From: cannonr (cannonr@attbi.com)
Date: Mon Apr 14 2003 - 09:36:55 GMT-3
If the specific goal is to block SYN floods, then use TCP intercept. In
your CBAC configuration, you would need an inbound ACL on int S0. This ACL
will usually permit ICMP and trace while blocking everything else. If you
only configure CBAC to inspect tcp, other IP protocols will not work. So if
your goal is to prevent SYN floods only, use TCP intercept. CBAC is much
more complicated, so why use it if it isn't necessary?
HTH
----- Original Message -----
From: "wsqccie@hotnail.com" <wsqccie@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, April 13, 2003 6:50 AM
Subject: ip tcp intercept VS ip inspect tcp
> Hi, group
> IP TCP intercept and ip inspect tcp can both protect a server from a
> SYN-flooding attack by a set of timers and threshold values. Who can give a
> detailed comparison?
> BTW, a question asks: Someone is attacking a server in area 1;
> configure R1 to disconnect TCP connections, even those that live above 2.5
> minutes. I did it the two ways below; which is better?
>
> A. ip tcp intercept list 101
> ip tcp intercept connection-timeout 150 -------- I have doubts about the connection-timeout which is no not live 150s
> access-list 101 permit tcp any host x.x.x.x
>
> b. ip inspect tcp time-out 150
> ip inspect name test time-out 150
>
> int s0 ------> connects to area 1
> ip inspect test out
>
> Do I need acl for int s0?
>
> Regards!
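
Added example, not part of the original thread: the two approaches discussed above written out side by side in IOS configuration syntax, reusing the poster's list 101, inspection name test, 150-second value and x.x.x.x server placeholder. ACL 102 and its entries are assumptions that follow the reply's description of an inbound ACL on S0 permitting ICMP and blocking everything else.

```cisco
! ---- Option A: TCP intercept (SYN-flood protection only) ----
! Only TCP traffic to the server matched by list 101 is intercepted.
access-list 101 permit tcp any host x.x.x.x
ip tcp intercept list 101
! Stop managing a connection after 150 s (2.5 min) without activity.
ip tcp intercept connection-timeout 150
! No interface ACL is needed; other IP traffic is forwarded as before.

! ---- Option B: CBAC (stateful inspection) ----
! Global idle timer for inspected TCP sessions, 150 s.
ip inspect tcp idle-time 150
! Inspection rule "test" covering TCP, with a per-rule 150 s timeout.
ip inspect name test tcp timeout 150
!
! Inbound ACL on S0 (assumed number 102). CBAC opens temporary
! entries in it for return traffic of sessions it inspected.
! Assumption: no routing protocol runs across S0; if one does, it
! must be permitted here as well or adjacencies will drop.
access-list 102 permit icmp any any
access-list 102 deny ip any any
!
interface Serial0
 ! S0 faces area 1, where the server lives.
 ip access-group 102 in
 ip inspect test out
! With only "tcp" in the inspection rule, UDP and other protocols
! get no return entries in ACL 102 and will fail, as the reply notes.
```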