[nsp] TCP Intercept
Steve Francis
steve at expertcity.com
Tue Aug 5 14:57:01 EDT 2003
Sam Stickland wrote:
>I've got some questions about the TCP intercept feature.
>
>
>
>Secondly, I'm not sure what good it would do to place this on the core
>routers of a large network.
>
Well, it would make it much easier for people to take down the network.
So it depends who you are trying to do good for. :-)
Generally, hosts (or well tuned modern hosts, at any rate) have much
better SYN flood resilience than you have on your router.
If you enable TCP intercept, you'll just be providing a way for
attackers to take out your core router fairly easily (by overwhelming
its CPU), and causing much greater damage than allowing them to attack
the host you were attempting to protect.
To protect your routers, either use receive ACLs if your hardware
supports them, or filter, on every interface, anything to the router's
own addresses and limit it to your own management networks (assuming
your routers can do that in hardware).
If neither of the above is true for your hardware, buy new hardware. :-)
> What's the typical connections per second rate
>that would start to overwhelm a typical server? If the incoming connections
>per second rate for the entire network is comparable then the necessary 'ip
>tcp intercept max-incomplete high' setting isn't going to do much to protect
>the servers, is it?
>
>Sam
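As an added illustration of the "filter anything to the router's own addresses on every interface" approach Steve describes (this is constructed example configuration, not from the original message or from Cisco), here is an IOS-style extended ACL applied inbound on one interface. The addresses are RFC 5737 documentation ranges chosen for the example: 198.51.100.1 is the router's own interface address, 198.51.100.2 an assumed BGP peer, and 192.0.2.0/24 the assumed management network. Transit traffic passes untouched; only packets addressed to the router itself are restricted.

```cisco
! Constructed example: protect the router's own addresses from untrusted sources.
! Assumed addresses: router interface 198.51.100.1, BGP peer 198.51.100.2,
! management network 192.0.2.0/24 (all RFC 5737 documentation ranges).
ip access-list extended PROTECT-ROUTER
 remark Management network may reach the router itself (SSH, SNMP)
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq snmp
 remark Routing protocol peer may open or answer BGP sessions
 permit tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 198.51.100.1
 remark Allow basic ICMP so path MTU discovery and troubleshooting keep working
 permit icmp any host 198.51.100.1 echo
 permit icmp any host 198.51.100.1 packet-too-big
 permit icmp any host 198.51.100.1 ttl-exceeded
 remark Everything else aimed at the router's own address is dropped and logged
 deny ip any host 198.51.100.1 log
 remark Transit traffic (not addressed to the router) is left alone
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group PROTECT-ROUTER in
```

In practice the deny entries must cover every address the router owns (all interface addresses and loopbacks), and the ACL has to be applied on every interface, otherwise an attacker simply targets the address or interface you left out. On platforms that support them, a receive ACL (`ip receive access-list`) achieves the same goal in one place, since it applies only to packets punted to the router's own control plane and does not need repeating per interface. Either way the point is that the filtering happens in hardware, so the router's CPU is never the thing being exhausted.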