RE: IP TCP Intercept question

From: scott mann (smann0762@xxxxxxxxxxx)
Date: Wed Apr 10 2002 - 19:12:44 GMT-3


   
My requirement is to stop a TCP SYN attack from one subnet to a server on
another. This is why I chose to use TCP intercept. However, I am also
required to enforce an absolute timeout, but I don't know of any other way
besides using a dynamic access-list and mixing the two together.

Thanks for your help.

>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
>To: "'scott mann'" <smann0762@hotmail.com>, tsabry@slb.com,
>ccielab@groupstudy.com
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 15:27:23 -0500
>
>According to what I understand, this feature is for preventing DoS attacks
>created by floods of *unsuccessful* connections. I think you might need
>something else to achieve what you're looking for. Maybe someone can
>enlighten us about anything that can be done on the Cisco equipment to
>handle this.
>
>Sorry
>Tarek
>
>-----Original Message-----
>From: scott mann [mailto:smann0762@hotmail.com]
>Sent: Wednesday, April 10, 2002 3:08 PM
>To: tsabry@slb.com; ccielab@groupstudy.com
>Subject: RE: IP TCP Intercept question
>
>
>
>Yes, but I would like to timeout the connection even if the user DOES
>establish the connection...I want an absolute timeout.
>
>Thanks
>
>
> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >Reply-To: tsabry@slb.com
> >To: 'scott mann' <smann0762@hotmail.com>, ccielab@groupstudy.com
> >Subject: RE: IP TCP Intercept question
> >Date: Wed, 10 Apr 2002 14:58:41 -0500
> >
> >Scott
> >
> >It seems that what you need is to set the "watch-timeout" and not the
> >"connection-timeout". The former is defined as the "time allowed to reach
> >established state". So if the user fails to establish the connection after
> >this timeout, the router sends a reset to the server to drop the connection.
> >
> >So the right command (in my humble opinion) would be:
> >
> >"ip tcp intercept watch-timeout [seconds]"
> >
> >It sounds misleading to use the "watch" timeout when in "intercept" mode,
> >but that's what the documentation says!
> >
> >Let's hear from experts too ....
> >
> >Tarek
> >
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> >scott mann
> >Sent: Wednesday, April 10, 2002 2:24 PM
> >To: ccielab@groupstudy.com
> >Subject: IP TCP Intercept question
> >
> >
> >Can anyone tell me if using the below command will disconnect the
> >user/connection or simply cause the router to stop managing (keeping stats
> >or control of) the user/connection. I want to disconnect the user/connection
> >after a specific timeout period regardless of his authentication/TCP
> >status.
> >
> >"ip tcp intercept connection-timeout [seconds]"
> >
> >Below is the Cisco Link, but it is not specific.
> >
> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
> >
> >Thanks,
> >Lab in 2 days.
> >
> >
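The two mechanisms the thread circles around, written out side by side as an added IOS configuration example; it is not taken from any message in this thread. The addressing (192.0.2.0/24 as the client subnet the SYN flood comes from, 198.51.100.10 as the protected server, 192.0.2.1 as the router's inside address), the access-list numbers, the dynamic entry name, the username and every timer value are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed addressing: clients on
! 192.0.2.0/24 (the subnet the SYN flood comes from), protected server
! 198.51.100.10, router address 192.0.2.1. ACL numbers, names and all
! timer values are assumptions.
!
! --- Part 1: TCP intercept, to absorb the SYN flood -----------------
! Extended ACL 101 selects which SYNs the router intercepts: only those
! from the suspect subnet to the protected server.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10
ip tcp intercept list 101
! Intercept mode: the router completes the three-way handshake with the
! client itself and only then opens the connection to the server, so
! half-open connections never reach the server.
ip tcp intercept mode intercept
! Time allowed for a connection to reach the established state before it
! is torn down (the thread's "watch-timeout"; IOS default is 30 s).
ip tcp intercept watch-timeout 15
! Time an established connection stays managed after no activity (the
! thread's "connection-timeout"; IOS default is 86400 s = 24 h). This is
! an inactivity timer for intercept bookkeeping, not an absolute limit
! on how long the user's session may live.
ip tcp intercept connection-timeout 3600
! Aggressive-mode thresholds: above "high", each new SYN causes a partial
! connection to be dropped (oldest first here) and the retransmission
! timeout is halved; normal behaviour resumes below "low".
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode oldest
!
! --- Part 2: lock-and-key (dynamic ACL) for the absolute timeout ------
! "timeout 60" on the dynamic entry is an ABSOLUTE limit in minutes: the
! temporary entry is removed 60 minutes after it was created, even if the
! user's TCP connection is still established and active.
access-list 102 dynamic SERVER-ACCESS timeout 60 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10
! Users must still be able to reach the router itself to authenticate.
access-list 102 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq telnet
!
interface Ethernet0
 description Facing the 192.0.2.0/24 client subnet
 ip address 192.0.2.1 255.255.255.0
 ip access-group 102 in
!
! Assumed local user for the lock-and-key telnet authentication.
username scott password 0 example
line vty 0 4
 login local
 ! "timeout 5" here is the IDLE timeout (minutes) of the entry created by
 ! access-enable; the absolute limit comes from the ACL line above.
 autocommand access-enable host timeout 5
```

With this layout the user first telnets to 192.0.2.1 and authenticates, which triggers access-enable and installs a temporary entry for his host; SYNs that the entry permits are then handled by TCP intercept. Neither intercept timer removes an established session on its own: the absolute cut-off is the `timeout 60` on the dynamic entry, and the `timeout 5` in the autocommand only ends the entry early when the user goes idle. Verify the running state with `show tcp intercept connections`, `show tcp intercept statistics` and `show access-lists` (the dynamic entries appear under ACL 102 while they are active).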



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:04 GMT-3