From: Calil Zorby (zorby@doglover.com)
Date: Wed Nov 28 2007 - 00:36:49 ART
Does anyone have any idea?
thanks
----- Original Message -----
From: "Calil Zorby"
To: ccielab@groupstudy.com
Subject: IP TCP Intercept question
Date: Mon, 26 Nov 2007 16:06:50 -0500
Hello, Guys!
I have the same doubt as the one below...
"I need TCP Syn attack protection and an absolute timeout value on the connection---for example 5 1/2 minutes."
Does anyone have any idea about this?
thanks,
* Subject: RE: IP TCP Intercept question
* From: "scott mann"
* Date: Wed, 10 Apr 2002 21:59:32 -0700
------------------------------------------------------------------------
The requirement is a hypothetical lab scenario, not a real-world example.
I need TCP Syn attack protection and an absolute timeout value on the connection--for example 5 1/2 minutes. I think TCP intercept with Dynamic access-list is the only answer, but it seems like I shouldn't have to combine two different methods together to solve this scenario.
From: Tarek Sabry
Reply-To: Tarek Sabry
To: "'Lupi, Guy'" , "'ying chang '" , smann0762@xxxxxxxxxxx, tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
Subject: RE: IP TCP Intercept question
Date: Wed, 10 Apr 2002 22:47:59 -0500
I agree with Guy that CBAC should be used here. Now if the requirement is to disconnect after a period of time whether active or passive then that's a bit odd. Again, Guy has thrown in some creative ideas, but I'm not sure if they address your specific situation or not. My guess is that you just need to get rid of those idle sessions.
You may want to give us some more info.
Tarek
-----Original Message-----
From: Lupi, Guy [ mailto:Guy.Lupi@xxxxxxxxxxxxx ]
Sent: Wednesday, April 10, 2002 8:09 PM
To: 'ying chang '; 'smann0762@xxxxxxxxxxx '; 'tsabry@xxxxxxxxxxxxxxxxxxx '; 'tsabry@xxxxxxx '; 'ccielab@xxxxxxxxxxxxxx '
Subject: RE: IP TCP Intercept question
I think that based on the requirement CBAC may be a better answer here. I don't believe that you can specify a timeout on completed successful sessions with TCP intercept. With CBAC however, you do have the ability to use the "ip inspect tcp idle-time"; the default is 3600 seconds, but you can lower it to whatever you want. This will cause the router to close a session that has been open and idle for the specified amount of time. This only specifies the time that a session is idle before it times out, however; if the connection is active I don't believe that the timeout applies, it must be idle. You can also specify it on a per-rule basis. CBAC also has a DOS attack prevention method. If the requirement truly is to disconnect tcp sessions after a period of time, active or not, then you may have to use a dynamic access-list, but the user would have to telnet to the router to initiate the dynamic rule. How long is the absolute timeout supposed to be?
You could use tcp intercept and an access list that references a time range. If the timeout was, say, an hour, you could do something like this. Based on the time range, sessions would last 59 minutes, be disconnected, and then be allowed again after a minute for another 59 minutes. This seems a little ridiculous, unless the absolute timeout is like 6 hours.
access-list 101 permit tcp any any time-range blah
!
time-range blah
periodic daily 0:01 to 1:00
periodic daily 1:01 to 2:00
periodic daily 2:01 to 3:00
periodic daily 3:01 to 4:00
-----Original Message-----
From: ying chang
To: smann0762@xxxxxxxxxxx; tsabry@xxxxxxxxxxxxxxxxxxx; tsabry@xxxxxxx; ccielab@xxxxxxxxxxxxxx
Sent: 4/10/2002 7:21 PM
Subject: RE: IP TCP Intercept question
Can you let us know why you think you don't have the answer already? I'd do the same thing based on my limited interpretation capability:
ip tcp intercept list 101
ip tcp intercept mode watch      <--- send rst to drop half open connection if they don't make it in 30 secs
...
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2      <--- watch subnet 123.4.5.0 to server 192.168.1.2
I don't think the tcp intercept options like max-incomplete high/low, one-minute high/low fit the bill here. I wouldn't use them unless they are specifically asked for.
Chang
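Added example, not from any post in this thread: one IOS configuration that puts Chang's TCP intercept lines and the CBAC idle timer Guy describes side by side, with the knobs the thread argues about commented so their scope is visible. The ACL number 101 and the 123.4.5.0/24 to 192.168.1.2 pair are taken from Chang's post; the inspection rule name LABFW, the interface names and the 330-second value (the 5 1/2 minutes from the original requirement) are assumptions made for the example. As the thread concludes, neither timer is an absolute session lifetime: watch-timeout bounds only the half-open phase, and the CBAC timeout fires only on idle sessions.

```cisco
! Added example, not from the thread. Inspection rule name, interface
! names and the 330 s value are assumed; ACL 101 and the subnet/server
! pair follow Chang's post.
!
! --- SYN-flood protection with TCP intercept (watch mode) ---
! ACL 101 only selects which connections intercept watches; it is not
! applied to an interface here.
access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
ip tcp intercept list 101
ip tcp intercept mode watch
! Half-open connections that do not reach ESTABLISHED within this many
! seconds get a reset sent to the server (default 30).
ip tcp intercept watch-timeout 30
! How long intercept keeps managing an established connection after it
! goes quiet (default 86400). Expiry stops management of the entry; it
! does not tear the session down.
ip tcp intercept connection-timeout 3600
! Aggressive-mode thresholds, shown at their defaults so the knobs
! Chang chose not to touch are visible.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! --- Idle timeout on completed sessions with CBAC ---
! Global idle timer for inspected TCP sessions (default 3600 s),
! lowered to 330 s = 5 1/2 minutes from the lab requirement.
ip inspect tcp idle-time 330
! The same value per rule; a per-rule timeout overrides the global one
! for sessions matched by this inspection rule.
ip inspect name LABFW tcp timeout 330
!
! Sessions start on the client subnet side, so inspection is applied
! inbound on the interface facing 123.4.5.0/24 (assumed Serial0/0).
interface Serial0/0
 description outside, toward 123.4.5.0/24 (assumed)
 ip inspect LABFW in
!
interface FastEthernet0/0
 description inside, toward server 192.168.1.2 (assumed)
!
! Checks after applying:
!   show tcp intercept connections   (half-open vs established entries)
!   show tcp intercept statistics
!   show ip inspect sessions         (CBAC sessions and their timers)
```

With this in place a SYN flood from the watched subnet shows up as half-open entries in show tcp intercept connections that disappear after the watch timeout, while a completed session appears in show ip inspect sessions and is closed only once it has been idle for 330 seconds; an active session outlives both timers, which is exactly the gap the thread is trying to fill.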
>From: "scott mann"
>Reply-To: "scott mann"
>To: tsabry@xxxxxxxxxxxxxxxxxxx, tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 15:12:44 -0700
>
>My requirement is to stop a TCP SYN attack from one subnet to a server on another. This is why I chose to use TCP intercept. However, I am also required to enforce an absolute timeout, but I don't know of any other way besides using a Dynamic access-list, and mixing the two together.
>
>Thanks for your help.
>
>
>>From: Tarek Sabry
>>Reply-To: Tarek Sabry
>>To: "'scott mann'" , tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
>>Subject: RE: IP TCP Intercept question
>>Date: Wed, 10 Apr 2002 15:27:23 -0500
>>
>>According to what I understand, this feature is for preventing DOS attacks created by floods of *unsuccessful* connections. I think you might need something else to achieve what you're looking for. Maybe someone can enlighten us about anything that can be done on the Cisco equipment to handle this.
>>
>>Sorry
>>Tarek
>>
>>-----Original Message-----
>>From: scott mann [ mailto:smann0762@xxxxxxxxxxx ]
>>Sent: Wednesday, April 10, 2002 3:08 PM
>>To: tsabry@xxxxxxx; ccielab@xxxxxxxxxxxxxx
>>Subject: RE: IP TCP Intercept question
>>
>>
>>
>>Yes, but I would like to timeout the connection even if the user DOES establish the connection...I want an absolute timeout.
>>
>>Thanks
>>
>>
>> >From: Tarek Sabry
>> >Reply-To: tsabry@xxxxxxx
>> >To: 'scott mann' , ccielab@xxxxxxxxxxxxxx
>> >Subject: RE: IP TCP Intercept question
>> >Date: Wed, 10 Apr 2002 14:58:41 -0500
>> >
>> >Scott
>> >
>> >It seems that what you need is to set the "watch-timeout" and not the "connection-timeout". The former is defined as the "time allowed to reach established state". So if the user fails to establish the connection after this timeout, the router sends a reset to the server to drop the connection.
>> >
>> >So the right command (in my humble opinion) would be:
>> >
>> >"ip tcp intercept watch-timeout [seconds]"
>> >
>> >It sounds misleading to use the "watch" timeout when in "intercept" mode, but that's what the documentation says!
>> >
>> >Let's hear from experts too ....
>> >
>> >Tarek
>> >
>> >
>> >-----Original Message-----
>> >From: nobody@xxxxxxxxxxxxxx [ mailto:nobody@xxxxxxxxxxxxxx ] On Behalf Of scott mann
>> >Sent: Wednesday, April 10, 2002 2:24 PM
>> >To: ccielab@xxxxxxxxxxxxxx
>> >Subject: IP TCP Intercept question
>> >
>> >
>> >Can anyone tell me if using the below command will disconnect the user/connection or simply cause the router to stop managing (keeping stats or control of) the user/connection. I want to disconnect the user/connection after a specific timeout period regardless of his authentication/TCP status.
>> >
>> >"ip tcp intercept connection-timeout [seconds]"
>> >
>> >Below is the Cisco Link, but it is not specific.
>> >
>> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
>> >
>> >Thanks,
>> >Lab in 2 days.
>> >
>> >
>> >
>> >Commercial lab list:
http://www.groupstudy.com/list/commercial.html
>> >Please discuss commercial lab solutions on this list.
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:31 ART