From: ying chang (ying_c@xxxxxxxxxxx)
Date: Wed Apr 10 2002 - 20:21:16 GMT-3
Can you let us know why you think you don't have the answer already? I'd do
the same thing based on my limited interpretation capability:
ip tcp intercept list 101
ip tcp intercept mode watch <--- send RST to drop half-open connection if
they don't make it in 30 secs
...
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2 <---
watch subnet 123.4.5.0 to server 192.168.1.2 (numbered extended ACL; the
"ip access-list" form takes a name, not a number)
I don't think the tcp intercept options like max-incomplete high/low,
one-minute high/low fit the bill here. I wouldn't use them unless they are
specifically asked for.
Chang
>From: "scott mann" <smann0762@hotmail.com>
>Reply-To: "scott mann" <smann0762@hotmail.com>
>To: tsabry@houston.sns.slb.com, tsabry@slb.com, ccielab@groupstudy.com
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 15:12:44 -0700
>
>My requirement is to stop a TCP SYN attack from one subnet to a server on
>another. This is why I chose to use TCP intercept. However, I am also
>required to enforce an absolute timeout, but I don't know of any other way
>besides using a Dynamic access-list and mixing the two together.
>
>Thanks for your help.
>
>
>>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
>>To: "'scott mann'" <smann0762@hotmail.com>, tsabry@slb.com,
>>ccielab@groupstudy.com
>>Subject: RE: IP TCP Intercept question
>>Date: Wed, 10 Apr 2002 15:27:23 -0500
>>
>>According to what I understand, this feature is for preventing DOS attacks
>>created by floods of *unsuccessful* connections. I think you might need
>>something else to achieve what you're looking for. Maybe someone can
>>enlighten us about anything that can be done on the Cisco equipment to
>>handle this.
>>
>>Sorry
>>Tarek
>>
>>-----Original Message-----
>>From: scott mann [mailto:smann0762@hotmail.com]
>>Sent: Wednesday, April 10, 2002 3:08 PM
>>To: tsabry@slb.com; ccielab@groupstudy.com
>>Subject: RE: IP TCP Intercept question
>>
>>
>>
>>Yes, but I would like to timeout the connection even if the user DOES
>>establish the connection...I want an absolute timeout.
>>
>>Thanks
>>
>>
>> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
>> >Reply-To: tsabry@slb.com
>> >To: 'scott mann' <smann0762@hotmail.com>, ccielab@groupstudy.com
>> >Subject: RE: IP TCP Intercept question
>> >Date: Wed, 10 Apr 2002 14:58:41 -0500
>> >
>> >Scott
>> >
>> >It seems that what you need is to set the "watch-timeout" and not the
>> >"connection-timeout". The former is defined as the "time allowed to
>> >reach established state". So if the user fails to establish the
>> >connection after this timeout, the router sends a reset to the server to
>> >drop the connection.
>> >
>> >So the right command (in my humble opinion) would be:
>> >
>> >"ip tcp intercept watch-timeout [seconds]"
>> >
>> >It sounds misleading to use the "watch" timeout when in "intercept"
>> >mode, but that's what the documentation says!
>> >
>> >Let's hear from experts too ....
>> >
>> >Tarek
>> >
>> >
>> >-----Original Message-----
>> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> >scott mann
>> >Sent: Wednesday, April 10, 2002 2:24 PM
>> >To: ccielab@groupstudy.com
>> >Subject: IP TCP Intercept question
>> >
>> >
>> >Can anyone tell me if using the below command will disconnect the
>> >user/connection or simply cause the router to stop managing (keeping
>> >stats or control of) the user/connection. I want to disconnect the
>> >user/connection after a specific timeout period regardless of his
>> >authentication/TCP status.
>> >
>> >"ip tcp intercept connection-timeout [seconds]"
>> >
>> >Below is the Cisco Link, but it is not specific.
>> >
>> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
>> >
>> >Thanks,
>> >Lab in 2 days.
>> >
>> >
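Added example (not part of this thread and not taken from Cisco's documentation): an IOS configuration that puts the two mechanisms discussed above side by side, so the difference between the TCP intercept timers and an absolute session timeout is visible in one place. Part 1 is TCP intercept in watch mode protecting the server; its watch-timeout only clears half-open handshakes, and its connection-timeout only stops the router tracking an idle established connection rather than tearing it down. Part 2 is a lock-and-key dynamic ACL, which is the only piece here that actually drops an established user after a fixed lifetime. The addresses, ACL numbers, the dynamic ACL name ABSOLUTE-10MIN, the router address 10.0.0.1, the username and password, the interface name and the timer values are placeholders I chose to mirror the scenario in the thread.

```cisco
! Added example, not from the thread. Addresses, ACL numbers, names,
! interface and timer values are placeholders.
!
! --- Part 1: TCP intercept in watch mode, protecting 192.168.1.2 from
! --- SYN floods sourced from 123.4.5.0/24.
!
! Extended ACL selecting which SYNs to watch: source = the subnet the
! attack comes from, destination = the server being protected.
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
!
ip tcp intercept list 101
! watch mode: the SYN is passed through; the router only steps in if the
! handshake does not complete.
ip tcp intercept mode watch
! watch-timeout: seconds allowed to reach ESTABLISHED. On expiry the router
! sends a RST to the server to clear the half-open connection (default 30).
ip tcp intercept watch-timeout 30
! connection-timeout: seconds an ESTABLISHED connection stays under
! intercept management with no activity (default 86400). On expiry the
! router merely stops tracking it; the session is not reset, so this is
! not an absolute timeout.
ip tcp intercept connection-timeout 86400
!
! --- Part 2: lock-and-key (dynamic ACL) to enforce an absolute session
! --- lifetime regardless of TCP state. Applied inbound on the interface
! --- facing 123.4.5.0/24.
!
! Dynamic entry: "timeout 10" is the ABSOLUTE timeout in minutes. When it
! expires the temporary entry is removed and the user's packets to the
! server are dropped, whether or not a TCP session is still established.
access-list 102 dynamic ABSOLUTE-10MIN timeout 10 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
! Users must be able to telnet to the router (placeholder address 10.0.0.1)
! to authenticate and trigger the temporary entry.
access-list 102 permit tcp 123.4.5.0 0.0.0.255 host 10.0.0.1 eq telnet
! Until a user authenticates, that subnet cannot reach the server at all.
access-list 102 deny tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
access-list 102 permit ip any any
!
! Placeholder credentials. access-enable creates the temporary entry for
! the authenticating host; "timeout 5" here is the IDLE timeout in minutes
! and should be shorter than the absolute timeout above.
username labuser password 0 labpass
username labuser autocommand access-enable host timeout 5
!
line vty 0 4
 login local
!
interface Ethernet0
 description inbound from 123.4.5.0/24
 ip access-group 102 in
```

To verify the two parts behave as described, "show tcp intercept connections" and "show tcp intercept statistics" show which handshakes are being watched and how many were reset, while "show access-lists 102" shows the temporary entry appearing after a user authenticates and disappearing when either the idle or the absolute timer runs out.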
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:04 GMT-3