[c-nsp] Automatic responses from events in a PIX
Justin Shore
justin at justinshore.com
Tue Oct 16 00:07:23 EDT 2007
I have a user who claims that they've configured their PIX to take an
action after it sees a certain number of rogue packets (i.e., portscan).
They claim that it's configured to stop all traffic after it sees 70
rogue packets from any one given IP.
In my years of administrating PIXs I don't recall ever coming across a
reactionary feature such as this. I haven't read about it in any of my
PIX books either, not even a warning on just how extremely risky of a
feature it is. Every reactionary software package I've ever used
(Portsentry, Fail2ban, etc.) has always warned about the risk of
reacting in such a way so as to effectively DoS yourself. That seems to
be exactly what this feature would allow a user to do: set themselves up
to be easily DoSed. The user also says they have a Sonicwall in
production but that this feature is on the PIX and not the Sonicwall. I
can't confirm this though since I have no knowledge of their design.
Has anyone else come across a feature like this?
Thanks
Justin
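The self-DoS risk the post describes can be shown in a few lines. The simulation below is an added example, not code from the post or from any Cisco product, and it makes no claim about how the PIX actually implements such a feature: it is a generic "block a source after N rogue packets" reactor of the Portsentry/Fail2ban kind. It uses the 70-packet threshold from the post, a constructed scenario in which probe packets are attributed to the site's own upstream resolver (a documentation-range address, 198.51.100.7, standing in for any critical host), and two mitigations a practitioner would want before enabling anything like this: an allowlist of addresses that must never be auto-blocked, and a time limit on automatic blocks so a bad decision expires on its own. The class and function names are mine.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ReactiveBlocker:
    """Toy threshold-based auto-block, the kind of reactor the post asks about."""
    threshold: int = 70                      # rogue packets from one source before it is blocked
    allowlist: frozenset = frozenset()       # addresses that must never be auto-blocked
    block_ttl: int = 300                     # seconds an automatic block lives before expiring
    counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked: dict = field(default_factory=dict)   # src_ip -> time the block expires

    def expire(self, now: int) -> None:
        """Drop blocks whose TTL has elapsed and reset their counters."""
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]
                self.counts[ip] = 0

    def observe(self, src_ip: str, now: int) -> bool:
        """Record one rogue packet (e.g. a port-scan probe) attributed to src_ip.

        Returns True if this packet is the one that triggers a block. The
        firewall only sees the source field of the packet, so it cannot know
        whether src_ip really sent it; that is the whole self-DoS problem.
        """
        self.expire(now)
        if src_ip in self.allowlist or src_ip in self.blocked:
            return False
        self.counts[src_ip] += 1
        if self.counts[src_ip] >= self.threshold:
            self.blocked[src_ip] = now + self.block_ttl
            return True
        return False

    def is_blocked(self, src_ip: str, now: int) -> bool:
        self.expire(now)
        return src_ip in self.blocked


def run_scenario(allowlist: frozenset) -> tuple:
    """Constructed scenario: 70 probe packets carrying the site's own resolver
    address arrive at t=0..69. Returns (blocked right after the burst,
    blocked after the block TTL has elapsed)."""
    resolver = "198.51.100.7"   # constructed: documentation-range address for a critical upstream host
    blocker = ReactiveBlocker(threshold=70, allowlist=allowlist, block_ttl=300)
    for t in range(70):
        blocker.observe(resolver, now=t)
    after_burst = blocker.is_blocked(resolver, now=70)
    after_ttl = blocker.is_blocked(resolver, now=70 + 300)
    return after_burst, after_ttl


if __name__ == "__main__":
    # Without an allowlist the reactor cuts off the resolver; the TTL limits the damage.
    print("no allowlist:", run_scenario(frozenset()))
    # With the resolver allowlisted the same burst is counted but never acted on.
    print("allowlisted:  ", run_scenario(frozenset({"198.51.100.7"})))
```

Without the allowlist the first tuple element is True: the site's own resolver is blocked after the 70th packet, which is the outcome the post warns about. The TTL is what makes the second element False, and the allowlist is what keeps the first one False; a reactor with neither control blocks the resolver and keeps it blocked.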