From: scott mann (smann0762@xxxxxxxxxxx)
Date: Thu Apr 11 2002 - 01:59:32 GMT-3
The requirement is a hypothetical lab scenario, not a real-world example. I
need TCP SYN attack protection and an absolute timeout value on the
connection--for example 5 1/2 minutes. I think TCP intercept with a dynamic
access-list is the only answer, but it seems like I shouldn't have to combine
two different methods together to solve this scenario.
>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
>To: "'Lupi, Guy'" <Guy.Lupi@eurekaggn.com>, "'ying chang '"
><ying_c@hotmail.com>, smann0762@hotmail.com, tsabry@slb.com,
>ccielab@groupstudy.com
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 22:47:59 -0500
>
>I agree with Guy that CBAC should be used here. Now if the requirement is
>to disconnect after a period of time whether active or passive then that's a
>bit odd. Again, Guy has thrown in some creative ideas, but I'm not sure if
>they address your specific situation or not. My guess is that you just need
>to get rid of those idle sessions.
>
>You may want to give us some more info.
>
>Tarek
>
>-----Original Message-----
>From: Lupi, Guy [mailto:Guy.Lupi@eurekaggn.com]
>Sent: Wednesday, April 10, 2002 8:09 PM
>To: 'ying chang '; 'smann0762@hotmail.com '; 'tsabry@houston.sns.slb.com
>'; 'tsabry@slb.com '; 'ccielab@groupstudy.com '
>Subject: RE: IP TCP Intercept question
>
>
>I think that based on the requirement CBAC may be a better answer here. I
>don't believe that you can specify a timeout on completed successful
>sessions with TCP intercept. With CBAC however, you do have the ability to
>use the "ip inspect tcp idle-time", the default is 3600 seconds, but you
>can lower it to whatever you want. This will cause the router to close a
>session that has been open and idle for the specified amount of time. This
>only specifies the time that a session is idle before it times out however,
>if the connection is active I don't believe that the timeout applies, it
>must be idle. You can also specify it on a per-rule basis. CBAC also has
>a DOS attack prevention method. If the requirement truly is to disconnect
>tcp sessions after a period of time, active or not, then you may have to use a
>dynamic access-list, but the user would have to telnet to the router to
>initiate the dynamic rule. How long is the absolute timeout supposed to
>be? You could use tcp intercept and an access list that references a time
>range. If the timeout was say an hour, you could do something like this. Based on
>the time range, sessions would last 59 minutes, be disconnected, and then
>be allowed again after a minute for another 59 minutes. This seems a little
>ridiculous, unless the absolute timeout is like 6 hours.
>
>
>access-list 101 permit tcp any any time-range blah
>!
>time-range blah
> periodic daily 0:01 to 1:00
> periodic daily 1:01 to 2:00
> periodic daily 2:01 to 3:00
> periodic daily 3:01 to 4:00
>
>
>
>
>
>-----Original Message-----
>From: ying chang
>To: smann0762@hotmail.com; tsabry@houston.sns.slb.com; tsabry@slb.com;
>ccielab@groupstudy.com
>Sent: 4/10/2002 7:21 PM
>Subject: RE: IP TCP Intercept question
>
>Can you let us know why you think you don't have the answer already? I'd
>do the same thing based on my limited interpretation capability:
>
>ip tcp intercept list 101
>ip tcp intercept mode watch   <--- send rst to drop half open connection if they don't make it in 30 secs
>
>...
>
>access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2   <--- watch subnet 123.4.5.0 to server 192.168.1.2
>
>I don't think the tcp intercept options like max-incomplete high/low,
>one-minute high/low fit the bill here. I wouldn't use them unless they
>are specifically asked.
>
>Chang
>
>
>
> >From: "scott mann" <smann0762@hotmail.com>
> >Reply-To: "scott mann" <smann0762@hotmail.com>
> >To: tsabry@houston.sns.slb.com, tsabry@slb.com, ccielab@groupstudy.com
> >Subject: RE: IP TCP Intercept question
> >Date: Wed, 10 Apr 2002 15:12:44 -0700
> >
> >My requirement is to stop a TCP SYN attack from one subnet to a server
> >on another. This is why I chose to use TCP intercept. However, I am also
> >required to enforce an absolute timeout, but I don't know of any other
> >way besides using a Dynamic access-list, and mix the two together.
> >
> >Thanks for your help.
> >
> >
> >>From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
> >>To: "'scott mann'" <smann0762@hotmail.com>, tsabry@slb.com,
> >>ccielab@groupstudy.com
> >>Subject: RE: IP TCP Intercept question
> >>Date: Wed, 10 Apr 2002 15:27:23 -0500
> >>
> >>According to what I understand, this feature is for preventing DOS
> >>attacks created by floods of *unsuccessful* connections. I think you might
> >>need something else to achieve what you're looking for. Maybe someone can
> >>enlighten us about anything that can be done on the Cisco equipment to
> >>handle this.
> >>
> >>Sorry
> >>Tarek
> >>
> >>-----Original Message-----
> >>From: scott mann [mailto:smann0762@hotmail.com]
> >>Sent: Wednesday, April 10, 2002 3:08 PM
> >>To: tsabry@slb.com; ccielab@groupstudy.com
> >>Subject: RE: IP TCP Intercept question
> >>
> >>
> >>
> >>Yes, but I would like to timeout the connection even if the user DOES
> >>establish the connection...I want an absolute timeout.
> >>
> >>Thanks
> >>
> >>
> >> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >> >Reply-To: tsabry@slb.com
> >> >To: 'scott mann' <smann0762@hotmail.com>, ccielab@groupstudy.com
> >> >Subject: RE: IP TCP Intercept question
> >> >Date: Wed, 10 Apr 2002 14:58:41 -0500
> >> >
> >> >Scott
> >> >
> >> >It seems that what you need is to set the "watch-timeout" and not
> >> >the "connection-timeout". The former is defined as the "time allowed to
> >> >reach established state". So if the user fails to establish the connection
> >> >after this timeout, the router sends a reset to the server to drop the
> >> >connection.
> >> >
> >> >So the right command (in my humble opinion) would be:
> >> >
> >> >"ip tcp intercept watch-timeout [seconds]"
> >> >
> >> >It sounds misleading to use the "watch" timeout when in "intercept"
> >> >mode, but that's what the documentation says!
> >> >
> >> >Let's hear from experts too ....
> >> >
> >> >Tarek
> >> >
> >> >
> >> >-----Original Message-----
> >> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> >> >Of scott mann
> >> >Sent: Wednesday, April 10, 2002 2:24 PM
> >> >To: ccielab@groupstudy.com
> >> >Subject: IP TCP Intercept question
> >> >
> >> >
> >> >Can anyone tell me if using the below command will disconnect the
> >> >user/connection or simply cause the router to stop managing (keeping
> >> >stats or control of) the user/connection. I want to disconnect the
> >> >user/connection after a specific timeout period regardless of his
> >> >authentication/TCP status.
> >> >
> >> >"ip tcp intercept connection-timeout [seconds]"
> >> >
> >> >Below is the Cisco Link, but it is not specific.
> >> >
> >> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
> >> >
> >> >Thanks,
> >> >Lab in 2 days.
> >> >
> >> >
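Added configuration example (not posted by anyone in this thread) that puts the three mechanisms the replies compare side by side on one IOS router: TCP intercept in watch mode with its watch-timeout against the SYN flood, a CBAC inspection rule with an idle timeout, and a lock-and-key dynamic ACL whose "timeout" keyword is an absolute lifetime rather than an idle timer. It reuses the 123.4.5.0/24 source subnet and the 192.168.1.2 server from Chang's reply; the interface name and address, the FW_TCP rule name, the username/password, the SERVER_ACCESS entry name and the threshold values are assumptions. Dynamic ACL timeouts are whole minutes, so "timeout 6" is the closest setting to the 5 1/2 minutes in the scenario. Which of the three a given lab wants is exactly what the thread is arguing about; the example only shows the knobs each one exposes.

```cisco
! --- 1. TCP intercept (SYN flood protection) ------------------------------
! Watch mode lets the SYN through and only steps in if the handshake has not
! completed within watch-timeout; intercept mode would instead proxy the
! three-way handshake for every connection matched by list 101.
ip tcp intercept list 101
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
! connection-timeout is how long intercept keeps managing an established
! connection after no activity (default 24 hours); it is an idle timer on
! intercept's own bookkeeping, not an absolute session limit.
ip tcp intercept connection-timeout 86400
! Aggressive mode: above "high" the router starts dropping half-open
! connections (oldest first here) until the count falls below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Only traffic from the watched subnet toward the server is intercepted.
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
!
! --- 2. CBAC alternative (idle timeout + half-open limits) ----------------
! FW_TCP is an assumed rule name. The per-rule "timeout" and the global
! "ip inspect tcp idle-time" are both idle timers: an active session is not
! torn down when they expire. synwait-time plays the role of watch-timeout.
ip inspect name FW_TCP tcp timeout 330
ip inspect tcp idle-time 330
ip inspect tcp synwait-time 30
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect tcp max-incomplete host 50 block-time 0
!
interface FastEthernet0/0
 description assumed inside interface facing 123.4.5.0/24
 ip address 123.4.5.1 255.255.255.0
 ip inspect FW_TCP in
 ip access-group 102 in
!
! --- 3. Lock-and-key dynamic ACL (absolute timeout, in minutes) -----------
! The user telnets to the router and authenticates; access-enable then
! creates the temporary entry. "timeout 6" on the dynamic entry is the
! absolute lifetime of that entry; "timeout 2" on access-enable is an idle
! timer. Both values are minutes. Credentials below are placeholders.
username labuser password 0 labpass
access-list 102 permit tcp 123.4.5.0 0.0.0.255 host 123.4.5.1 eq telnet
access-list 102 dynamic SERVER_ACCESS timeout 6 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
!
line vty 0 4
 login local
 autocommand access-enable host timeout 2
```

To check which mechanism is actually acting on a session, "show tcp intercept connections" lists what intercept is watching or has completed, "show ip inspect sessions" shows the CBAC state table, and "show access-lists 102" shows the dynamic entry with its remaining time once a user has authenticated.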
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:04 GMT-3