Security Basics mailing list archives

RE: TCP Intercept


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Thu, 9 Oct 2003 16:26:14 -0600

TCP intercept works with all TCP traffic, including FTP.  It intercepts TCP
SYN packets and attempts to initiate the connection for the server, later
knitting them together once the connection is successful.  This kicks in and
takes the load off the servers in the event of a SYN flood.

There's also the "watch" mode in IOS, that simply watches for TCP SYN
requests that are sent with no SYN-ACK -> ACK following; these are aggressively
terminated by the router in order to prevent server timeouts (sometimes over
a minute) from affecting their ability to handle a SYN attack and still have
something left over to serve to legitimate services.

Either way, they should not break ANY services that follow the TCP protocol
standards as far as I'm aware.  That includes FTP.  The interaction with the
router is totally seamless and invisible to the client and server.

It's probably best to only enable it for important servers, reducing the
risk that the router itself becomes bogged down in handling TCP Intercept
operations for non-critical hosts.

I'm curious if there was any information I'm not aware of that would make
you think that TCP Intercept would not work for FTP?   Just curious.

Eric Hagen
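The watch-mode behaviour Eric describes, as an added example that is not part of the original post: a toy Python model that tracks each handshake and resets the half-open ones once the watch timeout passes. The sample events are constructed, and the 30 s timeout is the IOS default for `ip tcp intercept watch-timeout`.

```python
"""Toy model of TCP Intercept 'watch' mode as described above: the router
tracks each handshake and resets any not completed within the watch timeout.
Sample events are constructed, not a real capture."""
WATCH_TIMEOUT = 30.0  # seconds; IOS default for 'ip tcp intercept watch-timeout'

def expire(pending, now, timeout, resets):
    """Reset every half-open entry older than the watch timeout."""
    for key in [k for k, (started, _) in pending.items() if now - started > timeout]:
        resets.append((now, key))
        del pending[key]

def watch_mode(events, timeout=WATCH_TIMEOUT, end_time=None):
    """events: (time, client, server, flags) tuples in time order.
    pending maps (client, server) -> [syn_time, synack_seen].
    Returns (completed handshakes, resets issued, still-pending entries)."""
    pending, completed, resets = {}, [], []
    for t, client, server, flags in events:
        expire(pending, t, timeout, resets)  # a real router uses a timer, not events
        key = (client, server)
        if flags == "SYN":
            pending.setdefault(key, [t, False])
        elif flags == "SYN-ACK" and key in pending:
            pending[key][1] = True
        elif flags == "ACK" and key in pending and pending[key][1]:
            completed.append(key)  # three-way handshake finished normally
            del pending[key]
    if end_time is not None:
        expire(pending, end_time, timeout, resets)
    return completed, resets, pending

# Constructed sample: one legitimate FTP client, two flood sources that never
# send the final ACK, then another legitimate client about 35 s later.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", "SYN"),
    (0.1, "10.0.0.5", "192.0.2.10", "SYN-ACK"),
    (0.2, "10.0.0.5", "192.0.2.10", "ACK"),
    (1.0, "198.51.100.7", "192.0.2.10", "SYN"),
    (1.1, "198.51.100.7", "192.0.2.10", "SYN-ACK"),
    (1.2, "198.51.100.8", "192.0.2.10", "SYN"),
    (1.3, "198.51.100.8", "192.0.2.10", "SYN-ACK"),
    (35.0, "10.0.0.6", "192.0.2.10", "SYN"),
    (35.1, "10.0.0.6", "192.0.2.10", "SYN-ACK"),
    (35.2, "10.0.0.6", "192.0.2.10", "ACK"),
]

if __name__ == "__main__":
    done, resets, left = watch_mode(SAMPLE_EVENTS, end_time=36.0)
    print("completed:", done)
    print("reset by router:", resets, "still half-open:", left)
```

Running the same events with a server-like timeout of 75 s leaves both flood entries half-open at the end, which is the server-timeout problem the router's shorter watch timeout avoids.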


-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Thursday, October 09, 2003 7:22 AM
Cc: security-basics () securityfocus com
Subject: TCP Intercept


Hi everyone,

I was wondering, is there a way to use TCP Intercept with FTP transfers? I 
am thinking that by the very nature of the beast, it does not.

With that in mind, what other TCP services should one avoid "protecting" 
with TCP Intercept?  What is it best used for?  Cisco's web site is a 
little sketchy.

I would like to use TCP Intercept to block DoS attacks against a public 
range of addresses I oversee.  However, I have concerns that the TCP 
Intercept isn't going to work in all occasions, and would prefer not to be 
kicked out the door when something critical stops working because I 
protected it.

Any ideas? 

Thanks, 

jeff

