Posted by admin on 02 22nd, 2009

If you wish to leave DoS protection

The counter for ip inspect one-minute low maintains the sum of all TCP, UDP, and Internet Control Message Protocol (ICMP) connection attempts during the preceding minute of the router's operation, whether or not the connections have been successful.

If the DoS parameters are not adjusted to your network's normal behavior, normal network activity can trigger the DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Classic Firewall router. If the values are adjusted to very high levels, your network will not benefit from Cisco IOS Firewall or IPS DoS protection.

Be sure your network is not infected with viruses or worms that could lead to erroneously large half-open connection values and attempted connection rates. If you wish to leave DoS protection disabled, stop following this procedure. For example, take the max-ever session creation rate after rounding; thus, configure parameter-map type inspect DoS-param-map with one-minute high. Proceed to the step that applies if your router is running Cisco IOS Software Release 12.4(11)T or newer.

For example, from the tcp-packets and udp-packets counters (last statistic reset: never), configure parameter-map type inspect DoS-param-map with max-incomplete high, one-minute high, and tcp max-incomplete host with block-time. Apply the parameter-map to every class-map's inspection action: policy-map type inspect z1z2-pmap, class type inspect my-cmap, inspect DoS-param-map. Note: this applies if your router is running Cisco IOS Software Release 12.4(11)T or newer. Monitor your network's DoS protection activity. This document provides procedures to tune Cisco IOS Firewall DoS protection values for both Classic and Zone-Based Cisco IOS Firewall.

You need to experiment with your calculated one-minute value to find the ideal multiplier, but as a starting point, calculate the ip inspect one-minute high and ip inspect tcp max-incomplete host values from it. Routers configured to apply Cisco IOS VRF-Aware Firewall maintain one set of counters for each VRF. The multiplier offers percent headroom above observed behavior. The router will send a syslog message if logging is enabled, and if Intrusion Protection System (IPS) is configured on the router, an SDEE message will be sent to the monitoring station.

An example of one type of DoS attack detection: from the tcp-packets and udp-packets counters (last statistic reset: never), configure parameter-map type inspect DoS-param-map with one-minute high, then proceed to the next step. If your router is not running Cisco IOS Software Release 12.4(11)T or newer, you will not see the max-ever session creation rate statistic in your show policy-map type inspect zone-pair output. For example, from the max-ever session counts (estab, half-open, terminating), configure ip inspect one-minute low, then calculate and configure ip inspect one-minute high.
