From: Jason Sinclair (sinclairj@xxxxxxxxxxxxxxx)
Date: Thu Apr 11 2002 - 02:32:48 GMT-3
All,

Use the connection-timeout option and lab it up. See if it disconnects your
session after the specified time. If it does you have your answer. Then try
the watch-timeout and see what happens. This is the best way to learn this
stuff: by seeing what happens when you do it. In this case you only need one
router and a couple of PCs to test.

Cheers,

Jason Sinclair CCIE #9100
Manager, Network Support Group
POWERTEL
Ground Level, 55 Clarence Street,
SYDNEY NSW 2000
AUSTRALIA
office: + 61 2 8264 3820
mobile: + 61 416 105 858
email: sinclairj@powertel.com.au
-----Original Message-----
From: scott mann [mailto:smann0762@hotmail.com]
Sent: Thursday, 11 April 2002 15:00
To: tsabry@houston.sns.slb.com; Guy.Lupi@eurekaggn.com; ying_c@hotmail.com; tsabry@slb.com; ccielab@groupstudy.com
Subject: RE: IP TCP Intercept question

The requirement is a hypothetical lab scenario, not a real-world example. I
need TCP SYN attack protection and an absolute timeout value on the
connection--for example 5 1/2 minutes. I think TCP intercept with a dynamic
access-list is the only answer, but it seems like I shouldn't have to combine
two different methods together to solve this scenario.
>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
>To: "'Lupi, Guy'" <Guy.Lupi@eurekaggn.com>, "'ying chang '" <ying_c@hotmail.com>, smann0762@hotmail.com, tsabry@slb.com, ccielab@groupstudy.com
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 22:47:59 -0500
>
>I agree with Guy that CBAC should be used here. Now if the requirement is to
>disconnect after a period of time whether active or passive then that's a
>bit odd. Again, Guy has thrown in some creative ideas, but I'm not sure if
>they address your specific situation or not. My guess is that you just need
>to get rid of those idle sessions.
>
>You may want to give us some more info.
>
>Tarek
>
>-----Original Message-----
>From: Lupi, Guy [mailto:Guy.Lupi@eurekaggn.com]
>Sent: Wednesday, April 10, 2002 8:09 PM
>To: 'ying chang '; 'smann0762@hotmail.com '; 'tsabry@houston.sns.slb.com '; 'tsabry@slb.com '; 'ccielab@groupstudy.com '
>Subject: RE: IP TCP Intercept question
>
>I think that based on the requirement CBAC may be a better answer here. I
>don't believe that you can specify a timeout on completed successful
>sessions with TCP intercept. With CBAC however, you do have the ability to
>use the "ip inspect tcp idle-time"; the default is 3600 seconds, but you can
>lower it to whatever you want. This will cause the router to close a
>session that has been open and idle for the specified amount of time. This
>only specifies the time that a session is idle before it times out, however;
>if the connection is active I don't believe that the timeout applies, it
>must be idle. You can also specify it on a per-rule basis. CBAC also has a
>DOS attack prevention method. If the requirement truly is to disconnect TCP
>sessions after a period of time, active or not, then you may have to use a
>dynamic access-list, but the user would have to telnet to the router to
>initiate the dynamic rule. How long is the absolute timeout supposed to be?
>
>You could use TCP intercept and an access list that references a time range.
>If the timeout was say an hour, you could do something like this. Based on
>the time range, sessions would last 59 minutes, be disconnected, and then be
>allowed again after a minute for another 59 minutes. This seems a little
>ridiculous, unless the absolute timeout is like 6 hours.
>
>access-list 101 permit tcp any any time-range blah
>!
>time-range blah
> periodic daily 0:01 to 1:00
> periodic daily 1:01 to 2:00
> periodic daily 2:01 to 3:00
> periodic daily 3:01 to 4:00
>
>-----Original Message-----
>From: ying chang
>To: smann0762@hotmail.com; tsabry@houston.sns.slb.com; tsabry@slb.com; ccielab@groupstudy.com
>Sent: 4/10/2002 7:21 PM
>Subject: RE: IP TCP Intercept question
>
>Can you let us know why you think you don't have the answer already? I'd do
>the same thing based on my limited interpretation capability:
>
>ip tcp intercept list 101
>ip tcp intercept mode watch <--- send rst to drop half open connection if
>they don't make it in 30 secs
>
>...
>
>access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2 <---
>watch subnet 123.4.5.0 to server 192.168.1.2
>
>I don't think the tcp intercept options like max-incomplete high/low,
>one-minute high/low fit the bill here. I wouldn't use them unless they are
>specifically asked.
>
>Chang
>
> >From: "scott mann" <smann0762@hotmail.com>
> >Reply-To: "scott mann" <smann0762@hotmail.com>
> >To: tsabry@houston.sns.slb.com, tsabry@slb.com, ccielab@groupstudy.com
> >Subject: RE: IP TCP Intercept question
> >Date: Wed, 10 Apr 2002 15:12:44 -0700
> >
> >My requirement is to stop a TCP SYN attack from one subnet to a server on
> >another. This is why I chose to use TCP intercept. However, I am also
> >required to enforce an absolute timeout, but I don't know of any other way
> >besides using a dynamic access-list, and mixing the two together.
> >
> >Thanks for your help.
> >
> >>From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
> >>To: "'scott mann'" <smann0762@hotmail.com>, tsabry@slb.com, ccielab@groupstudy.com
> >>Subject: RE: IP TCP Intercept question
> >>Date: Wed, 10 Apr 2002 15:27:23 -0500
> >>
> >>According to what I understand, this feature is for preventing DOS attacks
> >>created by floods of *unsuccessful* connections. I think you might need
> >>something else to achieve what you're looking for. Maybe someone can
> >>enlighten us about anything that can be done on the Cisco equipment to
> >>handle this.
> >>
> >>Sorry
> >>Tarek
> >>
> >>-----Original Message-----
> >>From: scott mann [mailto:smann0762@hotmail.com]
> >>Sent: Wednesday, April 10, 2002 3:08 PM
> >>To: tsabry@slb.com; ccielab@groupstudy.com
> >>Subject: RE: IP TCP Intercept question
> >>
> >>Yes, but I would like to timeout the connection even if the user DOES
> >>establish the connection...I want an absolute timeout.
> >>
> >>Thanks
> >>
> >> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >> >Reply-To: tsabry@slb.com
> >> >To: 'scott mann' <smann0762@hotmail.com>, ccielab@groupstudy.com
> >> >Subject: RE: IP TCP Intercept question
> >> >Date: Wed, 10 Apr 2002 14:58:41 -0500
> >> >
> >> >Scott
> >> >
> >> >It seems that what you need is to set the "watch-timeout" and not the
> >> >"connection-timeout". The former is defined as the "time allowed to reach
> >> >established state". So if the user fails to establish the connection after
> >> >this timeout, the router sends a reset to the server to drop the
> >> >connection.
> >> >
> >> >So the right command (in my humble opinion) would be:
> >> >
> >> >"ip tcp intercept watch-timeout [seconds]"
> >> >
> >> >It sounds misleading to use the "watch" timeout when in "intercept" mode,
> >> >but that's what the documentation says!
> >> >
> >> >Let's hear from experts too ....
> >> >
> >> >Tarek
> >> >
> >> >-----Original Message-----
> >> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of scott mann
> >> >Sent: Wednesday, April 10, 2002 2:24 PM
> >> >To: ccielab@groupstudy.com
> >> >Subject: IP TCP Intercept question
> >> >
> >> >Can anyone tell me if using the below command will disconnect the
> >> >user/connection or simply cause the router to stop managing (keeping stats
> >> >or control of) the user/connection. I want to disconnect the
> >> >user/connection after a specific timeout period regardless of his
> >> >authentication/TCP status.
> >> >
> >> >"ip tcp intercept connection-timeout [seconds]"
> >> >
> >> >Below is the Cisco Link, but it is not specific.
> >> >
> >> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
> >> >
> >> >Thanks,
> >> >Lab in 2 days.
> >> >
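For anyone who wants to follow Jason's advice and lab this up, here is a one-router starting configuration. It is an added example, not taken from any message in the thread. It puts the two approaches discussed above side by side: TCP intercept in watch mode with the watch-timeout and connection-timeout timers Scott asked about, and a CBAC inspection rule with the TCP idle timeout Guy mentioned, followed by the show commands to observe what each timer actually does to a session. The interface names, the addresses on them, the inspection rule name ABS and the 330-second value (Scott's 5 1/2 minutes) are assumptions for the lab; the 123.4.5.0/24 client subnet and the 192.168.1.2 server come from Chang's message.

```cisco
! --- Approach 1: TCP intercept (SYN-flood protection) ---
! Watch mode lets the three-way handshake proceed normally but resets
! any connection that has not reached ESTABLISHED within watch-timeout.
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
ip tcp intercept list 101
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
! connection-timeout is documented by Cisco as how long TCP intercept keeps
! managing a connection after it goes quiet (default 86400 s = 24 hours).
! Setting it to 330 s is the experiment Jason proposes: open a session from
! a client PC, wait it out, and see whether the client's TCP session is torn
! down or whether the entry merely ages out of the intercept table.
ip tcp intercept connection-timeout 330
!
! --- Approach 2: CBAC inspection with a TCP idle timeout ---
! The inspection rule closes a TCP session that has been idle for the given
! time; a session with traffic flowing is not affected, so this is an idle
! timeout rather than the absolute timeout Scott is asking for.
ip inspect name ABS tcp timeout 330
!
interface FastEthernet0/0
 description client side (123.4.5.0/24), assumed lab addressing
 ip address 123.4.5.1 255.255.255.0
 ip inspect ABS in
!
interface FastEthernet0/1
 description server side (192.168.1.2), assumed lab addressing
 ip address 192.168.1.1 255.255.255.0
!
! --- What to look at while the timers run ---
! show tcp intercept connections    (half-open vs established entries and ages)
! show tcp intercept statistics
! show ip inspect sessions          (CBAC session table with idle counters)
! debug ip tcp intercept            (shows resets sent and timer expiry)
```

Run the two approaches one at a time rather than together, otherwise you cannot tell which feature closed the session; a continuous ping or a long file transfer from the client PC is the easiest way to keep a session active while you check whether either timer fires against it.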
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:05 GMT-3