RE: TCP intercept in intercept mode

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Mon Jul 10 2006 - 11:59:58 ART


Sorry, I pressed the send button too quickly.
This is part of Cisco Router Firewall Security by Richard A. Deal:

A TCP SYN flood attack is an easy attack to initiate. *The attacker sends a
flood of TCP SYN segments with no intention of completing the three-way
handshake for each of these connections*. Typically, the hacker combines
this with an IP spoofing attack in which the source addresses in the packet
are either invalid or someone else's address. Because these addresses cannot
be reached (or, if they are someone else's address, are not responded to),
the TCP server being attacked hangs in limbo with these half-open (commonly
called embryonic) connections. In this situation, the server must wait until
the TCP timeout expires for the connection before removing the connection
from its local connection table. This creates a problem because it uses up
resources on the TCP server, which might deny legitimate TCP connections.

TCP Intercept

User                      Router                      Server
  1 ------ SYN ------>             4 ------ SYN ------>
    <---- SYN/ACK --- 2              <---- SYN/ACK --- 5
  3 ------ ACK ------>             6 ------ ACK ------>
  <------------------ Bound Connection ------------------>

In that example, an external user is trying to access an internal server
using a TCP connection. The router intercepts this request and pretends to
be the internal server, completing the connection to the external user. Only
upon a successful three-way handshake with the external user (Steps 1
through 3 in the Figure) does the router set up a second TCP connection to
the server (Steps 4 through 6). The router then binds the two connections,
creating a single connection (Step 7).

Please excuse me for the spam.
Regards,
Victor.-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Victor
Cappuccio
Sent: Monday, July 10, 2006 10:29 a.m.
To: 'Radoslav Vasilev'; 'Cisco certification'
Subject: RE: TCP intercept in intercept mode

Hi Radoslav,

http://www.windowsecurity.com/whitepapers/Secure_IOS_Template_Version_22.html

Regards,
Victor.-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
Radoslav Vasilev
Sent: Monday, July 10, 2006 09:52 a.m.
To: Cisco certification
Subject: TCP intercept in intercept mode

Hi Group,

After checking cisco.com and the archives, I still can't understand whether the
following is at all possible or not:

A router is required to `act as a proxy` between the Internet and a local
web server. (IEWB lab14, task 9.1)
This brings us to the idea of intercept mode for the tcp intercept.

Let's say the web server is at:
access-list 102 permit tcp any host 167.1.4.119

ip tcp intercept list 102

! the default mode anyway
ip tcp intercept mode intercept

Now, what confuses me is: ``the router should send a reset for any tcp
session that have not reach the established state after 30 seconds``.

This confuses me, because from what I know about this feature, when the
router is in intercept mode, it receives the initial SYN, replies with
SYN+ACK to the client/attacker and waits for the reply (ACK). So, I believe that
in this mode the router will never send an RST to the client/attacker and, for
the purposes of internal maintenance, will delete the table entry when it
enters aggressive mode (when it needs to start deleting old entries, `ip tcp
intercept max-incomplete` reached, for example).

The IE solution suggests using ``ip tcp intercept watch-timeout``, but on CCO
this command is explicitly stated to be working for the passive (watch) mode
only:

<doc cd>
Use this command if you have set the TCP intercept to passive watch mode and
you want to change the default time the connection is watched. During
aggressive mode, the watch timeout time is cut in half.
</doc cd>

My questions:
- what is the right behaviour in tcp intercept mode (does the router send
  resets)?
- if it does - why the heck? The HTTP client is either too slow (that's
  highly unlikely even) or an attacker with a spoofed IP, so the RST would be
  lost anyway
- how is the internal maintenance organized in intercept mode - is it managed
  with the `ip tcp intercept max-incomplete` settings (or `ip tcp intercept
  one-minute ***`), or is the command `ip tcp intercept watch-timeout`
  applicable in intercept mode?

Thanks for your help!
Rado
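A toy Python model of the intercept-mode behaviour discussed in the two messages above (the router answering SYNs on the server's behalf, the half-open table, and aggressive mode once max-incomplete is exceeded), added here as an illustration; it is not part of the thread and not IOS code, and the thresholds, timeout and addresses are constructed values, not IOS defaults.

```python
# Toy model of IOS TCP intercept in intercept mode (constructed, not IOS code).
# The router answers each client SYN itself, holds a half-open (embryonic) entry
# until the client's ACK arrives, then opens the server side and binds both halves.
# Above the max-incomplete high mark it goes aggressive: each new SYN evicts the
# oldest half-open entry and the entry timeout is halved. Values are constructed.
from collections import OrderedDict

class TcpIntercept:
    def __init__(self, high=3, low=1, timeout=30.0):
        self.high, self.low, self.timeout = high, low, timeout
        self.embryonic = OrderedDict()  # (src, sport) -> time the SYN arrived
        self.bound = set()              # connections handed to the real server
        self.aggressive = False
        self.log = []                   # ("evict"|"timeout", key) events

    def _housekeeping(self, now):
        limit = self.timeout / 2 if self.aggressive else self.timeout
        for key, t in list(self.embryonic.items()):
            if now - t > limit:         # client never completed the handshake
                del self.embryonic[key]
                self.log.append(("timeout", key))
        n = len(self.embryonic)         # enter above high mark, leave below low mark
        self.aggressive = n > self.high or (self.aggressive and n >= self.low)

    def syn(self, src, sport, now):
        self._housekeeping(now)
        if self.aggressive and self.embryonic:
            oldest = next(iter(self.embryonic))
            del self.embryonic[oldest]  # aggressive mode: drop oldest half-open entry
            self.log.append(("evict", oldest))
        self.embryonic[(src, sport)] = now
        return "SYN/ACK"                # answered by the router, not the server

    def ack(self, src, sport, now):
        self._housekeeping(now)
        key = (src, sport)
        if key not in self.embryonic:
            return "NO-ENTRY"
        del self.embryonic[key]
        self.bound.add(key)             # router now completes steps 4-6 and binds
        return "BOUND"

def simulate():
    """Five spoofed SYNs with no ACK, one legitimate client, then a late SYN."""
    r = TcpIntercept()
    r.responses = [r.syn("10.0.0.%d" % i, 1000, float(i)) for i in range(1, 6)]
    r.responses.append(r.syn("192.0.2.7", 40000, 5.0))
    r.responses.append(r.ack("192.0.2.7", 40000, 5.1))
    r.responses.append(r.syn("10.0.0.6", 1000, 40.0))  # stale entries have aged out
    return r
```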



This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART