Security Basics mailing list archives
RE: TCP Intercept
From: JGrimshaw () ASAP com
Date: Thu, 9 Oct 2003 18:29:44 -0500
Well--I tried it with FTP... and it didn't work! This FTP was over a secure tunnel. The tunnel was up and running, but FTP wouldn't pass through it with TCP Intercept enabled. More correctly, one couldn't even log in to the FTP. It was as if the server didn't exist.

Cisco's blurb on the matter (on their website) suggests that TCP Intercept doesn't know what to do with TCP options that are negotiated at the server. It doesn't know about the options or what to do with them, so it doesn't do anything with them. TCP intercept does not negotiate on any level, just a handshake in the middle to "knit" the connection back together. FTP would seem to fall under that category of something that requires TCP service negotiation.

"Hagen, Eric" <ehagen () DenverNewspaperAgency com>
10/09/2003 05:26 PM

To: JGrimshaw () ASAP com
cc: security-basics () securityfocus com
Subject: RE: TCP Intercept

TCP intercept works with all TCP traffic, including FTP. It intercepts TCP SYN packets and attempts to initiate the connection for the server, later knitting them together once the connection is successful. This kicks in to take the load off the servers in the event of a SYN flood.

There's also the "watch" mode in IOS, which simply watches for TCP SYN requests; those sent with no SYN-ACK -> ACK following are aggressively terminated by the router in order to prevent server timeouts (sometimes over a minute) from affecting their ability to handle a SYN attack and still have something left over to serve to legitimate services.

Either way, they should not break ANY services that follow the TCP protocol standards as far as I'm aware. That includes FTP. The interaction with the router is totally seamless and invisible to the client and server. It's probably best to only enable it for important servers, reducing the risk that the router itself becomes bogged down in handling TCP Intercept operations for non-critical hosts.

I'm curious if there was any information I'm not aware of that would make you think that TCP Intercept would not work for FTP? Just curious.

Eric Hagen

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Thursday, October 09, 2003 7:22 AM
Cc: security-basics () securityfocus com
Subject: TCP Intercept

Hi everyone,

I was wondering, is there a way to use TCP Intercept with FTP transfers? I am thinking that by the very nature of the beast, it does not. With that in mind, what other TCP services should one avoid "protecting" with TCP Intercept? What is it best used for? Cisco's web site is a little sketchy.

I would like to use TCP Intercept to block DoS attacks against a public range of addresses I oversee. However, I have concerns that the TCP Intercept isn't going to work in all occasions, and would prefer not to be kicked out the door when something critical stops working because I protected it.

Any ideas?

Thanks,
jeff
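An added IOS configuration example, not taken from the thread or from Cisco's site, that applies Eric's advice to scope TCP Intercept to the important servers only and shows the watch-mode timeouts he describes. The 192.0.2.0/24 range and the host addresses are constructed stand-ins for the public range Jeff oversees.

```cisco
! Constructed example: 192.0.2.0/24 stands in for the public range; hosts are assumed.
! Only SYNs to the listed destinations are handled by TCP Intercept. The FTP server
! (assumed 192.0.2.21) is deliberately left out of the list, since intercepting it
! broke logins in the case described above.
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any host 192.0.2.25 eq 25
!
ip tcp intercept list 101
! "watch" lets the SYN through to the server and only resets connections whose
! handshake never completes; "intercept" would have the router answer the SYN itself
! and knit the two halves together afterwards.
ip tcp intercept mode watch
! Reset a watched connection if it has not reached established state within 15 seconds,
! instead of waiting out the server's own (possibly minute-long) timeout.
ip tcp intercept watch-timeout 15
! Aggressive mode: start dropping half-open connections above 1100 (total or per minute)
! and stop again once below 900; drop the oldest half-open connection first.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Verify with: show tcp intercept connections / show tcp intercept statistics
```

Before widening the access list to more hosts, check the intercept statistics under normal load so the router is not bogged down tracking connections for non-critical servers.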