[nsp] TCP Intercept

Kevin Kincaid KKincaid at classmates.com
Wed Aug 6 11:02:17 EDT 2003

We have been doing some testing. We were trying stuff on the router and
stuff on the pix.
On the router side, testing intercept shot the cpu from under 20 to above
60...this was with 3 hosts simulating attacks to an internal host.  I think
we opted to turn this feature off and use the pix 6.2.3 which takes similiar
action using embryonic values set to 1.  6.2.2 had a bug so don;t try it
there, only 6.2.3 if you go that route.

my 2 cents.



-----Original Message-----
From: Sam Stickland [mailto:sam_ml at spacething.org]
Sent: Tuesday, August 05, 2003 12:01 PM
To: Cisco Nsp
Subject: [nsp] TCP Intercept

I'm got some questions about the TCP intercept feature.

Firstly, while I understand what the technical differences 
between the watch
and intercept modes are, I'm not sure what the differences in efficiency
between the two are (both in the catching of attacks and the CPU load)

Secondly, I'm not sure what good it would do to place this on the core
routers of a large network. What's the typical connections per 
second rate
that would start to overwhelm a typical server? If the incoming 
per second rate for the entire network is comparable then the 
necessary 'ip
tcp intercept max-incomplete high' setting isn't going to do 
much to protect
the servers, is it?


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list