of Firewall Sessions
Example: Configuring per-Box Aggressive Aging
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# per-box max-incomplete 2000 aggressive-aging 1500 low 1200 Device(config-profile)# per-box aggressive-aging high 1700 low 1300 Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# end
Example: Configuring Aggressive Aging for a Default VRF
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# max-incomplete 2000 aggressive-aging high 1500 low 1200 Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60 Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# end
Example: Configuring the Aging Out of Firewall Sessions
Device# configure terminal Device(config-profile)# exit Device(config)# parameter-map type inspect global Device(config-profile)# vrf vrf1 inspect vrf1-pmap Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp idle-time 3000 ageout-time 100 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# exit Device(config)# policy-map type inspect ddos-fw Device(config-profile)# class type inspect match-any ddos-class Device(config-profile)# inspect pmap1 Device(config-profile)# end
Example: Configuring per-VRF Aggressive Aging
Device# configure terminal Device(config)# ip vrf ddos-vrf1 Device(config-vrf)# rd 100:2 Device(config-vrf)# route-target export 100:2 Device(config-vrf)# route-target import 100:2 Device(config-vrf)# exit Device(config)# parameter-map type inspect-vrf vrf1-pmap Device(config-profile)# max-incomplete 3455 aggressive-aging high 2345 low 2255 Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60 Device(config-profile)# alert on Device(config-profile)# exit Device(config)# parameter-map type inspect global Device(config-profile)# vrf vrf1 inspect vrf1-pmap Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp idle-time 3000 ageout-time 100 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# exit Device(config)# policy-map type inspect ddos-fw Device(config-pmap)# class type inspect match-any ddos-class Device(config-pmap-c)# inspect pmap1 Device(config-profile)# end
Example: Configuring Firewall Event Rate Monitoring
Device> enable Device# configure terminal Device(config)# parameter-map type inspect zone zone-pmap1 Device(config-profile)# alert on Device(config-profile)# threat-detection basic-threat Device(config-profile)# threat-detection rate fw-drop average-time-frame 600 average-threshold 100 burst-threshold 100 Device(config-profile)# threat-detection rate inspect-drop average-time-frame 600 average-threshold 100 burst-threshold 100 Device(config-profile)# threat-detection rate syn-attack average-time-frame 600 average-threshold 100 burst-threshold 100 Device(config-profile)# exit Device(config)# zone security public Device(config-sec-zone)# protection zone-pmap1 Device(config-sec-zone)# exit Device(config)# zone-pair security private2public source private destination public Device(config-sec-zone-pair)# end
Example: Configuring the per-Box Half-Opened Session Limit
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# alert on Device(config-profile)# per-box max-incomplete 12345 Device(config-profile)# session total 34500 Device(config-profile)# end
Example: Configuring the Half-Opened Session Limit for an Inspect VRF Parameter Map
Device# configure terminal Device(config)# parameter-map type inspect vrf vrf1-pmap Device(config-profile)# alert on Device(config-profile)# max-incomplete 3500 Device(config-profile)# session total 34500 Device(config-profile)# exit Device(config)# parameter-map type inspect global Device(config-profile)# alert on Device(config-profile)# vrf vrf1 inspect vrf1-pmap Device(config-profile)# end
Example: Configuring the Global TCP SYN Flood Limit
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# alert on Device(config-profile)# per-box tcp syn-flood limit 500 Device(config-profile)# end
Additional References for Protection Against Distributed Denial of Service Attacks
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Firewall resource management |
Configuring Firewall Resource Management feature |
Firewall TCP SYN cookie |
Configuring Firewall TCP SYN Cookie feature |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Protection Against Distributed Denial of Service Attacks
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
Protection Against Distributed Denial of Service Attacks |
Cisco IOS XE Release 3.4S |
The Protection Against Distributed Denial of Service Attacks feature provides protection from DoS attacks at the per-box level (for all firewall sessions) and at the VRF level. You can configure the aggressive aging of firewall sessions, event rate monitoring of firewall sessions, the half-opened connections limit, and global TCP SYN cookie protection to prevent DDoS attacks. The following commands were introduced or modified: clear policy-firewall stats global, max-incomplete, max-incomplete aggressive-aging, per-box aggressive-aging, per-box max-incomplete, per-box max-incomplete aggressive-aging, per-box tcp syn-flood limit, session total, show policy-firewall stats global, show policy-firewall stats zone, threat-detection basic-threat, threat-detection rate, and udp half-open. |