RE: [nsp] TCP Intercept

From: Rob Thomas (robt@cymru.com)
Date: Mon Oct 08 2001 - 14:14:41 EDT


Hi, all.

] You're thinking of the issues with using blackhole routes and firewall stuff
] that Rob Thomas talks about in his Secure IOS template?

Yeah, TCP Intercept and black hole routes don't play nicely together. :)
This is because TCP Intercept turns the router into a TCP three-step
handshake proxy. If the IP address to which the router will respond (with
SYN/ACK) is within a black hole (null0) route, then the router will never
receive the final ACK and complete the setup of the socket. This will
result in a lot of incomplete entries in the TCP Intercept table, and may
create the appearance of a SYN flood. Of course, nothing in your black
hole routes should be sending you packets. :) TCP Intercept in an
asymmetric data flow also fails. So you should be very careful in both
cases.

TCP Intercept is designed to defend against only one type of DoS attack,
the SYN flood. It won't help with RST or FIN floods, ICMP floods, UDP
floods, etc. Keep in mind that TCP Intercept decreases the overall
performance of the router because it uses process switching for some of
the TCP Intercept functions. In other words, TCP Intercept may be more
of a problem than a solution. In general, I recommend its use only
when a SYN flood is discovered, and only when the end systems themselves
are incapable (e.g. low q0 and q) of surviving the attack. You may wish
to take a look at my UNIX IP Stack Tuning Guide for some end system
tuning tips.

http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

There are no issues of which I am aware with TCP Intercept and CEF/dCEF.
Keep in mind that TCP Intercept bypasses CEF for some of its functions.

I hope this helps!

Thanks,
Rob.

--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");
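The interaction Rob describes (a handshake proxy whose SYN/ACK lands in a Null0 route, leaving half-open entries that look like a SYN flood) is easy to see in a small model. The following is an added illustration for this archived thread, not Cisco code and not from the original post; the class and method names (`TcpInterceptRouter`, `receive_syn`, `receive_ack`, `simulate`), the threshold value and the sample addresses are all constructed for the example.

```python
"""Toy model of a TCP Intercept-style SYN proxy sitting in front of a server.

Added illustration only: the names below are invented for this example and
the addresses are constructed sample data, not a real deployment.
"""
from dataclasses import dataclass
import ipaddress

SERVER = "198.51.100.10"   # constructed sample server address behind the router


@dataclass
class InterceptEntry:
    client: str
    server: str
    # "SYNRCVD" = half-open (router sent SYN/ACK, no ACK seen yet)
    # "ESTAB"   = handshake completed, router would now connect to the server
    state: str


class TcpInterceptRouter:
    """Models a router that answers the three-way handshake on the server's behalf."""

    def __init__(self, null_routes=(), max_incomplete_high=3):
        # Prefixes routed to Null0: anything the router sends toward them is discarded.
        self.null_routes = [ipaddress.ip_network(n) for n in null_routes]
        # Toy stand-in for a 'max-incomplete high' style aggressive-mode trigger.
        self.max_incomplete_high = max_incomplete_high
        self.table = {}  # (client, server) -> InterceptEntry

    def is_null_routed(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.null_routes)

    def receive_syn(self, client, server):
        """A client SYN arrives: record a half-open entry and send SYN/ACK ourselves.

        Returns True if the SYN/ACK could actually be delivered toward the client.
        """
        self.table[(client, server)] = InterceptEntry(client, server, "SYNRCVD")
        # The SYN/ACK is routed like any other packet. If the client address falls
        # inside a Null0 route it is silently dropped, so the final ACK never comes
        # and the entry stays half-open.
        return not self.is_null_routed(client)

    def receive_ack(self, client, server):
        """The client's final ACK arrives: the intercept entry becomes complete."""
        entry = self.table.get((client, server))
        if entry is None or entry.state != "SYNRCVD":
            return False
        entry.state = "ESTAB"
        return True

    def incomplete_count(self):
        return sum(1 for e in self.table.values() if e.state == "SYNRCVD")

    def looks_like_syn_flood(self):
        """True when half-open entries exceed the high-water mark."""
        return self.incomplete_count() > self.max_incomplete_high


def simulate(clients, null_routes=()):
    """Run well-behaved clients through the proxy.

    Every client would ACK if it received the SYN/ACK; the only reason an
    entry stays incomplete here is that the router could not reach the client.
    """
    router = TcpInterceptRouter(null_routes=null_routes)
    for client in clients:
        if router.receive_syn(client, SERVER):
            router.receive_ack(client, SERVER)
    return router


if __name__ == "__main__":
    clients = ["192.0.2.1", "192.0.2.2",
               "10.1.1.1", "10.2.2.2", "10.3.3.3", "10.4.4.4"]
    r = simulate(clients, null_routes=["10.0.0.0/8"])
    print("incomplete entries:", r.incomplete_count(),
          "apparent SYN flood:", r.looks_like_syn_flood())
```

With the `10.0.0.0/8` Null0 route in place, four perfectly ordinary clients never complete the handshake and the table crosses the toy threshold; remove the null route and the same clients leave zero incomplete entries. In real traffic those null-routed sources should not be talking to you at all, which is the point Rob makes, but the model shows why the symptom is indistinguishable from a SYN flood from the intercept table alone.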



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:50 EDT