RE: [nsp] TCP Intercept

From: Jason Lewis (jlewis@packetnexus.com)
Date: Mon Oct 08 2001 - 18:23:07 EDT


Duh.... Yeah that is what I was thinking of. I think my brain merged NBAR
and TCP Intercept.

I investigated both and ended up using neither.

Rob, any thoughts on NBAR?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.

-----Original Message-----
From: Rob Thomas [mailto:robt@cymru.com]
Sent: Monday, October 08, 2001 2:15 PM
To: Scott.Keoseyan@BroadWing.com
Cc: jlewis@packetnexus.com; nick@arc.net.my; Cisco List
Subject: RE: [nsp] TCP Intercept

Hi, all.

] You're thinking of the issues with using blackhole routes and firewall
] stuff that Rob Thomas talks about in his Secure IOS template?

Yeah, TCP Intercept and black hole routes don't play nicely together. :)
This is because TCP Intercept turns the router into a TCP three-step
handshake proxy. If the IP address to which the router will respond (with
SYN/ACK) is within a black hole (null0) route, then the router will never
receive the final ACK and complete the setup of the socket. This will
result in a lot of incomplete entries in the TCP Intercept table, and may
create the appearance of a SYN flood. Of course, nothing in your black
hole routes should be sending you packets. :) TCP Intercept in an
asymmetric data flow also fails. So you should be very careful in both
cases.

TCP Intercept is designed to defend against only one type of DoS attack,
the SYN flood. It won't help with RST or FIN floods, ICMP floods, UDP
floods, etc. Keep in mind that TCP Intercept decreases the overall
performance of the router because it uses process switching for some of
the TCP Intercept functions. In other words, TCP Intercept may be more
of a problem than a solution. In general, I recommend its use only
when a SYN flood is discovered, and only when the end systems themselves
are incapable (e.g. low q0 and q) of surviving the attack. You may wish
to take a look at my UNIX IP Stack Tuning Guide for some end system
tuning tips.

http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

There are no issues of which I am aware with TCP Intercept and CEF/dCEF.
Keep in mind that TCP Intercept bypasses CEF for some of its functions.

I hope this helps!

Thanks,
Rob.

--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");
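The interaction Rob describes, as an added IOS configuration sketch that is not part of his message or his Secure IOS template: the first block shows the setting where a null route and TCP Intercept collide, the second drops traffic sourced from black-holed space before Intercept ever proxies it. Interface name, ACL numbers and addresses (RFC 5737 documentation ranges) are placeholders chosen for the illustration.

```cisco
! Added illustration, not Rob's configuration. Placeholders:
!   192.0.2.10       the server TCP Intercept protects
!   198.51.100.0/24  a source range you have black-holed
!
! --- Problem setting ---
! The Null0 route only drops packets *destined* to the range. A SYN whose
! *source* is in the range still matches list 100, so the router answers
! it with SYN/ACK on the server's behalf. That SYN/ACK follows the null
! route and is lost, the final ACK never arrives, and the entry sits
! half-open in the intercept table until it times out.
ip route 198.51.100.0 255.255.255.0 Null0
access-list 100 permit tcp any host 192.0.2.10 eq 80
ip tcp intercept list 100
ip tcp intercept mode intercept
!
! --- Mitigation ---
! Discard packets sourced from black-holed space at the ingress interface,
! before TCP Intercept sees them. Strict uRPF (ip verify unicast
! reverse-path) gives the same result once the Null0 route exists, since
! the source then has no valid reverse path.
access-list 110 deny   ip 198.51.100.0 0.0.0.255 any log
access-list 110 permit ip any any
interface Serial0/0
 ip access-group 110 in
!
! Verification: a growing count of incomplete entries whose sources are
! unreachable is the "looks like a SYN flood" symptom described above.
!   show tcp intercept statistics
!   show tcp intercept connections
```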

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:19 EDT