From: gladston@br.ibm.com
Date: Mon May 30 2005 - 13:32:45 GMT-3
Hi,
Debug confirms the DOC CD and Deal's book statement:
- First, intercept mode is configured. It takes 30 seconds to send a reset.
- Then, watch-timeout is configured to 1 second. It has no effect.
- Then, intercept mode is changed to watch. After 1 second IOS sends a
reset.
- Then, watch-timeout is configured back to default. IOS takes 30 seconds
to send a reset.
- Then, debug with intercept mode, during aggressive state. It is possible
to see here the reduction of the initial retransmission timeout (total time
trying to establish the connection is cut in half), and deletion of the oldest
half-open connections. The time is 21:01:26.
- Then, debug with watch mode under aggressive state. Here it is possible
to see that the watch-timeout was cut by half, besides dropping
connections. It is at time 22:37:33.
r4#sh run | i intercept
ip tcp intercept list 121
ip tcp intercept max-incomplete low 1
ip tcp intercept max-incomplete high 2
r4#
*Mar 10 20:34:11.605: INTERCEPT: new connection (172.16.34.3:11727 SYN ->
172.16.48.8:23)
*Mar 10 20:34:11.617: INTERCEPT(*): (172.16.34.3:11727 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 20:34:12.613: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:11727 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:34:14.613: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:11727 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:34:18.613: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:11727 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:34:26.613: INTERCEPT(*): SYNRCVD retransmit 4
(172.16.34.3:11727 <- ACK+SYN 172.16.48.8:23)
*Mar 10 20:34:42.613: INTERCEPT: SYNRCVD retransmitting too long
(172.16.34.3:11727 <-> 172.16.48.8:23)
*Mar 10 20:34:42.617: INTERCEPT(*): (172.16.34.3:11727 <- RST
172.16.48.8:23)
r4(config)#ip tcp intercept watch-timeout 1
*Mar 10 20:36:44.721: INTERCEPT: new connection (172.16.34.3:11728 SYN ->
172.16.48.8:23)
*Mar 10 20:36:44.729: INTERCEPT(*): (172.16.34.3:11728 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 20:36:45.729: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:11728 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:36:47.729: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:11728 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:36:51.729: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:11728 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:36:59.733: INTERCEPT(*): SYNRCVD retransmit 4
(172.16.34.3:11728 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 20:37:15.729: INTERCEPT: SYNRCVD retransmitting too long
(172.16.34.3:11728 <-> 172.16.48.8:23)
*Mar 10 20:37:15.733: INTERCEPT(*): (172.16.34.3:11728 <- RST
172.16.48.8:23)
r4#
r4(config)#ip tc intercept mode watch
*Mar 10 20:38:30.333: INTERCEPT: new connection (172.16.34.3:11729 SYN ->
172.16.48.8:23)
*Mar 10 20:38:30.341: INTERCEPT: (172.16.34.3:11729 <- ACK+SYN
172.16.48.8:23)
*Mar 10 20:38:31.333: INTERCEPT: SYNRCVD timing out (172.16.34.3:11729 <->
172.16.48.8:23)
*Mar 10 20:38:31.337: INTERCEPT(*): (172.16.34.3:11729 RST ->
172.16.48.8:23)
r4#
*Mar 10 20:38:32.333: INTERCEPT: new connection (172.16.34.3:11729 SYN ->
172.16.48.8:23)
*Mar 10 20:38:32.341: INTERCEPT: (172.16.34.3:11729 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 20:38:33.337: INTERCEPT: SYNRCVD timing out (172.16.34.3:11729 <->
172.16.48.8:23)
*Mar 10 20:38:33.341: INTERCEPT(*): (172.16.34.3:11729 RST ->
172.16.48.8:23)
r4#
*Mar 10 20:38:36.333: INTERCEPT: new connection (172.16.34.3:11729 SYN ->
172.16.48.8:23)
*Mar 10 20:38:36.341: INTERCEPT: (172.16.34.3:11729 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 20:38:37.337: INTERCEPT: SYNRCVD timing out (172.16.34.3:11729 <->
172.16.48.8:23)
*Mar 10 20:38:37.341: INTERCEPT(*): (172.16.34.3:11729 RST ->
172.16.48.8:23)
r4#
r4(config)#ip tcp intercept watch-timeout 30
r4#
*Mar 10 20:39:41.169: INTERCEPT: new connection (172.16.34.3:11730 SYN ->
172.16.48.8:23)
*Mar 10 20:39:41.177: INTERCEPT: (172.16.34.3:11730 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 20:39:43.173: INTERCEPT: server packet passed in SYNRCVD
(172.16.34.3:11730 <- 172.16.48.8:23)
r4#
*Mar 10 20:39:47.173: INTERCEPT: server packet passed in SYNRCVD
(172.16.34.3:11730 <- 172.16.48.8:23)
*Mar 10 20:40:11.213: INTERCEPT: SYNRCVD timing out (172.16.34.3:11730 <->
172.16.48.8:23)
*Mar 10 20:40:11.217: INTERCEPT(*): (172.16.34.3:11730 RST ->
172.16.48.8:23)
r4#
----Intercept mode in aggressive status:
Mar 10 21:01:12.281: INTERCEPT: new connection (172.16.34.3:46083 SYN ->
172.16.48.8:23)
*Mar 10 21:01:12.293: INTERCEPT(*): (172.16.34.3:46083 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 21:01:13.289: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:14.445: INTERCEPT: new connection (172.16.34.3:11739 SYN ->
172.16.48.8:23)
*Mar 10 21:01:14.453: INTERCEPT(*): (172.16.34.3:11739 <- ACK+SYN
172.16.48.8:23)
*Mar 10 21:01:15.289: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:15.453: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:16.641: %TCP-6-INTERCEPT: getting aggressive, count (2/2) 1
min 0
r4#
*Mar 10 21:01:16.645: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:46083 <-> 172.16.48.8:23)
*Mar 10 21:01:16.653: INTERCEPT(*): (172.16.34.3:46083 <- RST
172.16.48.8:23)
*Mar 10 21:01:16.657: INTERCEPT: new connection (172.16.34.3:47106 SYN ->
172.16.48.8:23)
*Mar 10 21:01:16.665: INTERCEPT(*): (172.16.34.3:47106 <- ACK+SYN
172.16.48.8:23)
*Mar 10 21:01:17.165: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:17.453: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:18.165: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:18.453: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:11739 <-> 172.16.48.8:23)
*Mar 10 21:01:18.461: INTERCEPT(*): (172.16.34.3:11739 <- RST
172.16.48.8:23)
*Mar 10 21:01:18.465: INTERCEPT: new connection (172.16.34.3:46083 SYN ->
172.16.48.8:23)
*Mar 10 21:01:18.473: INTERCEPT(*): (172.16.34.3:46083 <- ACK+SYN
172.16.48.8:23)
*Mar 10 21:01:18.973: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:19.973: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:20.165: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:20.605: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:47106 <-> 172.16.48.8:23)
*Mar 10 21:01:20.609: INTERCEPT(*): (172.16.34.3:47106 <- RST
172.16.48.8:23)
*Mar 10 21:01:20.613: INTERCEPT: new connection (172.16.34.3:11739 SYN ->
172.16.48.8:23)
*Mar 10 21:01:20.625: INTERCEPT(*): (172.16.34.3:11739 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 21:01:21.121: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:21.989: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:22.121: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:22.653: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:46083 <-> 172.16.48.8:23)
*Mar 10 21:01:22.661: INTERCEPT(*): (172.16.34.3:46083 <- RST
172.16.48.8:23)
*Mar 10 21:01:22.665: INTERCEPT: new connection (172.16.34.3:47106 SYN ->
172.16.48.8:23)
*Mar 10 21:01:22.673: INTERCEPT(*): (172.16.34.3:47106 <- ACK+SYN
172.16.48.8:23)
*Mar 10 21:01:23.173: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:24.121: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:24.173: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:26.173: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:26.453: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:11739 <-> 172.16.48.8:23)
*Mar 10 21:01:26.461: INTERCEPT(*): (172.16.34.3:11739 <- RST
172.16.48.8:23)
*Mar 10 21:01:26.465: INTERCEPT: new connection (172.16.34.3:46083 SYN ->
172.16.48.8:23)
*Mar 10 21:01:26.473: INTERCEPT(*): (172.16.34.3:46083 <- ACK+SYN
172.16.48.8:23)
*Mar 10 21:01:26.973: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:27.973: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:28.605: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:47106 <-> 172.16.48.8:23)
*Mar 10 21:01:28.613: INTERCEPT(*): (172.16.34.3:47106 <- RST
172.16.48.8:23)
*Mar 10 21:01:28.617: INTERCEPT: new connection (172.16.34.3:11739 SYN ->
172.16.48.8:23)
*Mar 10 21:01:28.625: INTERCEPT(*): (172.16.34.3:11739 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 21:01:29.149: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:29.973: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:46083 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:30.149: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:30.653: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:46083 <-> 172.16.48.8:23)
*Mar 10 21:01:30.661: INTERCEPT(*): (172.16.34.3:46083 <- RST
172.16.48.8:23)
*Mar 10 21:01:30.665: INTERCEPT: new connection (172.16.34.3:47106 SYN ->
172.16.48.8:23)
*Mar 10 21:01:30.673: INTERCEPT(*): (172.16.34.3:47106 <- ACK+SYN
172.16.48.8:23)
*Mar 10 21:01:31.173: INTERCEPT(*): SYNRCVD retransmit 1
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:32.145: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
*Mar 10 21:01:32.209: INTERCEPT(*): SYNRCVD retransmit 2
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:34.205: INTERCEPT(*): SYNRCVD retransmit 3
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:36.145: INTERCEPT(*): SYNRCVD retransmit 4
(172.16.34.3:11739 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:38.205: INTERCEPT(*): SYNRCVD retransmit 4
(172.16.34.3:47106 <- ACK+SYN 172.16.48.8:23)
r4#
*Mar 10 21:01:44.145: INTERCEPT: SYNRCVD retransmitting too long
(172.16.34.3:11739 <-> 172.16.48.8:23)
*Mar 10 21:01:44.149: INTERCEPT(*): (172.16.34.3:11739 <- RST
172.16.48.8:23)
r4#
*Mar 10 21:01:46.205: INTERCEPT: SYNRCVD retransmitting too long
(172.16.34.3:47106 <-> 172.16.48.8:23)
*Mar 10 21:01:46.209: INTERCEPT(*): (172.16.34.3:47106 <- RST
172.16.48.8:23)
r4#
*Mar 10 21:01:46.213: %TCP-6-INTERCEPT: calming down, count (0/1) 1 min 4
----Watch mode under aggressive state
*Mar 10 22:37:14.404: INTERCEPT: new connection (172.16.34.3:49667 SYN ->
172.16.48.8:23)
*Mar 10 22:37:14.412: INTERCEPT: (172.16.34.3:49667 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 22:37:16.544: INTERCEPT: new connection (172.16.34.3:50178 SYN ->
172.16.48.8:23)
*Mar 10 22:37:16.552: INTERCEPT: (172.16.34.3:50178 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 22:37:18.568: %TCP-6-INTERCEPT: getting aggressive, count (2/2) 1
min 4
r4#
*Mar 10 22:37:18.572: INTERCEPT: Possible attack! Aborting half-open
connection SYNRCVD (172.16.34.3:49667 <-> 172.16.48.8:23)
*Mar 10 22:37:18.576: INTERCEPT(*): (172.16.34.3:49667 RST ->
172.16.48.8:23)
*Mar 10 22:37:18.580: INTERCEPT: new connection (172.16.34.3:11747 SYN ->
172.16.48.8:23)
*Mar 10 22:37:18.588: INTERCEPT: (172.16.34.3:11747 <- ACK+SYN
172.16.48.8:23)
r4#
*Mar 10 22:37:33.584: INTERCEPT: SYNRCVD timing out (172.16.34.3:11747 <->
172.16.48.8:23)
*Mar 10 22:37:33.588: INTERCEPT(*): (172.16.34.3:11747 RST ->
172.16.48.8:23)
r4#
*Mar 10 22:37:46.548: INTERCEPT: SYNRCVD timing out (172.16.34.3:50178 <->
172.16.48.8:23)
*Mar 10 22:37:46.552: INTERCEPT(*): (172.16.34.3:50178 RST ->
172.16.48.8:23)
r4#
*Mar 10 22:37:46.556: %TCP-6-INTERCEPT: calming down, count (0/1) 1 min 11
r4#
Cordially
------------------------------------------------------------------
Gladston
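As an added example (not part of the thread), a small Python parser that walks debug lines in the format posted above and reports, per client socket, why TCP Intercept reset the half-open connection and how long it was held. This is the check made by hand above (30 s in intercept mode, 1 s with watch-timeout 1, halved timers while aggressive); the sample events are constructed from the posted debug, joined to one event per line.

```python
import re
from datetime import datetime

# Constructed sample: events in the 'debug ip tcp intercept' format posted above,
# one event per line (the list wraps them), ports/timestamps taken from the thread.
SAMPLE = """\
*Mar 10 20:34:11.605: INTERCEPT: new connection (172.16.34.3:11727 SYN -> 172.16.48.8:23)
*Mar 10 20:34:12.613: INTERCEPT(*): SYNRCVD retransmit 1 (172.16.34.3:11727 <- ACK+SYN 172.16.48.8:23)
*Mar 10 20:34:42.613: INTERCEPT: SYNRCVD retransmitting too long (172.16.34.3:11727 <-> 172.16.48.8:23)
*Mar 10 20:34:42.617: INTERCEPT(*): (172.16.34.3:11727 <- RST 172.16.48.8:23)
*Mar 10 20:38:30.333: INTERCEPT: new connection (172.16.34.3:11729 SYN -> 172.16.48.8:23)
*Mar 10 20:38:31.333: INTERCEPT: SYNRCVD timing out (172.16.34.3:11729 <-> 172.16.48.8:23)
*Mar 10 20:38:31.337: INTERCEPT(*): (172.16.34.3:11729 RST -> 172.16.48.8:23)
*Mar 10 21:01:12.281: INTERCEPT: new connection (172.16.34.3:46083 SYN -> 172.16.48.8:23)
*Mar 10 21:01:16.641: %TCP-6-INTERCEPT: getting aggressive, count (2/2) 1 min 0
*Mar 10 21:01:16.645: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD (172.16.34.3:46083 <-> 172.16.48.8:23)
*Mar 10 21:01:16.653: INTERCEPT(*): (172.16.34.3:46083 <- RST 172.16.48.8:23)
*Mar 10 22:37:18.580: INTERCEPT: new connection (172.16.34.3:11747 SYN -> 172.16.48.8:23)
*Mar 10 22:37:33.584: INTERCEPT: SYNRCVD timing out (172.16.34.3:11747 <-> 172.16.48.8:23)
*Mar 10 22:37:33.588: INTERCEPT(*): (172.16.34.3:11747 RST -> 172.16.48.8:23)
"""

# Timestamp, INTERCEPT message text, and the client socket that opens the tuple.
LINE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
                  r"(?P<msg>INTERCEPT(?:\(\*\))?: [^(]*?)\s*\((?P<client>\d+(?:\.\d+){3}:\d+)")

def summarize(text):
    """Return {client socket: (reason for the RST, seconds held half-open, aggressive?)}."""
    opened, pending, results, aggressive = {}, {}, {}, False
    for raw in text.splitlines():
        if "%TCP-6-INTERCEPT" in raw:            # syslog state change, carries no socket tuple
            aggressive = "getting aggressive" in raw
            continue
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        msg, client = m["msg"], m["client"]
        if "new connection" in msg:              # intercepted SYN: start the clock
            opened[client] = ts
        elif "retransmitting too long" in msg:   # intercept mode gave up on the client
            pending[client] = "intercept: retransmit limit"
        elif "timing out" in msg:                # watch mode: watch-timeout expired
            pending[client] = "watch: watch-timeout expired"
        elif "Possible attack" in msg:           # aggressive mode dropping the oldest half-open
            pending[client] = "aggressive: oldest half-open dropped"
        elif "RST" in raw and client in opened:  # the reset closes the bookkeeping
            held = (ts - opened.pop(client)).total_seconds()
            results[client] = (pending.pop(client, "unknown"), round(held, 3), aggressive)
    return results
```

Run over the full debug above (after re-joining wrapped lines) the same function shows the watch-mode timer dropping from about 30 s to 15 s once the "getting aggressive" syslog message has appeared.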
Gajewski Mariusz - TP POLPAK <Mariusz.Gajewski@telekomunikacja.pl>
30/05/2005 04:24
To: Alaerte Gladston Vidali/Brazil/IBM@IBMBR, ccielab@groupstudy.com
cc:
Subject: RE: Intercept Mode Intercept and Watch-Timeout
Hi,
I will add a third one ;)
Cisco Press : Cisco Router Firewall Security : "The ip tcp intercept
watch-timeout command specifies the maximum length of time that the router
will wait, in watch mode, for a TCP connection to complete the three-way
handshake. This value defaults to 30 seconds. If the connection is not
reached in this time period, the router sends a reset to the server
(destination)"
HTH
Mariusz
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Monday, May 30, 2005 3:29 AM
To: ccielab@groupstudy.com
Subject: Intercept Mode Intercept and Watch-Timeout
Hi,
Trying to understand if watch-timeout is applicable to intercept mode and/or
watch mode.
One book says it should be used for watch mode and another book uses it for
intercept mode.
What do you think?
==================
quoted
If Intercept is configured to run in watch mode, configure the amount of
time it will wait for a watched connection to an established state before
terminating the connection. Use this command to do so:
ip tcp intercept watch-timeout <seconds>
Cisco Network Security Little Black Book
===================
This book shows an example where watch-timeout is configured for intercept
mode:
===================
quoted
ip tcp intercept watch-timeout 20
!Sets the time in seconds (20) for a partially opened connection to
complete
!the connection sequence before sending a reset command to the local host.
Cisco Secure Internet Security Solutions
===================
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3