Re: IP TCP Intercept question

From: Calil Zorby (zorby@doglover.com)
Date: Wed Nov 28 2007 - 13:36:50 ART


 Hello, Tarun!

absolute time-out = disconnect even if it has traffic on it
As was said, "The requirement is a hypothetical lab scenario, not a
real-world example. I need TCP Syn attack protection and an absolute
timeout value on the connection--for example 5 1/2 minutes."
I don't actually need to use "IP TCP intercept" only or "CBAC", but I
don't know how to do this...
What are the other ways of terminating valid connections based on time
which I can also use to protect against a SYN attack (or using different
methods together to solve this scenario)?

Thanks!!!
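The thread quoted below keeps circling three different timers: the TCP intercept "watch-timeout" (time a half-open connection may take to reach established state), the CBAC idle-time (no traffic for N seconds), and the absolute timeout the lab asks for (N seconds since the SYN, traffic or not). The following is an added simulation, not code from any poster or from Cisco IOS, that replays constructed connection events and shows which policy resets which connection; the event format, the thresholds and the 192.0.2.x addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    start: float               # time the SYN was seen
    established: bool = False  # has the three-way handshake completed?
    last_seen: float = 0.0     # time of the last packet in either direction

def evaluate(events, now, watch_timeout=30, idle_timeout=3600, absolute_timeout=330):
    """Replay (time, event, key) tuples up to `now` and classify every connection.

    watch_timeout    - seconds a half-open connection may stay unanswered before a
                       watch-mode intercept would reset it (thread default: 30 s)
    idle_timeout     - seconds without traffic before an established session is
                       torn down, in the style of CBAC "ip inspect tcp idle-time"
    absolute_timeout - seconds since the SYN after which the session is torn down
                       regardless of state or traffic (the lab's 5 1/2 minutes)
    Returns {key: 'ok' | 'reset: absolute' | 'reset: half-open' | 'reset: idle'}.
    """
    table = {}
    for t, ev, key in sorted(events):
        if t > now:
            continue                      # event has not happened yet
        if ev == "syn":
            table[key] = Conn(start=t, last_seen=t)
        elif key in table:
            table[key].last_seen = t
            if ev == "ack":               # final ACK of the handshake
                table[key].established = True
    result = {}
    for key, c in table.items():
        if now - c.start > absolute_timeout:
            result[key] = "reset: absolute"
        elif not c.established and now - c.start > watch_timeout:
            result[key] = "reset: half-open"
        elif c.established and now - c.last_seen > idle_timeout:
            result[key] = "reset: idle"
        else:
            result[key] = "ok"
    return result

# Constructed sample: (seconds, event, (client ip, client port)); all four target one server.
A, B, C, D = ("192.0.2.10", 40001), ("192.0.2.11", 40002), ("192.0.2.12", 40003), ("192.0.2.13", 40004)
EVENTS = [
    (0, "syn", A), (1, "ack", A), (200, "data", A),   # healthy, recently active session
    (250, "syn", B),                                 # half-open for 50 s at t=300
    (280, "syn", C),                                 # half-open for only 20 s at t=300
    (0, "syn", D), (1, "ack", D), (5, "data", D),    # established but silent since t=5
]

if __name__ == "__main__":
    for now in (300, 340):
        print(now, evaluate(EVENTS, now))
```

Only the `absolute_timeout` branch produces the behaviour the original question asks for; both the watch-timeout and the idle-time leave a busy, established session alone.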

  ----- Original Message -----
  From: "Tarun Pahuja"
  To: "Calil Zorby"
  Subject: Re: IP TCP Intercept question
  Date: Wed, 28 Nov 2007 09:41:19 -0500

  Calil, can you define what you mean by absolute time-out. CBAC and
  IP TCP Inspect are used to protect against SYN attacks in addition
  to other protections. They monitor half-open and idle connections to
  protect against any potential SYN attacks. These applications are
  not designed to terminate valid connections after a certain period of
  time. Can you elaborate on why you want to do this and why
  specifically you want to use IP TCP intercept or CBAC? I can tell you
  other ways of terminating valid connections based on time. Thanks, Tarun

  On Nov 27, 2007 10:36 PM, Calil Zorby <zorby@doglover.com> wrote:

     Does anyone have any idea?

     thanks

     ----- Original Message -----
     From: "Calil Zorby"
     To: ccielab@groupstudy.com
     Subject: IP TCP Intercept question
     Date: Mon, 26 Nov 2007 16:06:50 -0500

     Hello, Guys!
     I have the same doubt below...
     "I need TCP Syn attack protection and an absolute timeout value on
     the connection---for example 5 1/2 minutes."
     Does anyone have any idea about this?

     thanks,

     * Subject: RE: IP TCP Intercept question

     * From: "scott mann"

     * Date: Wed, 10 Apr 2002 21:59:32 -0700

     ------------------------------------------------------------------------

     The requirement is a hypothetical lab scenario, not a real-world
     example. I need TCP Syn attack protection and an absolute timeout
     value on the connection--for example 5 1/2 minutes. I think TCP
     intercept with Dynamic access-list is the only answer, but it seems
     like I shouldn't have to combine two different methods together to
     solve this scenario.

     From: Tarek Sabry
     Reply-To: Tarek Sabry
     To: "'Lupi, Guy'" , "'ying chang '"
     , smann0762@xxxxxxxxxxx, tsabry@xxxxxxx,
     ccielab@xxxxxxxxxxxxxx
     Subject: RE: IP TCP Intercept question
     Date: Wed, 10 Apr 2002 22:47:59 -0500

     I agree with Guy that CBAC should be used here. Now if the
     requirement is to disconnect after a period of time whether active
     or passive then that's a bit odd. Again, Guy has thrown in some
     creative ideas, but I'm not sure if they address your specific
     situation or not. My guess is that you just need to get rid of those
     idle sessions.

     You may want to give us some more info.

     Tarek

     -----Original Message-----
     From: Lupi, Guy [ mailto: Guy.Lupi@xxxxxxxxxxxxx ]
     Sent: Wednesday, April 10, 2002 8:09 PM
     To: 'ying chang '; 'smann0762@xxxxxxxxxxx ';
     'tsabry@xxxxxxxxxxxxxxxxxxx
     '; 'tsabry@xxxxxxx '; 'ccielab@xxxxxxxxxxxxxx '
     Subject: RE: IP TCP Intercept question

     I think that based on the requirement CBAC may be a better answer
     here. I don't believe that you can specify a timeout on completed
     successful sessions with TCP intercept. With CBAC however, you do
     have the ability to use "ip inspect tcp idle-time"; the default is
     3600 seconds, but you can lower it to whatever you want. This will
     cause the router to close a session that has been open and idle for
     the specified amount of time. This only specifies the time that a
     session is idle before it times out, however; if the connection is
     active I don't believe that the timeout applies, it must be idle.
     You can also specify it on a per-rule basis. CBAC also has a DOS
     attack prevention method. If the requirement truly is to disconnect
     tcp sessions after a period of time, active or not, then you may
     have to use a dynamic access-list, but the user would have to telnet
     to the router to initiate the dynamic rule. How long is the absolute
     timeout supposed to be? You could use tcp intercept and an access
     list that references a time range. If the timeout was say an hour,
     you could do something like this. Based on the time range, sessions
     would last 59 minutes, be disconnected, and then be allowed again
     after a minute for another 59 minutes. This seems a little
     ridiculous, unless the absolute timeout is like 6 hours.

     access-list 101 permit tcp any any time-range blah
     !
     time-range blah
     periodic daily 0:01 to 1:00
     periodic daily 1:01 to 2:00
     periodic daily 2:01 to 3:00
     periodic daily 3:01 to 4:00

     -----Original Message-----
     From: ying chang
     To: smann0762@xxxxxxxxxxx; tsabry@xxxxxxxxxxxxxxxxxxx;
     tsabry@xxxxxxx;
     ccielab@xxxxxxxxxxxxxx
     Sent: 4/10/2002 7:21 PM
     Subject: RE: IP TCP Intercept question

     Can you let us know why you think you don't have the answer
     already? I'd do the same thing based on my limited interpretation
     capability:

     ip tcp intercept list 101
     ip tcp intercept mode watch <--- send rst to drop half open
     connection if they don't make it in 30 secs

     ...

     access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2
     <--- watch subnet 123.4.5.0 to server 192.168.1.2

     I don't think the tcp intercept options like max-incomplete
     high/low, one-minute high/low fit the bill here. I wouldn't use them
     unless they are specifically asked.

     Chang

>From: "scott mann"
>Reply-To: "scott mann"
>To: tsabry@xxxxxxxxxxxxxxxxxxx, tsabry@xxxxxxx, ccielab@xxxxxxxxxxxxxx
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 15:12:44 -0700
>
>My requirement is to stop a TCP SYN attack from one subnet to a server
>on another. This is why I chose to use TCP intercept. However, I am
>also required to enforce an absolute timeout, but I don't know of any
>other way besides using a Dynamic access-list, and mix the two together.
>
>Thanks for your help.
>
>
>>From: Tarek Sabry
>>Reply-To: Tarek Sabry
>>To: "'scott mann'" , tsabry@xxxxxxx,
>>ccielab@xxxxxxxxxxxxxx
>>Subject: RE: IP TCP Intercept question
>>Date: Wed, 10 Apr 2002 15:27:23 -0500
>>
>>According to what I understand, this feature is for preventing DOS
>>attacks created by floods of *unsuccessful* connections. I think you
>>might need something else to achieve what you're looking for. Maybe
>>someone can enlighten us about anything that can be done on the Cisco
>>equipment to handle this.
>>
>>Sorry
>>Tarek
>>
>>-----Original Message-----
>>From: scott mann [ mailto:smann0762@xxxxxxxxxxx ]
>>Sent: Wednesday, April 10, 2002 3:08 PM
>>To: tsabry@xxxxxxx; ccielab@xxxxxxxxxxxxxx
>>Subject: RE: IP TCP Intercept question
>>
>>
>>
>>Yes, but I would like to timeout the connection even if the user DOES
>>establish the connection...I want an absolute timeout.
>>
>>Thanks
>>
>>
>> >From: Tarek Sabry
>> >Reply-To: tsabry@xxxxxxx
>> >To: 'scott mann' , ccielab@xxxxxxxxxxxxxx
>> >Subject: RE: IP TCP Intercept question
>> >Date: Wed, 10 Apr 2002 14:58:41 -0500
>> >
>> >Scott
>> >
>> >It seems that what you need is to set the "watch-timeout" and not
>> >the "connection-timeout". The former is defined as the "time allowed
>> >to reach established state". So if the user fails to establish the
>> >connection after this timeout, the router sends a reset to the server
>> >to drop the connection.
>> >
>> >So the right command (in my humble opinion) would be:
>> >
>> >"ip tcp intercept watch-timeout [seconds]"
>> >
>> >It sounds misleading to use the "watch" timeout when in "intercept"
>> >mode, but that's what the documentation says!
>> >
>> >Let's hear from experts too ....
>> >
>> >Tarek
>> >
>> >
>> >-----Original Message-----
>> >From: nobody@xxxxxxxxxxxxxx [ mailto:nobody@xxxxxxxxxxxxxx]On Behalf Of
>> >scott mann
>> >Sent: Wednesday, April 10, 2002 2:24 PM
>> >To: ccielab@xxxxxxxxxxxxxx
>> >Subject: IP TCP Intercept question
>> >
>> >
>> >Can anyone tell me if using the below command will disconnect the
>> >user/connection or simply cause the router to stop managing (keeping
>> >stats or control of) the user/connection. I want to disconnect the
>> >user/connection after a specific timeout period regardless of his
>> >authentication/TCP status.
>> >
>> >"ip tcp intercept connection-timeout [seconds]"
>> >
>> >Below is the Cisco Link, but it is not specific.
>> >
>> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
>> >
>> >Thanks,
>> >Lab in 2 days.
>> >
>> >
>> >Commercial lab list: http://www.groupstudy.com/list/commercial.html
>> >Please discuss commercial lab solutions on this list.
     _______________________________________________________________________
     Subscription information may be found at:
     http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:31 ART