Cisco Cisco Packet Data Gateway (PDG)
dos cookie-challenge notify-payload
Configure the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto
template.
template.
Product
All IPSec-related services
Privilege
Security Administrator
Syntax Description
dos cookie-challenge notify-payload [ half-open-sess-count start integer stop integer]
[ default | no ] cookie-challenge detect-dos-attack
[ default | no ] cookie-challenge detect-dos-attack
default
Default is to disabled condition.
no
Prevents Denial of Service cookie transmission. This is the default condition.
half-open-sess-count start integer stop integer
The half-open-sess-count is the number of half-open sessions per IPSec manager.
A session is considered half-open if a PDIF has responded to an IKEv2 INIT Request with an IKEv2 INIT
Response, but no further message was received on that particular IKE SA.
Response, but no further message was received on that particular IKE SA.
• start integer: Starts when the current half-open-sess-count exceeds the start count. The start count is an
integer from 0 to 100000.
• stop integer: Stops when the current half-open-sess-count drops below the stop count. The stop count
number is an integer from 0 to 100000. It is always less than or equal to the start count number
The start count value 0 is a special case whereby this feature is always enabled. In this event, both start
and stop must be 0.
and stop must be 0.
Important
Usage Guidelines
This feature (which is disabled by default) helps prevent malicious Denial of Service attacks against the server
by sending a challenge cookie. If the response from the sender does not incorporate the expected cookie data,
the packets are dropped.
by sending a challenge cookie. If the response from the sender does not incorporate the expected cookie data,
the packets are dropped.
Command Line Interface Reference, Modes C - D, StarOS Release 19
1243
Crypto Template Configuration Mode Commands
dos cookie-challenge notify-payload