Re: IP TCP Intercept question

From: Tarun Pahuja (pahujat@gmail.com)
Date: Wed Nov 28 2007 - 11:41:19 ART


Calil,
       Can you define what you mean by absolute time-out? CBAC and IP TCP
Inspect are used to protect against SYN attacks in addition to other
protections. They monitor half-open and idle connections to protect against
any potential SYN attacks. These applications are not designed to terminate
valid connections after a certain period of time.

Can you elaborate on why you want to do this and why specifically you want
to use IP TCP intercept or Cbac? I can tell you other ways of terminating
valid connections based on time.

Thanks,
Tarun

On Nov 27, 2007 10:36 PM, Calil Zorby <zorby@doglover.com> wrote:

> Does anyone have any idea?
>
> thanks
>
> ----- Original Message -----
> From: "Calil Zorby"
> To: ccielab@groupstudy.com
> Subject: IP TCP Intercept question
> Date: Mon, 26 Nov 2007 16:06:50 -0500
>
>
> Hello, Guys!
> I have the same doubt below...
> "I need TCP Syn attack protection and an absolute timeout value on the
> connection---for example 5 1/2 minutes."
> Does anyone have any idea about this?
>
> thanks,
>
> * Subject: RE: IP TCP Intercept question
>
> * From: "scott mann"
>
> * Date: Wed, 10 Apr 2002 21:59:32 -0700
>
> ------------------------------------------------------------------------
>
> The requirement is a hypothetical lab scenario, not a real-world example.
> I need TCP Syn attack protection and an absolute timeout value on the
> connection--for example 5 1/2 minutes. I think TCP intercept with Dynamic
> access-list is the only answer, but it seems like I shouldn't have to
> combine two different methods together to solve this scenario.
>
>
> From: Tarek Sabry
> Reply-To: Tarek Sabry
> To: "'Lupi, Guy'" , "'ying chang '" , smann0762@xxxxxxxxxxx, tsabry@xxxxxxx,
> ccielab@xxxxxxxxxxxxxx
> Subject: RE: IP TCP Intercept question
> Date: Wed, 10 Apr 2002 22:47:59 -0500
>
> I agree with Guy that CBAC should be used here. Now if the requirement is to
> disconnect after a period of time whether active or passive then that's a
> bit odd. Again, Guy has thrown in some creative ideas, but I'm not sure if
> they address your specific situation or not. My guess is that you just need
> to get rid of those idle sessions.
>
> You may want to give us some more info.
>
> Tarek
>
> -----Original Message-----
> From: Lupi, Guy [ mailto:Guy.Lupi@xxxxxxxxxxxxx ]
> Sent: Wednesday, April 10, 2002 8:09 PM
> To: 'ying chang '; 'smann0762@xxxxxxxxxxx '; 'tsabry@xxxxxxxxxxxxxxxxxxx ';
> 'tsabry@xxxxxxx '; 'ccielab@xxxxxxxxxxxxxx '
> Subject: RE: IP TCP Intercept question
>
>
>
> I think that based on the requirement CBAC may be a better answer here. I
> don't believe that you can specify a timeout on completed successful
> sessions with TCP intercept. With CBAC however, you do have the ability to
> use the "ip inspect tcp idle-time"; the default is 3600 seconds, but you
> can lower it to whatever you want. This will cause the router to close a
> session that has been open and idle for the specified amount of time. This
> only specifies the time that a session is idle before it times out,
> however; if the connection is active I don't believe that the timeout
> applies, it must be idle. You can also specify it on a per-rule basis. CBAC
> also has a DOS attack prevention method. If the requirement truly is to
> disconnect tcp sessions after a period of time, active or not, then you may
> have to use a dynamic access-list, but the user would have to telnet to the
> router to initiate the dynamic rule. How long is the absolute timeout
> supposed to be? You could use tcp intercept and an access list that
> references a time range. If the timeout was say an hour, you could do
> something like this. Based on the time range, sessions would last 59
> minutes, be disconnected, and then be allowed again after a minute for
> another 59 minutes. This seems a little ridiculous, unless the absolute
> timeout is like 6 hours.
>
>
> access-list 101 permit tcp any any time-range blah
> !
> time-range blah
> periodic daily 0:01 to 1:00
> periodic daily 1:01 to 2:00
> periodic daily 2:01 to 3:00
> periodic daily 3:01 to 4:00
>
>
>
>
>
>
> -----Original Message-----
> From: ying chang
> To: smann0762@xxxxxxxxxxx; tsabry@xxxxxxxxxxxxxxxxxxx; tsabry@xxxxxxx;
> ccielab@xxxxxxxxxxxxxx
> Sent: 4/10/2002 7:21 PM
> Subject: RE: IP TCP Intercept question
>
>
> Can you let us know why you think you don't have the answer already? I'd
> do the same thing based on my limited interpretation capability:
>
>
> ip tcp intercept list 101
> ip tcp intercept mode watch <--- send rst to drop half open connection
> if they don't make it in 30 secs
>
>
> ...
>
> access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2 <---
> watch subnet 123.4.5.0 to server 192.168.1.2
>
> I don't think the tcp intercept options like max-incomplete high/low,
> one-minute high/low fit the bill here. I wouldn't use them unless they
> are specifically asked.
>
>
> Chang
>
>
>
> >From: "scott mann"
> >Reply-To: "scott mann"
> >To: tsabry@xxxxxxxxxxxxxxxxxxx, tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
> >Subject: RE: IP TCP Intercept question
> >Date: Wed, 10 Apr 2002 15:12:44 -0700
> >
> >My requirement is to stop a TCP SYN attack from one subnet to a server on
> >another. This is why I chose to use TCP intercept. However, I am also
> >required to enforce an absolute timeout, but I don't know of any other
> >way besides using a Dynamic access-list, and mix the two together.
> >
> >Thanks for your help.
> >
> >
> >>From: Tarek Sabry
> >>Reply-To: Tarek Sabry
> >>To: "'scott mann'" , tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
> >>Subject: RE: IP TCP Intercept question
> >>Date: Wed, 10 Apr 2002 15:27:23 -0500
> >>
> >>According to what I understand, this feature is for preventing DOS
> >>attacks created by floods of *unsuccessful* connections. I think you
> >>might need something else to achieve what you're looking for. Maybe
> >>someone can enlighten us about anything that can be done on the Cisco
> >>equipment to handle this.
> >>
> >>Sorry
> >>Tarek
> >>
> >>-----Original Message-----
> >>From: scott mann [ mailto:smann0762@xxxxxxxxxxx ]
> >>Sent: Wednesday, April 10, 2002 3:08 PM
> >>To: tsabry@xxxxxxx; ccielab@xxxxxxxxxxxxxx
> >>Subject: RE: IP TCP Intercept question
> >>
> >>
> >>
> >>Yes, but I would like to timeout the connection even if the user DOES
> >>establish the connection...I want an absolute timeout.
> >>
> >>Thanks
> >>
> >>
> >> >From: Tarek Sabry
> >> >Reply-To: tsabry@xxxxxxx
> >> >To: 'scott mann' , ccielab@xxxxxxxxxxxxxx
> >> >Subject: RE: IP TCP Intercept question
> >> >Date: Wed, 10 Apr 2002 14:58:41 -0500
> >> >
> >> >Scott
> >> >
> >> >It seems that what you need is to set the "watch-timeout" and not the
> >> >"connection-timeout". The former is defined as the "time allowed to
> >> >reach established state". So if the user fails to establish the
> >> >connection after this timeout, the router sends a reset to the server
> >> >to drop the connection.
> >> >
> >> >So the right command (in my humble opinion) would be:
> >> >
> >> >"ip tcp intercept watch-timeout [seconds]"
> >> >
> >> >It sounds misleading to use the "watch" timeout when in "intercept"
> >> >mode, but that's what the documentation says!
> >> >
> >> >Let's hear from experts too ....
> >> >
> >> >Tarek
> >> >
> >> >
> >> >-----Original Message-----
> >> >From: nobody@xxxxxxxxxxxxxx [ mailto:nobody@xxxxxxxxxxxxxx]On Behalf Of
> >> >scott mann
> >> >Sent: Wednesday, April 10, 2002 2:24 PM
> >> >To: ccielab@xxxxxxxxxxxxxx
> >> >Subject: IP TCP Intercept question
> >> >
> >> >
> >> >Can anyone tell me if using the below command will disconnect the
> >> >user/connection or simply cause the router to stop managing (keeping
> >> >stats or control of) the user/connection. I want to disconnect the
> >> >user/connection after a specific timeout period regardless of his
> >> >authentication/TCP status.
> >> >
> >> >"ip tcp intercept connection-timeout [seconds]"
> >> >
> >> >Below is the Cisco Link, but it is not specific.
> >> >
> >> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
> >> >
> >> >Thanks,
> >> >Lab in 2 days.
> >> >
> >> >
> >> >_________________________________________________________________
> >> >Chat with friends online, try MSN Messenger:
> http://messenger.msn.com
> >> >_________________________________________________________________
> >> >Commercial lab list:
> http://www.groupstudy.com/list/commercial.html
> >> >Please discuss commercial lab solutions on this list.
>
> --
> Over 2 Million Holiday Gift Ideas - Take a Look!
> mail.com shopping at http://mail.shopping.com/?linkin_id=8033174
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
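As an added illustration that is not part of the thread, the Python model below tracks the two timers the posters contrast: TCP intercept's watch-timeout in watch mode, which resets a connection that fails to reach the established state in time (30 seconds by default, as Chang notes), and CBAC's "ip inspect tcp idle-time", which closes an established session after 3600 seconds of inactivity by default (the value Guy cites). The flow names, the event format and the packet timeline are constructed for the example; the connection-timeout keyword Scott asks about is deliberately left out because the thread does not settle its behaviour. Running it shows that an established connection that keeps passing traffic is never closed by either timer, which is exactly why neither feature delivers the absolute timeout Scott and Calil were looking for.

```python
"""Model of TCP intercept watch-timeout and CBAC tcp idle-time (constructed example).

Neither timer is an absolute session timeout: watch-timeout only resets
half-open connections, idle-time only closes established but silent ones.
"""
from dataclasses import dataclass
from typing import Optional

WATCH_TIMEOUT = 30   # seconds; IOS default for "ip tcp intercept watch-timeout"
IDLE_TIME = 3600     # seconds; IOS default for "ip inspect tcp idle-time"


@dataclass
class Conn:
    start: float                  # time the client's SYN was seen
    last_activity: float          # time of the last packet on the flow
    established: bool = False     # three-way handshake completed
    closed_by: Optional[str] = None


def _expire(conns, now, watch_timeout, idle_time):
    """Apply both timers to every open flow as of time `now`."""
    for c in conns.values():
        if c.closed_by:
            continue
        if not c.established and now - c.start > watch_timeout:
            # watch mode: the router sends RST to the server and drops the entry
            c.closed_by = "watch-timeout"
        elif c.established and now - c.last_activity > idle_time:
            # CBAC: idle established session removed from the state table
            c.closed_by = "idle-time"


def simulate(events, end_time, watch_timeout=WATCH_TIMEOUT, idle_time=IDLE_TIME):
    """events: iterable of (time, flow_id, kind), kind in {"syn","synack","ack","data"}.

    Returns {flow_id: "open" | "watch-timeout" | "idle-time"} as of end_time.
    """
    conns = {}
    for t, flow, kind in sorted(events):
        _expire(conns, t, watch_timeout, idle_time)
        if kind == "syn":
            conns[flow] = Conn(start=t, last_activity=t)
            continue
        c = conns.get(flow)
        if c is None or c.closed_by:
            continue  # packet for an unknown or already-reset flow; ignored
        c.last_activity = t
        if kind == "ack":
            c.established = True  # handshake done; watch-timeout no longer applies
    _expire(conns, end_time, watch_timeout, idle_time)
    return {flow: c.closed_by or "open" for flow, c in conns.items()}


# Constructed sample timeline (hypothetical flows, not captured traffic):
#   A: full handshake, then a data packet every 60 s for six hours -> stays open
#   B: SYN and SYN-ACK, client never sends the final ACK           -> watch-timeout
#   C: full handshake, one data packet, then silence               -> idle-time
SAMPLE_EVENTS = (
    [(0, "A", "syn"), (1, "A", "synack"), (2, "A", "ack")]
    + [(t, "A", "data") for t in range(60, 6 * 3600, 60)]
    + [(0, "B", "syn"), (1, "B", "synack")]
    + [(0, "C", "syn"), (1, "C", "synack"), (2, "C", "ack"), (10, "C", "data")]
)


def demo():
    """Run the sample timeline through both timers with IOS default values."""
    return simulate(SAMPLE_EVENTS, end_time=6 * 3600)


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(f"flow {flow}: {outcome}")
```

Flow A survives the whole six hours even though the thread's hypothetical requirement was a 5 1/2 minute cut-off; lowering idle-time only helps if the session actually goes quiet, and lowering watch-timeout only affects handshakes that never complete.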



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:31 ART