IP TCP Intercept question

From: Calil Zorby (zorby@doglover.com)
Date: Mon Nov 26 2007 - 18:06:50 ART


Hello, Guys!
I have the same doubt as the one below...
"I need TCP SYN attack protection and an absolute timeout value on the
connection---for example 5 1/2 minutes."
Does anyone have any idea about this?

thanks,

  * Subject: RE: IP TCP Intercept question

  * From: "scott mann" <smann0762@xxxxxxxxxxx>

  * Date: Wed, 10 Apr 2002 21:59:32 -0700

------------------------------------------------------------------------

The requirement is a hypothetical lab scenario, not a real-world example.
I need TCP SYN attack protection and an absolute timeout value on the
connection, for example 5 1/2 minutes. I think TCP intercept with a dynamic
access-list is the only answer, but it seems like I shouldn't have to combine
two different methods to solve this scenario.

  From: Tarek Sabry <tsabry@xxxxxxxxxxxxxxxxxxx>
  Reply-To: Tarek Sabry <tsabry@xxxxxxxxxxxxxxxxxxx>
  To: "'Lupi, Guy'" <Guy.Lupi@xxxxxxxxxxxxx>, "'ying chang '"
  <ying_c@xxxxxxxxxxx>, smann0762@xxxxxxxxxxx, tsabry@xxxxxxx,
  ccielab@xxxxxxxxxxxxxx
  Subject: RE: IP TCP Intercept question
  Date: Wed, 10 Apr 2002 22:47:59 -0500

  I agree with Guy that CBAC should be used here. Now if the requirement is to
  disconnect after a period of time whether active or passive then that's a
  bit odd. Again, Guy has thrown in some creative ideas, but I'm not sure if
  they address your specific situation or not. My guess is that you just need
  to get rid of those idle sessions.

  You may want to give us some more info.

  Tarek

  -----Original Message-----
  From: Lupi, Guy [ mailto:Guy.Lupi@xxxxxxxxxxxxx ]
  Sent: Wednesday, April 10, 2002 8:09 PM
  To: 'ying chang '; 'smann0762@xxxxxxxxxxx '; 'tsabry@xxxxxxxxxxxxxxxxxxx
  '; 'tsabry@xxxxxxx '; 'ccielab@xxxxxxxxxxxxxx '
  Subject: RE: IP TCP Intercept question

  I think that based on the requirement CBAC may be a better answer here. I
  don't believe that you can specify a timeout on completed successful
  sessions with TCP intercept. With CBAC, however, you do have the ability to
  use "ip inspect tcp idle-time"; the default is 3600 seconds, but you can
  lower it to whatever you want. This will cause the router to close a
  session that has been open and idle for the specified amount of time. This
  only specifies the time that a session is idle before it times out, however;
  if the connection is active I don't believe that the timeout applies, it
  must be idle. You can also specify it on a per-rule basis. CBAC also has a
  DoS attack prevention method. If the requirement truly is to disconnect TCP
  sessions after a period of time, active or not, then you may have to use a
  dynamic access-list, but the user would have to telnet to the router to
  initiate the dynamic rule. How long is the absolute timeout supposed to be?
  You could use TCP intercept and an access list that references a time
  range. If the timeout was, say, an hour, you could do something like this.
  Based on the time range, sessions would last 59 minutes, be disconnected, and
  then be allowed again after a minute for another 59 minutes. This seems a
  little ridiculous, unless the absolute timeout is like 6 hours.

  ! define the time range first, then reference it from the ACL
  time-range blah
   periodic daily 00:01 to 01:00
   periodic daily 01:01 to 02:00
   periodic daily 02:01 to 03:00
   periodic daily 03:01 to 04:00
  !
  access-list 101 permit tcp any any time-range blah

  -----Original Message-----
  From: ying chang
  To: smann0762@xxxxxxxxxxx; tsabry@xxxxxxxxxxxxxxxxxxx; tsabry@xxxxxxx;
  ccielab@xxxxxxxxxxxxxx
  Sent: 4/10/2002 7:21 PM
  Subject: RE: IP TCP Intercept question

  Can you let us know why you think you don't have the answer already? I'd do
  the same thing based on my limited interpretation capability:

  ip tcp intercept list 101
  ip tcp intercept mode watch      <--- sends a RST to drop half-open connections
                                        if they don't complete in 30 secs

  ...

  access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
                                   <--- watch subnet 123.4.5.0 to server 192.168.1.2
                                        (numbered ACL, so "access-list", not
                                        "ip access-list")

  I don't think the TCP intercept options like max-incomplete high/low,
  one-minute high/low fit the bill here. I wouldn't use them unless they are
  specifically asked for.

  Chang

>From: "scott mann" <smann0762@xxxxxxxxxxx>
>Reply-To: "scott mann" <smann0762@xxxxxxxxxxx>
>To: tsabry@xxxxxxxxxxxxxxxxxxx, tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 15:12:44 -0700
>
>My requirement is to stop a TCP SYN attack from one subnet to a server on
>another. This is why I chose to use TCP intercept. However, I am also
>required to enforce an absolute timeout, but I don't know of any other way
>besides using a Dynamic access-list, and mixing the two together.
>
>Thanks for your help.
>
>
>>From: Tarek Sabry <tsabry@xxxxxxxxxxxxxxxxxxx>
>>Reply-To: Tarek Sabry <tsabry@xxxxxxxxxxxxxxxxxxx>
>>To: "'scott mann'" <smann0762@xxxxxxxxxxx>, tsabry@xxxxxxx,
>>ccielab@xxxxxxxxxxxxxx
>>Subject: RE: IP TCP Intercept question
>>Date: Wed, 10 Apr 2002 15:27:23 -0500
>>
>>According to what I understand, this feature is for preventing DoS attacks
>>created by floods of *unsuccessful* connections. I think you might need
>>something else to achieve what you're looking for. Maybe someone can
>>enlighten us about anything that can be done on the Cisco equipment to
>>handle this.
>>
>>Sorry
>>Tarek
>>
>>-----Original Message-----
>>From: scott mann [ mailto:smann0762@xxxxxxxxxxx ]
>>Sent: Wednesday, April 10, 2002 3:08 PM
>>To: tsabry@xxxxxxx; ccielab@xxxxxxxxxxxxxx
>>Subject: RE: IP TCP Intercept question
>>
>>
>>
>>Yes, but I would like to time out the connection even if the user DOES
>>establish the connection...I want an absolute timeout.
>>
>>Thanks
>>
>>
>> >From: Tarek Sabry <tsabry@xxxxxxxxxxxxxxxxxxx>
>> >Reply-To: tsabry@xxxxxxx
>> >To: 'scott mann' <smann0762@xxxxxxxxxxx>, ccielab@xxxxxxxxxxxxxx
>> >Subject: RE: IP TCP Intercept question
>> >Date: Wed, 10 Apr 2002 14:58:41 -0500
>> >
>> >Scott
>> >
>> >It seems that what you need is to set the "watch-timeout" and not the
>> >"connection-timeout". The former is defined as the "time allowed to reach
>> >established state". So if the user fails to establish the connection after
>> >this timeout, the router sends a reset to the server to drop the connection.
>> >
>> >So the right command (in my humble opinion) would be:
>> >
>> >"ip tcp intercept watch-timeout [seconds]"
>> >
>> >It sounds misleading to use the "watch" timeout when in "intercept" mode,
>> >but that's what the documentation says!
>> >
>> >Let's hear from experts too ....
>> >
>> >Tarek
>> >
>> >
>> >-----Original Message-----
>> >From: nobody@xxxxxxxxxxxxxx [ mailto:nobody@xxxxxxxxxxxxxx]On Behalf Of
>> >scott mann
>> >Sent: Wednesday, April 10, 2002 2:24 PM
>> >To: ccielab@xxxxxxxxxxxxxx
>> >Subject: IP TCP Intercept question
>> >
>> >
>> >Can anyone tell me if using the below command will disconnect the
>> >user/connection or simply cause the router to stop managing (keeping stats
>> >or control of) the user/connection. I want to disconnect the user/connection
>> >after a specific timeout period regardless of his authentication/TCP
>> >status.
>> >
>> >"ip tcp intercept connection-timeout [seconds]"
>> >
>> >Below is the Cisco Link, but it is not specific.
>> >
>> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
>> >
>> >Thanks,
>> >Lab in 2 days.
>> >
>> >
>> >Commercial lab list: http://www.groupstudy.com/list/commercial.html
>> >Please discuss commercial lab solutions on this list.
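Added example, not taken from any of the posts above: the two approaches the thread weighs, TCP intercept and CBAC, written out as IOS configuration for the scenario Chang sketches (clients in 123.4.5.0/24 reaching the server 192.168.1.2). The router's interface names and addresses, the inspect rule name LAB_FW, access-list 102 and the threshold values are assumptions made for this example. The two halves are alternatives, not meant to be applied together on the same traffic. Each timer is annotated with what it actually governs, which is where the thread ends up: both features protect against SYN floods and both have idle timers, but neither one cuts an established, active session after a fixed lifetime such as 5 1/2 minutes.

```cisco
! ===== Option A: TCP intercept =====
! Intercept only SYNs from the client subnet towards the server.
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
ip tcp intercept list 101
!
! watch mode: the SYN is forwarded unchanged; if the handshake has not
! reached ESTABLISHED within watch-timeout the router sends a RST to the
! server to clear the half-open entry.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
! connection-timeout is how long an ESTABLISHED connection keeps being
! managed after it goes idle (default 86400 s). It is an idle timer: an
! active session is not cut at 330 s by this command.
ip tcp intercept connection-timeout 330
ip tcp intercept finrst-timeout 5
!
! Aggressive-mode watermarks (defaults are 1100/900); assumed lab values.
ip tcp intercept max-incomplete high 500
ip tcp intercept max-incomplete low 400
ip tcp intercept one-minute high 500
ip tcp intercept one-minute low 400
ip tcp intercept drop-mode random
!
! ===== Option B: CBAC =====
! Global SYN-flood settings: a half-open session is dropped after
! synwait-time; the high/low watermarks start and stop aggressive
! deletion of half-open sessions. block-time 0 = never block the host.
ip inspect tcp synwait-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! 330 s = the 5 1/2 minutes asked for. Both the global and the per-rule
! value are IDLE timers: the session is torn down after 330 s without
! traffic, not 330 s after it was opened.
ip inspect tcp idle-time 330
ip inspect name LAB_FW tcp timeout 330
!
! Assumed topology: Ethernet0/0 faces 123.4.5.0/24, Ethernet0/1 faces the
! server. Inspection is applied in the direction the clients open sessions;
! CBAC then inserts temporary entries ahead of access-list 102 so only the
! return traffic of inspected sessions gets back through.
interface Ethernet0/0
 ip address 123.4.5.1 255.255.255.0
 ip inspect LAB_FW in
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
!
access-list 102 deny ip any any log
```

To see either side at work in the lab, `show tcp intercept connections` and `show tcp intercept statistics` list what intercept is watching, and `show ip inspect sessions detail` and `show ip inspect config` show the CBAC sessions and the timers in force. Guy's dynamic access-list remains the only thing in the thread that gives a true absolute timeout, at the cost of the user first authenticating to the router.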



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:31 ART