Anantha,

That's true for the max-incomplete and one-minute CBAC commands. Those commands work for TCP, UDP and even for ICMP. However, the "tcp max-incomplete" works only for TCP. Why?

This is because the host-specific defense is mainly to protect the router from handling attacks coming from a higher speed link. It stops new connections to the host (server) when the half-open connection limit has been reached. Note that it works differently from "max-incomplete", since new connections to the server are not possible for a time specified by this command after the limit has been crossed.

The reason for that is closely connected with how the router works. In normal operation, connections use the fast path (CEF switching), so that there is no performance impact on the router's CPU. However, in the case of the router firewall, every connection must be handled by the CPU to enable stateful firewall behavior. In the case of a DoS attack from the higher speed interface, the number of connections can be so huge that the performance impact can be significant. That's why the developers decided to introduce a time limit in that command. This was mainly developed for those reasons, and that's why only TCP is supported.
Regards,
Piotr

2011/1/25 Anantha Subramanian Natarajan <[email protected]>

> Hi Piotr,
>
> Thanks for your clarification. It seems Cisco IOS firewall considers UDP
> half-open sessions as any UDP communication which is unidirectional. Is that
> not right? I was reading the command reference on what Cisco IOS
> firewall treats as a UDP half-open session.
>
> Kindly correct me.
>
> Thanks
>
> Regards
> Anantha Subramanian Natarajan
>
>
> On Tue, Jan 25, 2011 at 11:48 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Anantha,
>>
>> UDP is connectionless, so no half-open connections exist.
>>
>> Regards,
>> Piotr
>>
>> 2011/1/25 Anantha Subramanian Natarajan <[email protected]>
>>
>>> Hi All,
>>>
>>> I was going through the Cisco IOS Firewall feature (CBAC) and understood
>>> that there is a global command "ip inspect tcp max-incomplete host value" to
>>> delete half-open sessions whenever the number of half-open sessions to the
>>> specified destination host address rises above a threshold. I am trying to
>>> understand whether a similar command exists for UDP, and if not, any specific
>>> technical reason why this command wouldn't be possible for UDP.
>>>
>>> Thanks for the great help
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
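The difference Piotr describes, between the global max-incomplete thresholds that count every protocol and the TCP-only per-host limit that blocks a server for a configured time, as an added Python model written for this page. It is illustrative code, not IOS and not anything posted in the thread. The knobs mirror the real command names (`ip inspect max-incomplete high`/`low`, `ip inspect tcp max-incomplete host N block-time M`), but the oldest-first deletion order, the addresses and the thresholds are all assumptions of the model.

```python
# Added illustrative model of CBAC half-open thresholds; not IOS code.
from collections import OrderedDict


class CbacHalfOpenModel:
    """Tracks half-open (embryonic) sessions the way the thread describes CBAC doing it.

    Three knobs are modelled (names follow the IOS commands, values are constructed):
      max_incomplete_high/low  -> "ip inspect max-incomplete high|low": global, all protocols
      host_max_incomplete      -> "ip inspect tcp max-incomplete host N ...": TCP only, per destination
      host_block_time          -> the "block-time" minutes of that same command
    Deleting oldest-first when a threshold is crossed is an assumption of this model.
    """

    def __init__(self, max_incomplete_high=500, max_incomplete_low=400,
                 host_max_incomplete=50, host_block_time=0):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.host_max_incomplete = host_max_incomplete
        self.host_block_time = host_block_time
        # (proto, src, dst) -> time first seen; insertion order doubles as age
        self.sessions = OrderedDict()
        # dst host -> time (seconds) until which new TCP attempts to it are dropped
        self.blocked_until = {}

    def _tcp_half_open_to(self, dst):
        return [k for k in self.sessions if k[0] == "tcp" and k[2] == dst]

    def half_open_to(self, dst):
        return len(self._tcp_half_open_to(dst))

    def syn(self, now, src, dst, proto="tcp"):
        """A new connection attempt hits the inspect rule. Returns 'ALLOW' or 'DROP'."""
        # 1. Host-specific defence: TCP only, because only TCP has a half-open state.
        if proto == "tcp":
            if now < self.blocked_until.get(dst, -1):
                return "DROP"  # still inside the block-time window
            if self.half_open_to(dst) >= self.host_max_incomplete:
                if self.host_block_time > 0:
                    # Flush the host's half-open sessions and refuse new ones for block-time.
                    for key in self._tcp_half_open_to(dst):
                        del self.sessions[key]
                    self.blocked_until[dst] = now + self.host_block_time * 60
                    return "DROP"
                # block-time 0: make room by deleting the oldest half-open to this host.
                del self.sessions[self._tcp_half_open_to(dst)[0]]

        # 2. Global defence: counts TCP, UDP and ICMP alike. Once the high water mark
        #    is crossed, the oldest half-open sessions go until we are back at low.
        self.sessions[(proto, src, dst)] = now
        if len(self.sessions) > self.max_incomplete_high:
            while len(self.sessions) > self.max_incomplete_low:
                self.sessions.popitem(last=False)
        return "ALLOW"

    def established(self, src, dst, proto="tcp"):
        """Handshake completed (or a UDP reply seen): the session is no longer half-open."""
        self.sessions.pop((proto, src, dst), None)


def demo_host_block_time():
    """Host limit 3 with block-time 1 minute: the 4th SYN flushes and blocks the server."""
    fw = CbacHalfOpenModel(host_max_incomplete=3, host_block_time=1)
    server = "192.0.2.10"  # constructed documentation/private addresses
    verdicts = [fw.syn(t, f"10.0.0.{t + 1}", server) for t in range(4)]
    return {
        "first_four": verdicts,                                     # ALLOW x3, then DROP
        "during_block": fw.syn(30, "10.0.0.9", server),             # DROP: inside block-time
        "udp_during_block": fw.syn(31, "10.0.0.9", server, "udp"),  # ALLOW: UDP is not subject
        "after_block": fw.syn(70, "10.0.0.9", server),              # ALLOW: 60 s have elapsed
    }


def demo_host_block_time_zero():
    """Same limit with block-time 0: the 4th SYN is admitted and the oldest half-open goes."""
    fw = CbacHalfOpenModel(host_max_incomplete=3, host_block_time=0)
    server = "192.0.2.10"
    verdicts = [fw.syn(t, f"10.0.0.{t + 1}", server) for t in range(4)]
    return verdicts, fw.half_open_to(server), ("tcp", "10.0.0.1", server) in fw.sessions


def demo_global_high_low():
    """Global high=5/low=3: crossing high trims back to low regardless of protocol."""
    fw = CbacHalfOpenModel(max_incomplete_high=5, max_incomplete_low=3,
                           host_max_incomplete=100)
    protos = ["tcp", "udp", "icmp", "tcp", "udp", "tcp"]
    verdicts = [fw.syn(t, f"10.0.1.{t}", f"192.0.2.{t}", p) for t, p in enumerate(protos)]
    return verdicts, len(fw.sessions)


if __name__ == "__main__":
    print(demo_host_block_time())
    print(demo_host_block_time_zero())
    print(demo_global_high_low())
```

The point the model makes concrete: with a non-zero block time, once the per-host limit is crossed the router stops spending CPU on any new TCP attempt to that server for the whole window, whereas the global thresholds only trim the session table and keep admitting new attempts, which is why the per-host command is the one that protects a firewall fed from a faster link.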
