[nsp] TCP Intercept
Kevin Kincaid
KKincaid at classmates.com
Wed Aug 6 11:02:17 EDT 2003
We have been doing some testing. We were trying stuff on the router and
stuff on the pix.
On the router side, testing intercept shot the CPU from under 20 to above
60... this was with 3 hosts simulating attacks to an internal host. I think
we opted to turn this feature off and use the PIX 6.2.3, which takes similar
action using embryonic values set to 1. 6.2.2 had a bug, so don't try it
there, only 6.2.3 if you go that route.
my 2 cents.
thx
kevin
-----Original Message-----
From: Sam Stickland [mailto:sam_ml at spacething.org]
Sent: Tuesday, August 05, 2003 12:01 PM
To: Cisco Nsp
Subject: [nsp] TCP Intercept
I've got some questions about the TCP intercept feature.

Firstly, while I understand what the technical differences between the watch
and intercept modes are, I'm not sure what the differences in efficiency
between the two are (both in the catching of attacks and the CPU load).

Secondly, I'm not sure what good it would do to place this on the core
routers of a large network. What's the typical connections per second rate
that would start to overwhelm a typical server? If the incoming connections
per second rate for the entire network is comparable then the necessary 'ip
tcp intercept max-incomplete high' setting isn't going to do much to protect
the servers, is it?
Sam
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
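Editor's note: the thread names the two IOS TCP intercept modes, the 'max-incomplete high' threshold and the PIX embryonic limit but shows none of the configuration. The fragment below is an added example, not configuration posted by either author. The addresses (RFC 5737 ranges), ACL numbers and threshold values are assumptions chosen for illustration; thresholds need to be sized to the protected servers' real SYN backlog, not to the network's aggregate connection rate, which is exactly Sam's point about placing this on a core router.

```text
! ---- IOS router: TCP intercept (assumed addresses and ACL number) ----
! Match only SYNs toward the protected server range; TCP intercept acts
! only on packets permitted by this list, so keep it narrow.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq www
!
! Watch mode: the router passively watches the three-way handshake and
! sends a RST to the server for any connection still half-open after
! watch-timeout seconds. Cheapest on the CPU.
ip tcp intercept list 101
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
!
! Intercept mode (replaces 'mode watch' above): the router completes the
! handshake with the client itself and only then opens the connection to
! the server. This is the mode that drove the CPU up in the test above.
! ip tcp intercept mode intercept
!
! Aggressive-mode thresholds (assumed values, the IOS defaults are 1100/900).
! Above the 'high' mark the router enters aggressive mode: each new SYN
! causes the oldest half-open entry to be dropped and the timeouts are
! halved, until the count falls back below 'low'.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Verify while under test load:
!   show ip tcp intercept statistics
!   show ip tcp intercept connections

! ---- PIX 6.2.3: per-server embryonic limit (assumed addresses) ----
! static (internal_if,external_if) global_ip local_ip netmask mask max_conns emb_limit
! max_conns 0 = unlimited. emb_limit 1 means that once one half-open
! connection exists to this host the PIX proxies further handshakes itself
! instead of passing the SYNs through to the server.
static (inside,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 0 1
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Verify:
!   show conn
!   show local-host 192.0.2.10
```

Apply the IOS part on the distribution router nearest the servers rather than on a core box, and compare 'show ip tcp intercept statistics' against the servers' own SYN backlog before trusting the thresholds; an embryonic limit of 1 on the PIX protects a single host well but means every legitimate handshake to that host is proxied, so watch the firewall's CPU the same way the router's was watched in the test above.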