From: Ahsan Mohiuddin (ahsan.mohiuddin@gmail.com)
Date: Sat Aug 30 2008 - 11:07:18 ART
Hello Group,
I don't understand how CBAC commands such as "ip inspect max-incomplete" and
"ip inspect tcp max-incomplete host" etc. come into effect. My understanding
is that when you apply CBAC to an interface, connections can only be
initiated from within the protected network, and dynamic openings are
created for return traffic to be allowed back in.
So, how do we get to have any "half-open" sessions at all? I mean if a DoS
attack is underway, we would expect half-open (SYN-only) TCP packets piling
up on one of the servers (on the inside). But since we aren't even allowing
any new connections to be made from the outside, how does a DoS attack ever
take place? So what's the use of the "ip inspect max-incomplete"?
It's getting confusing. This is my first time with CBAC :(
~Ahsan
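Added example (not from the poster, not Cisco code): a simplified Python model of the half-open session accounting that the two commands named above govern, assuming the documented behaviour of the global high/low watermarks (oldest half-open sessions deleted until the count drops below "low") and the per-host limit (oldest session to that host dropped when block-time is 0, or all new attempts to that host blocked for block-time minutes). The thresholds and hosts used are constructed sample values.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Toy model of CBAC half-open (SYN seen, no handshake completion) tracking.
    Assumption: mirrors 'ip inspect max-incomplete high/low' and
    'ip inspect tcp max-incomplete host <n> block-time <min>' as documented."""

    def __init__(self, high, low, per_host, block_time=0):
        self.high, self.low = high, low
        self.per_host, self.block_time = per_host, block_time
        self.sessions = OrderedDict()   # (src, sport, dst) -> dst; order = age
        self.blocked = {}               # dst host -> minutes of block remaining
        self.deleted = 0                # half-open sessions torn down by policy

    def _to_host(self, host):
        return [k for k, h in self.sessions.items() if h == host]

    def syn(self, src, dst, sport):
        """Inspection sees a new SYN; returns how the model treats it."""
        if self.blocked.get(dst, 0) > 0:
            return "blocked"
        # Per-host limit: adding this session would exceed max-incomplete host.
        if len(self._to_host(dst)) >= self.per_host:
            if self.block_time > 0:
                self.blocked[dst] = self.block_time
                return "blocked"
            # block-time 0: drop the oldest half-open session to this host.
            del self.sessions[self._to_host(dst)[0]]
            self.deleted += 1
        self.sessions[(src, sport, dst)] = dst
        # Global limit: above 'high', delete oldest sessions until below 'low'.
        if len(self.sessions) > self.high:
            while len(self.sessions) > self.low:
                self.sessions.popitem(last=False)
                self.deleted += 1
        return "half-open"

    def complete(self, src, dst, sport):
        """Handshake finished: the session is no longer half-open."""
        self.sessions.pop((src, sport, dst), None)

    def tick(self):
        """One minute passes; expire per-host blocks."""
        for host in list(self.blocked):
            self.blocked[host] -= 1
            if self.blocked[host] <= 0:
                del self.blocked[host]
```

In the model, half-open entries come only from SYNs the inspection rule sees, so which direction(s) inspection is applied to decides what can fill the table.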