But why use a tool when you can use static routes ;)
Thanks,
Jacob Uecker
CCIE# 24481
Development Engineer
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com
________________________________
From: Scott M Vermillion [mailto:scott_ccie_list_at_it-ag.com]
Sent: Mon 9/7/2009 8:49 AM
To: Jacob Uecker
Cc: Anantha Subramanian Natarajan; Cisco certification
Subject: Re: CBAC
That's a really good idea Jacob. You could do four routers in series,
with R1 telnetting R4. R3 could hold the static route to nul0 for
R1. R2 could run CBAC. Something like that. I don't have time today
but that would be a pretty straight-forward way of creating the half-
open. I haven't dusted off Yersinia in quite a while but I have no
doubt that one of those hacker tools would do the trick as well...
On Sep 6, 2009, at 9:56 , Jacob Uecker wrote:
> Yersinia is perfect for this! I've always liked to use hping to spoof
> packets, but anything along that line works. I guess you could create a
> static route so that the SYN-ACK isn't received by the original sender. An
> ACL would also work.
>
> ________________________________
>
> From: Scott M Vermillion [mailto:scott_ccie_list_at_it-ag.com]
> Sent: Sun 9/6/2009 8:55 PM
> To: Jacob Uecker
> Cc: Anantha Subramanian Natarajan; Cisco certification
> Subject: Re: CBAC
>
>
> Hi Jacob,
>
> Yes, there are likely many ways to check -- assuming you can create the
> half-open scenario for IOS to react to in the first place. Any thoughts
> there? Yersinia or something along that line?
>
> Regards,
>
> Scott
>
> On Sep 6, 2009, at 9:07 , Jacob Uecker wrote:
>
>
> I have always heard of using TCP RSTs instead of FINs. You could always use
> a SPAN port and check :)
>
> ________________________________
>
> From: nobody_at_groupstudy.com on behalf of Anantha Subramanian Natarajan
> Sent: Sun 9/6/2009 7:21 PM
> To: Scott M Vermillion; Cisco certification
> Subject: Re: CBAC
>
> Thank you Scott M Vermillion for your thoughts and inferences.
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <scott_ccie_list_at_it-ag.com> wrote:
>
> > My understanding is that it sends TCP RST in both directions, although I
> > couldn't come up with a direct quote to offer as proof (plenty of quotes
> > that state that as fact where TCP intercept is concerned, but not CBAC
> > specifically). A TCP FIN wouldn't be my first guess, as that's the means of
> > closing an *established* socket. What we're dealing with here is half-open
> > connections instead. So my vote is on a RST, but I'm not sure how to lab
> > this up. A means to generate a TCP SYN followed by nothing else would be
> > required. No doubt such a thing exists but I'm just not sure I have it
> > readily available on any of my existing lab gear. Anyone else?
> >
> >
> > On Sep 6, 2009, at 5:17 , Andy Reid wrote:
> >
> >> Hi Anantha,
> >>
> >> I have never noticed that part of the description before: "it notifies
> >> both parties that the connection has been terminated". I can only assume
> >> that it sends a FIN packet in both directions after the timeout occurs
> >> to fully close the connection, though I have not tested this specific
> >> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> >> Can anyone else confirm or otherwise explain the action of "ip inspect
> >> tcp synwait-time"?
> >>
> >> Thanks, Andy
> >>
> >> Anantha Subramanian Natarajan wrote:
> >>
> >>> Hi Andy,
> >>>
> >>> Thank you very much for the explanation. I am trying to understand
> >>> the below highlighted statement, how it notifies the parties that the
> >>> connection is terminated, is it by sending some signal (something like
> >>> RST or ?) .... Kindly help me to understand
> >>>
> >>> "This command specifies how long the Cisco IOS waits for a TCP session
> >>> to be established (to complete three-way handshake). The default is 30
> >>> seconds. If the three way handshake is not completed by end of this
> >>> timeout, Cisco IOS removes the entry from its state table and the
> >>> dynamic entry in the ACL (before FAB) and *it notifies both parties
> >>> that the connection has been terminated*"
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>> Anantha Subramanian Natarajan
> >>>
> >>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
> >>>
> >>> Hi Anantha,
> >>>
> >>> The command "ip inspect tcp finwait-time" is used when waiting for
> >>> the FIN packets (default is 5 seconds).
> >>>
> >>> The "ip inspect tcp synwait-time" is used to protect against half
> >>> open sessions (default is 30 seconds) where the session never
> >>> becomes fully established, and therefore FIN packets are never sent.
> >>>
> >>> regards Andy
> >>>
> >>> Anantha Subramanian Natarajan wrote:
> >>>
> >>> Hi All,
> >>>
> >>> I was going through CBAC and trying to understand the different global
> >>> settings on the same. One of them was "ip inspect tcp synwait-time". The
> >>> way in which I understood it was as stated below (actually just pasting
> >>> the statements):
> >>>
> >>> "This command specifies how long the Cisco IOS waits for a TCP session
> >>> to be established (to complete three-way handshake). The default is 30
> >>> seconds. If the three way handshake is not completed by end of this
> >>> timeout, Cisco IOS removes the entry from its state table and the
> >>> dynamic entry in the ACL (before FAB) and it notifies both parties that
> >>> the connection has been terminated"
> >>>
> >>> In the above I am trying to understand what kind of notification it
> >>> provides to both the parties when the timeout is reached. Is it TCP RST
> >>> or something different?
> >>>
> >>> Kindly let me know
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>> Anantha Subramanian Natarajan
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Sep 07 2009 - 09:49:50 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART
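The synwait-time behaviour debated in this thread, as an added example that is not IOS code or anything posted to the list: a toy CBAC-style state table that replays a constructed trace of the four-router lab Scott and Jacob describe (R3's static route to null0 black-holes the SYN-ACK so R2 only ever sees the SYN), expires half-open entries once they outlive synwait-time, and records a RST to each party on teardown. Sending RSTs is the thread's working assumption rather than confirmed IOS behaviour, and the addresses, the Packet and SynwaitInspector names and the trace are all constructed.

```python
from dataclasses import dataclass

SYNWAIT_TIME = 30.0  # default "ip inspect tcp synwait-time" quoted in the thread, seconds

@dataclass(frozen=True)
class Packet:
    t: float    # seconds since the start of the trace
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST

class SynwaitInspector:
    """Toy model of the CBAC state table (not IOS code): a SYN opens a pending
    entry, the client's ACK makes it established, and a pending entry older than
    synwait_time is removed with a RST to each party (the thread's assumption)."""
    def __init__(self, synwait_time=SYNWAIT_TIME):
        self.synwait_time = synwait_time
        self.pending = {}        # (client, server) -> time the SYN was seen
        self.established = set()
        self.notifications = []  # RSTs the inspector would send on teardown

    def expire(self, now):
        for (client, server), t_syn in list(self.pending.items()):
            if now - t_syn > self.synwait_time:        # handshake never completed
                del self.pending[(client, server)]
                self.notifications.append(Packet(now, server, client, "R"))  # to the client
                self.notifications.append(Packet(now, client, server, "R"))  # to the server

    def process(self, pkt):
        self.expire(pkt.t)
        fwd = (pkt.src, pkt.dst)
        if pkt.flags == "S" and fwd not in self.pending and fwd not in self.established:
            self.pending[fwd] = pkt.t   # dynamic entry created, handshake not yet complete
        elif pkt.flags == "A" and fwd in self.pending:
            del self.pending[fwd]       # client's final ACK completes the handshake
            self.established.add(fwd)
        # A retransmitted SYN or the server's SYN-ACK does not restart the timer.

def run(trace, synwait_time=SYNWAIT_TIME, end_time=0.0):
    """Replay a trace through the inspector, then advance the clock to end_time."""
    insp = SynwaitInspector(synwait_time)
    for pkt in sorted(trace, key=lambda p: p.t):
        insp.process(pkt)
    insp.expire(end_time)
    return insp

# Constructed trace of the thread's lab: R1 (10.1.1.1) telnets R4 (10.4.4.4) through R2 (the
# inspector) and R3, whose null0 route for R1 drops R4's SYN-ACK, so that session stays
# half-open; a second host (10.1.1.2) completes its handshake normally.
TRACE = [Packet(0.0, "10.1.1.1", "10.4.4.4", "S"), Packet(3.0, "10.1.1.1", "10.4.4.4", "S"),
         Packet(1.0, "10.1.1.2", "10.4.4.4", "S"), Packet(1.1, "10.4.4.4", "10.1.1.2", "SA"),
         Packet(1.2, "10.1.1.2", "10.4.4.4", "A")]
```

Calling run(TRACE, end_time=40.0) leaves 10.1.1.2's session established and tears down 10.1.1.1's half-open entry with a RST in each direction, while run(TRACE, end_time=20.0) still has that entry pending.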