Cisco ASR 5x00 Command Line Interface Reference
Cisco Packet Data Interworking Function (PDIF)
Crypto Template Configuration Mode Commands
dos cookie-challenge notify-payload
Configure the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto template.
Product
All IPSec-related services
Privilege
Security Administrator
Syntax
dos cookie-challenge notify-payload [ half-open-sess-count { start integer | stop integer } ]
[ default | no ] cookie-challenge detect-dos-attack
default
The default is the disabled condition.
no
Prevents Denial of Service cookie transmission. This is the default condition.
half-open-sess-count { start | stop }
The half-open-sess-count is the number of half-open sessions per IPSec manager.
A session is considered half-open if a PDIF has responded to an IKEv2 INIT Request with an IKEv2 INIT Response, but no further message was received on that particular IKE SA.
start: Starts when the current half-open-sess-count exceeds the start count. The start count is an integer from 0 to 100000.
stop: Stops when the current half-open-sess-count drops below the stop count. The stop count is an integer from 0 to 100000. It is always less than or equal to the start count.
Important: The start count value 0 is a special case whereby this feature is always enabled. In this event, both start and stop must be 0.
Usage
This feature (which is disabled by default) helps prevent malicious Denial of Service attacks against the server by sending a challenge cookie. If the response from the sender does not incorporate the expected cookie data, the packets are dropped.
Example
The following example configures the cookie challenge to begin when the half-open-sess-count reaches 50000 and stop when it drops below 20000:
dos cookie-challenge notify-payload half-open-sess-count start 50000 stop 20000
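As an added illustration (not Cisco's code; every name below is an assumption), the following Python models the start/stop hysteresis described above, including the stop-not-greater-than-start rule and the start 0 "always enabled" special case, and replays it against a constructed sequence of half-open session counts using the 50000/20000 values from the example:

```python
# Added example, not Cisco's implementation: a model of the half-open-sess-count
# hysteresis behind `dos cookie-challenge notify-payload`. Names are assumptions.
from dataclasses import dataclass

MAX_COUNT = 100000  # upper bound for start and stop counts per the reference


@dataclass(frozen=True)
class CookieChallengePolicy:
    start: int  # challenge engages when half-open count exceeds this
    stop: int   # challenge disengages when half-open count drops below this

    def __post_init__(self):
        for name, value in (("start", self.start), ("stop", self.stop)):
            if not 0 <= value <= MAX_COUNT:
                raise ValueError(f"{name} must be 0..{MAX_COUNT}, got {value}")
        if self.stop > self.start:
            raise ValueError("stop count must be less than or equal to start count")
        if self.start == 0 and self.stop != 0:
            raise ValueError("start 0 (always enabled) requires stop 0")

    @property
    def always_on(self) -> bool:
        return self.start == 0

    def to_cli(self) -> str:
        """Render the crypto-template line that expresses this policy."""
        return (f"dos cookie-challenge notify-payload half-open-sess-count "
                f"start {self.start} stop {self.stop}")


def challenge_active(policy: CookieChallengePolicy, half_open_counts) -> list:
    """Replay per-IPSec-manager half-open session counts (one sample per tick)
    and report, per sample, whether the cookie challenge is engaged.
    Engage when count > start; disengage only once count < stop (hysteresis)."""
    active = policy.always_on
    states = []
    for count in half_open_counts:
        if policy.always_on:
            active = True
        elif not active and count > policy.start:
            active = True
        elif active and count < policy.stop:
            active = False
        states.append(active)
    return states


if __name__ == "__main__":
    policy = CookieChallengePolicy(start=50000, stop=20000)
    # Constructed sample: a surge of half-open IKE SAs that later subsides.
    samples = [10000, 50000, 50001, 30000, 20000, 19999, 60000]
    print(policy.to_cli())
    print(list(zip(samples, challenge_active(policy, samples))))
```

The replay shows that the challenge stays engaged while the count sits between the two thresholds, so a floodwave that hovers around 50000 does not toggle the feature on every tick.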