I think you can test it easily with dynamips on a scenario like this:
R1 <----> R2 <----> R3
Apply CBAC on R2 looking for HTTP connections coming from R3 towards R1;
on R3 increase the TCP synwait time to something larger than the CBAC
timeout for TCP port 80;
on R1 the HTTP server is disabled. Start telnetting R1:80 and capture the
traffic on both R2 interfaces.
See what happens as soon as the CBAC SYN timeout expires.
/R
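The three-router lab described above, written out as router configuration so the two timers that the thread keeps coming back to (Andy Reid's distinction between "ip inspect tcp synwait-time" for half-open sessions and "ip inspect tcp finwait-time" for closing sessions, further down) can be seen side by side. This is an added example, not the poster's own configuration: the interface names, the 10.0.x.0/24 addresses, the access-list number and the 10-second CBAC timer are assumptions chosen for illustration; the commands themselves are the standard IOS keywords named in the thread (ip inspect tcp synwait-time, ip inspect tcp finwait-time, ip tcp synwait-time, no ip http server).

```cisco
! ===== R2: the CBAC router between R3 (inside) and R1 (outside) =====
! Global CBAC timers. synwait-time is the timer the thread is about: how long
! a session that has only seen a SYN is kept before CBAC tears it down.
! finwait-time applies only to sessions that completed the handshake and
! are now closing. 10 s is an assumed value (IOS default is 30 s) chosen so
! it expires before R3's own TCP SYN retry timer below.
ip inspect tcp synwait-time 10
ip inspect tcp finwait-time 5
! Log session creation and deletion so the teardown shows up in syslog as
! well as in the packet capture.
ip inspect audit-trail
!
! Inspection rule: track TCP sessions initiated from the inside.
ip inspect name CBAC tcp
!
! Inbound ACL on the outside interface: nothing comes back by default.
! CBAC inserts temporary entries ahead of this ACL for sessions it has seen
! leave via the inside interface, and removes them when a timer expires.
access-list 100 deny ip any any
!
interface FastEthernet0/0
 description link to R3 (inside, connections originate here) - assumed
 ip address 10.0.23.2 255.255.255.0
 ip inspect CBAC in
!
interface FastEthernet0/1
 description link to R1 (outside) - assumed
 ip address 10.0.12.2 255.255.255.0
 ip access-group 100 in
!
! ===== R3: the client =====
! Keep R3 retrying its own SYN longer than CBAC's synwait-time, so CBAC's
! timer is the one that fires first. 60 s is an assumed value (default 30 s).
ip tcp synwait-time 60
!
! ===== R1: the target =====
! No listener on port 80, so R3's SYN to R1:80 never completes a handshake.
no ip http server
!
! ===== Verification on R2 while the SYN is outstanding and after it ages =====
! show ip inspect config        - confirms the timers above
! show ip inspect sessions      - the half-open entry appears, then disappears
! debug ip inspect tcp          - shows what CBAC does at synwait expiry
```

Run the capture on both R2 interfaces (Fa0/0 towards R3 and Fa0/1 towards R1), start `telnet 10.0.12.1 80` from R3, and compare the packets seen after the 10-second mark with the `debug ip inspect tcp` output: whatever segment CBAC emits on each side at expiry answers the RST-versus-FIN question the thread is asking.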
2009/9/7 Jacob Uecker <juecker_at_ccbootcamp.com>
> Yersinia is perfect for this! I've always liked to use hping to spoof
> packets, but anything along that line works. I guess you could create a
> static route so that the SYN-ACK isn't received by the original sender. An
> ACL would also work.
>
>
>
> Thanks,
>
> Jacob Uecker
> CCIE# 24481
>
> Development Engineer
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
>
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
> ________________________________
>
> From: Scott M Vermillion [mailto:scott_ccie_list_at_it-ag.com]
> Sent: Sun 9/6/2009 8:55 PM
> To: Jacob Uecker
> Cc: Anantha Subramanian Natarajan; Cisco certification
> Subject: Re: CBAC
>
>
> Hi Jacob,
>
> Yes, there are likely many ways to check -- assuming you can create the
> half-open scenario for IOS to react to in the first place. Any thoughts
> there? Yersinia or something along that line?
>
> Regards,
>
> Scott
>
> On Sep 6, 2009, at 9:07, Jacob Uecker wrote:
>
>
> I have always heard of using TCP RSTs instead of FINs. You could
> always use a SPAN port and check :)
>
>
>
> Thanks,
>
> Jacob Uecker
> CCIE# 24481
>
> ________________________________
>
> From: nobody_at_groupstudy.com on behalf of Anantha Subramanian
> Natarajan
> Sent: Sun 9/6/2009 7:21 PM
> To: Scott M Vermillion; Cisco certification
> Subject: Re: CBAC
>
>
>
> Thank you Scott M Vermillion for your thoughts and inferences.
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <
> scott_ccie_list_at_it-ag.com> wrote:
>
> > My understanding is that it sends TCP RST in both directions, although I
> > couldn't come up with a direct quote to offer as proof (plenty of quotes
> > that state that as fact where TCP intercept is concerned, but not CBAC
> > specifically). A TCP FIN wouldn't be my first guess, as that's the means of
> > closing an *established* socket. What we're dealing with here is half-open
> > connections instead. So my vote is on a RST, but I'm not sure how to lab
> > this up. A means to generate a TCP SYN followed by nothing else would be
> > required. No doubt such a thing exists but I'm just not sure I have it
> > readily available on any of my existing lab gear. Anyone else?
> >
> >
> > On Sep 6, 2009, at 5:17, Andy Reid wrote:
> >
> >> Hi Anantha,
> >>
> >> I have never noticed that part of the description before: "it notifies
> >> both parties that the connection has been terminated". I can only assume
> >> that it sends a FIN packet in both directions after the timeout occurs
> >> to fully close the connection, though I have not tested this specific
> >> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> >> Can anyone else confirm or otherwise explain the action of "ip inspect
> >> tcp synwait-time".
> >>
> >> Thanks, Andy
> >>
> >> Anantha Subramanian Natarajan wrote:
> >>
> >>> Hi Andy,
> >>>
> >>> Thank you very much for the explanation. I am trying to understand
> >>> the below highlighted statement, how it notifies the parties that the
> >>> connection is terminated, is it by sending some signal (something like
> >>> RST or ?) .... Kindly help me to understand
> >>>
> >>> "This command specifies how long the cisco IOS waits for a TCP session
> >>> to be established (to complete three-way handshake). The default is 30
> >>> seconds. If the three way handshake is not completed by end of this
> >>> timeout, Cisco IOS removes the entry from its state table and the
> >>> dynamic entry in the ACL (before FAB) and *it notifies both parties
> >>> that the connection has been terminated*"
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>> Anantha Subramanian Natarajan
> >>>
> >>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
> >>>
> >>> Hi Anantha,
> >>>
> >>> The command "ip inspect tcp finwait-time" is used when waiting for
> >>> the FIN packets (default is 5 seconds).
> >>>
> >>> The "ip inspect tcp synwait-time" is used to protect against half
> >>> open sessions (default is 30 seconds) where the session never
> >>> becomes fully established, and therefore FIN packets are never sent.
> >>>
> >>> regards Andy
> >>>
> >>> Anantha Subramanian Natarajan wrote:
> >>>
> >>> Hi All,
> >>>
> >>> I was going through CBAC and trying to understand the different global
> >>> settings on the same. One of that was "ip inspect tcp synwait-time". The
> >>> way in which I understood was as stated below (actually just pasting the
> >>> statements)
> >>>
> >>> "This command specifies how long the cisco IOS waits for a TCP session
> >>> to be established (to complete three-way handshake). The default is 30
> >>> seconds. If the three way handshake is not completed by end of this
> >>> timeout, Cisco IOS removes the entry from its state table and the dynamic
> >>> entry in the ACL (before FAB) and it notifies both parties that the
> >>> connection has been terminated"
> >>>
> >>> In the above I am trying to understand what kind of notification it
> >>> provides to both the parties when the timeout has reached. Is it TCP
> >>> RST or something different.
> >>>
> >>> Kindly let me know
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>>
> >>> Anantha Subramanian Natarajan
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
>
>
-- Faeddare pagu, sabidorla meda.
Received on Mon Sep 07 2009 - 09:29:35 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART