Duh.... Yeah that is what I was thinking of. I think my brain merged NBAR
and TCP Intercept.
I investigated both and ended up using neither.
Rob, any thoughts on NBAR.
Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.
-----Original Message-----
From: Rob Thomas [mailto:robt@cymru.com]
Sent: Monday, October 08, 2001 2:15 PM
To: Scott.Keoseyan@BroadWing.com
Cc: jlewis@packetnexus.com; nick@arc.net.my; Cisco List
Subject: RE: [nsp] TCP Intercept
Hi, all.
] You're thinking of the issues with using blackhole routes and firewall
stuff
] that Rob Thomas talks about in his Secure IOS template?
Yeah, TCP Intercept and black hole routes don't play nicely together. :)
This is because TCP Intercept turns the router into a TCP three-step
handshake proxy. If the IP address to which the router will respond (with
SYN/ACK) is within a black hole (null0) route, then the router will never
receive the final ACK and complete the setup of the socket. This will
result in a lot of incomplete entries in the TCP Intercept table, and may
create the appearance of a SYN flood. Of course, nothing in your black
hole routes should be sending you packets. :) TCP Intercept in an
asymmetric data flow also fails. So you should be very careful in both
cases.
TCP Intercept is designed to defend against only on type of DoS attack,
the SYN flood. It won't help with RST or FIN floods, ICMP floods, UDP
floods, etc. Keep in mind that TCP Intercept decreases the overall
performance of the router because it uses process switching for some of
the TCP Intercept functions. In other words, TCP Intercept may be more
of a problem than a solution. In general, I recommend its use only
when a SYN flood is discovered, and only when the end systems themselves
are incapable (e.g. low q0 and q) of surviving the attack. You may wish
to take a look at my UNIX IP Stack Tuning Guide for some end system
tuning tips.
http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html
There are no issues of which I am aware with TCP Intercept and CEF/dCEF.
Keep in mind that TCP Intercept bypasses CEF for some of its functions.
I hope this helps!
Thanks,
Rob.
-- Rob Thomas http://www.cymru.com/~robt cmn_err(CE_PANIC, "Out of coffee...");
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:19 EDT