From: gladston@br.ibm.com
Date: Mon May 30 2005 - 10:41:48 GMT-3
Hi,
It seems the answer is here (and if this is correct, one of those books
is wrong about it):
Deal's book
=================
quoted
During a time of attack....For intercept mode, the router reduces the
initial retransmission timeout for SYN segments by half. For watch mode,
the router reduces the watch time automatically to half of the configured
value (if you are using the default of 30 seconds, it becomes 15 seconds)
Cisco says the same:
==================
quoted
The initial retransmission timeout is reduced by half to 0.5 seconds, and
so the total time trying to establish the connection is cut in half. (When
not in aggressive mode, the code does exponential back-off on its
retransmissions of SYN segments. The initial retransmission timeout is 1
second. The subsequent timeouts are 2 seconds, 4 seconds, 8 seconds, and
16 seconds. The code retransmits 4 times before giving up, so it gives up
after 31 seconds of no acknowledgment.)
If in watch mode, the watch timeout is reduced by half. (If the default is
in place, the watch timeout becomes 15 seconds.)
==================
So, my conclusion is:
--Intercept mode
IOS takes the command 'ip tcp intercept watch-timeout' but it is not
used.
When IOS receives a SYN packet, it answers on behalf of the server and
waits for an ACK from the attacker. IOS will wait 1 second and retransmit
the second packet of the three-way handshake, waiting for the ACK. IOS
will retransmit the SYN-ACK again after 2 seconds, 4 seconds, 8 seconds
and 16 seconds, waiting for the host ACK. This gives us a total of 31
seconds waiting for the attacker's answer. There is no answer, because this
is an attack, so IOS gives up after 31 seconds.
If in aggressive state, IOS will wait only 31/2 seconds.
There is no command to change this time.
--Watch mode
The default time IOS considers to complete a connection is 30 seconds.
It can be changed with the command 'ip tcp intercept watch-timeout'.
If IOS does not 'see' the three-way handshake completed after 30 seconds,
it sends a reset to the attacker.
In aggressive state, IOS will wait 30/2 (or whatever was configured with
'ip tcp intercept watch-timeout' divided by 2).
Do you agree?
Cordially
------------------------------------------------------------------
Alaerte Gladston Vidali
IBM Global Services - SO
Tel.55+11+2121-2879 Fax:55+11+2121-2449
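A small model of the two timers exactly as this thread lays them out, added here as an example (it is not IOS code and not from either book): the SYN-ACK retransmission schedule, the 4-retransmit limit and the 30-second watch-timeout default come from the quoted passages; the half-open connection list is constructed.

```python
"""Model of how long IOS TCP Intercept holds a half-open connection before
it sends a reset, per the figures quoted in this thread. Constructed example."""

INITIAL_RTO = 1.0           # seconds, first SYN-ACK retransmission timeout
RETRANSMITS = 4             # IOS retransmits 4 times before giving up
DEFAULT_WATCH_TIMEOUT = 30  # seconds, 'ip tcp intercept watch-timeout' default


def intercept_schedule(aggressive=False):
    """Intercept mode: router answers the SYN itself and retransmits the
    SYN-ACK with exponential back-off. Returns (retransmit offsets, give-up
    time) in seconds after the first SYN-ACK; watch-timeout plays no role."""
    rto = INITIAL_RTO / 2 if aggressive else INITIAL_RTO  # aggressive halves it
    elapsed, offsets = 0.0, []
    for _ in range(RETRANSMITS):
        elapsed += rto
        offsets.append(elapsed)
        rto *= 2  # exponential back-off: 1, 2, 4, 8, 16
    give_up = elapsed + rto  # last timeout expires with no further retransmit
    return offsets, give_up


def watch_give_up(watch_timeout=DEFAULT_WATCH_TIMEOUT, aggressive=False):
    """Watch mode: router only observes; the half-open connection is reset
    once watch-timeout (halved when aggressive) passes without a handshake."""
    return watch_timeout / 2 if aggressive else watch_timeout


def reset_times(half_open, mode, aggressive=False,
                watch_timeout=DEFAULT_WATCH_TIMEOUT):
    """half_open: list of (client, time_of_syn). Returns {client: reset time}."""
    if mode == "intercept":
        _, hold = intercept_schedule(aggressive)
    elif mode == "watch":
        hold = watch_give_up(watch_timeout, aggressive)
    else:
        raise ValueError("mode must be 'intercept' or 'watch'")
    return {client: syn_at + hold for client, syn_at in half_open}


if __name__ == "__main__":
    # Constructed sample: two clients whose SYNs never complete the handshake.
    pending = [("client-a", 0.0), ("client-b", 2.0)]
    for mode in ("intercept", "watch"):
        for aggressive in (False, True):
            print(mode, "aggressive" if aggressive else "normal",
                  reset_times(pending, mode, aggressive))
```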
Gajewski Mariusz - TP POLPAK <Mariusz.Gajewski@telekomunikacja.pl>
30/05/2005 04:24
To: Alaerte Gladston Vidali/Brazil/IBM@IBMBR, ccielab@groupstudy.com
cc:
Subject: RE: Intercept Mode Intercept and Watch-Timeout
Hi,
I will add a third one ;)
Cisco Press : Cisco Router Firewall Security : "The ip tcp intercept
watch-timeout command specifies the maximum length of time that the router
will wait, in watch mode, for a TCP connection to complete the three-way
handshake. This value defaults to 30 seconds. If the connection is not
reached in this time period, the router sends a reset to the server
(destination)"
HTH
Mariusz
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Monday, May 30, 2005 3:29 AM
To: ccielab@groupstudy.com
Subject: Intercept Mode Intercept and Watch-Timeout
Hi,
Trying to understand if watch-timeout is applicable to intercept mode and/or
watch mode.
One book says it should be used for watch mode and the other book uses it for
intercept mode.
What do you think?
==================
quoted
If Intercept is configured to run in watch mode, configure the amount of
time it will wait for a watched connection to an established state before
terminating the connection. Use this command to do so:
ip tcp intercept watch-timeout <seconds>
Cisco Network Security Little Black Book
===================
This book shows an example where watch-timeout is configured for intercept
mode:
===================
quoted
ip tcp intercept watch-timeout 20
!Sets the time in seconds (20) for a partially opened connection to complete
!the connection sequence before sending a reset command to the local host.
Cisco. Secure Internet Security Solutions
===================
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3