From: Gary Duncanson (gary.duncanson@googlemail.com)
Date: Fri Aug 03 2007 - 17:53:09 ART
Never used it in anger. I reckon you could do that though. Found these words
of advice on the web...
'If TCP Intercept is enabled, two concerns come to the fore.
First, do not use black hole routes. TCP Intercept is coded to handle a
SYN/ACK or RST, not silence. A simple DOS is possible if the router proxies
the TCP sockets and no one is there to answer the call on the other side.
Second, when paired with a firewall, ensure that the firewall will issue a
RST for denied services. The same reasoning as noted above applies here.'
www.cymru.com offer this advice concerning the secure IOS template.
http://www.cymru.com/Documents/secure-ios-template.htm
sic 'Black hole routes. Do not combine this with TCP Intercept;
in fact, don't use TCP Intercept at all'.
----- Original Message -----
From: "Guyler, Rik" <rguyler@shp-dayton.org>
To: <cisco@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Friday, August 03, 2007 7:41 PM
Subject: OT: TCP Intercept
> Just an OT question for the collective: are BGP routers a suitable
> location to run TCP Intercept?
>
> I would think that the edge of my network is a perfect place to try to
> defend against DOS attacks but I don't know what negative side effects
> might appear (if any) by doing this.
>
> ---
> Rik
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
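The two cautions quoted above (no black-hole routes behind TCP Intercept, and a firewall that answers denied ports with a RST rather than silence) are easier to see against a concrete configuration. The IOS fragment below is an added example for this archive page, not configuration posted by either of the people in the thread; the server prefix 192.0.2.0/24, the ACL number 101 and the host 192.0.2.250 are constructed placeholders, and the timer and threshold values are illustrative rather than recommended for any particular network.

```cisco
! Added example (not from the thread): TCP Intercept on a Cisco IOS edge router.
! 192.0.2.0/24, ACL 101 and 192.0.2.250 are constructed placeholders.
!
! Intercept only SYNs aimed at the servers being protected, never "any any".
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
!
ip tcp intercept list 101
!
! watch mode passively tracks the handshake and resets the connection only if
! it is not completed within watch-timeout; intercept mode has the router
! answer the client's SYN itself and then open the server side.  In either
! mode the router is left holding state when the server side never replies.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
!
! Aggressive-mode thresholds: when half-open connections exceed the high
! water mark the router starts dropping the oldest entries until it falls
! back below the low water mark.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 800
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 800
ip tcp intercept drop-mode oldest
!
! Do NOT add a black-hole route for anything matched by ACL 101 while
! intercept is active.  The router would proxy the client's handshake and
! then hear nothing back (no SYN/ACK, no RST), so each half-open socket
! sits in the intercept table until the timeout expires, which is exactly
! the resource-exhaustion condition TCP Intercept was meant to prevent.
!   ip route 192.0.2.250 255.255.255.255 Null0      <- conflicts with ACL 101
!
! The same reasoning applies to a downstream firewall: a policy that drops
! denied ports silently leaves the router waiting; one that replies with a
! RST lets the intercept entry be torn down immediately.
!
! Verify what the router is holding:
!   show tcp intercept connections
!   show tcp intercept statistics
```

The `show tcp intercept connections` output is the quickest way to confirm the failure mode being discussed: a growing list of incomplete connections towards a destination that is black-holed or silently dropped, rather than entries that appear and are cleared within a few seconds.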
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART