Re: TCP Intercept (Preventing Denial-of-Service Attacks)

From: Chris Riling (criling@gmail.com)
Date: Fri Sep 07 2007 - 18:43:20 ART


Off topic for the current thread, but not for the current subject, if that
makes any sense.... Obviously, this is going to be hardware dependent... but
after doing some short reading on TCP intercept I like the idea. However, it
seems likely that while TCP intercept will prevent servers / hosts behind
the routers from being DoSed, isn't it entirely likely that the router
itself could essentially be DoSed by the overhead of handling the TCP
intercept, essentially in turn DoSing maybe even more than the source
would've originally intended.... Can anyone who has actually used this in
production speak on this?

Thanks,
Chris

On 9/6/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> Or maybe again the source addresses are known. It may not be right or wrong
> in either case, so it will depend on what the requirements are. If it says
> block anybody then use "any"; if it says block this subnet then use that
> subnet. If it doesn't state either then use "any".
>
> Rik
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Salau, Yemi
> Sent: Thursday, September 06, 2007 5:45 AM
> To: tunde omotosho; ccielab@groupstudy.com
> Subject: RE: TCP Intercept (Preventing Denial-of-Service Attacks)
>
> I'm thinking, what if you've got NAT between the internet and your POD
> network? That means the packet source header will not contain the internet
> address, that is, if you have a NAT outside source translation or something
> at your internet boundary router/firewall. Of course, this might not be the
> case in this workbook, but for their solution to work, something must have
> changed the source header address information of those packets to be
> intercepted as they come into your network.... And I'm still guessing NAT.
>
> Many Thanks
>
> Yemi Salau
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> tunde omotosho
> Sent: Thursday, September 06, 2007 9:47 AM
> To: ccielab@groupstudy.com
> Subject: TCP Intercept (Preventing Denial-of-Service Attacks)
>
> Mates,
> In configuring TCP intercept:
>
> From the DOC CD, the following configuration defines extended IP access
> list 101, causing the software to intercept packets for all TCP servers on
> the 192.168.1.0/24 subnet:
>
> ip tcp intercept list 101
> !
> access-list 101 permit tcp any 192.168.1.0 0.0.0.255
>
> I noticed further that the source must always be "any", since the source of
> the attack is not known.
>
> I saw a solution in a workbook where a subnet within the ip domain of the
> workbook is used as the source in the access-list, even when the question
> said attack from the internet.
>
> Please correct me if I am wrong, or is the workbook right?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
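Following up on the router-overhead concern raised at the top of the thread, here is an added example configuration (not from the thread or from the Cisco documentation quoted in it) that keeps the "any" source and the 192.168.1.0/24 list from the DOC CD snippet, but runs TCP intercept in watch mode with aggressive-mode thresholds so the router sheds half-open state instead of proxying every handshake. The threshold and timeout values are illustrative choices, not recommendations for any specific platform.

```cisco
! Added example: TCP intercept scoped to the servers in 192.168.1.0/24.
! Source stays "any" because the attacker's address is not known in advance.
access-list 101 permit tcp any 192.168.1.0 0.0.0.255
ip tcp intercept list 101
!
! Watch mode passes the SYN through and only sends a reset if the server has
! not completed the handshake within the watch timeout. The router no longer
! answers every SYN on the server's behalf (as it does in intercept mode), so
! per-connection overhead on the router is lower.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive mode starts when the number of half-open connections, or the
! one-minute connection-attempt rate, exceeds the high mark, and ends when it
! falls below the low mark. While aggressive, each new half-open connection
! causes an existing one to be dropped and the timeouts are halved, which
! bounds how much state the router will hold under a flood.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
!
! Drop a random half-open entry rather than the oldest, so a steady stream of
! fresh SYNs cannot systematically evict legitimate connections that are
! about to complete.
ip tcp intercept drop-mode random
!
! Operational checks to run while the box is under load, to judge whether the
! thresholds above fit the hardware:
! show tcp intercept connections
! show tcp intercept statistics
```

The trade-off is that watch mode does not hide the SYN flood from the protected servers; it only guarantees that half-open connections are torn down after the watch timeout, so the server's own backlog limits still matter.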



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:10 ART