Security Basics mailing list archives

RE: TCP Intercept


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 10 Oct 2003 09:15:41 -0600

I was basing my original reply on 'theoretical' application.

I've done a bit of reading on the more practical implications of this
"feature" and found that most people favor leaving it off anyway, since it
generally causes more problems than it solves.

Here's a great example:

I can relate an experience
from a few years ago where I enabled TCP intercept in desperation on an
old platform (7500/RSP2) to help save a host from a SYN flood.  The host
was running an older version of a major brand-name operating system that
was either improperly tuned or just plain didn't handle SYN floods well.
I had strong reservations about doing this, but I did it anyway.  It
certainly did protect the host from the SYN flood...and all other network
traffic.  Basically, the router kicked over under the load.  Not a big
surprise to me (fortunately, I had console access to the router and
TCP intercept was easily disabled).

I would definitely shy away from using it under most circumstances.
michael

Generally, the consensus I've run across in my reading last night is that
TCP Intercept requires too much of the router's resources to be practical.
If it has very little to do, it can protect the hosts from crashing, but any
sustained, rapid attack is likely to overwhelm the router's CPU and bring
down the whole network.

A lot of administrators suggest IP-stack tuning on the individual hosts to
be much more effective and robust.  Check out this page:
http://www.cymru.com/Documents/ip-stack-tuning.html

Eric

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Thursday, October 09, 2003 5:30 PM
To: Hagen, Eric
Cc: security-basics () securityfocus com
Subject: RE: TCP Intercept


Well--I tried it with FTP... and it didn't work!

This FTP was over a secure tunnel.  The tunnel was up and running, but FTP 
wouldn't pass through it with TCP Intercept enabled.  More correctly, one 
couldn't even log in to the FTP.  It was as if the server didn't exist.

Cisco's blurb on the matter (on their website) suggests that TCP Intercept 
doesn't know what to do with TCP options that are negotiated at the 
server.  It doesn't know about the options or what to do with them, so it 
doesn't do anything with them.  TCP intercept does not negotiate on any 
level, just a handshake in the middle to "knit" the connection back 
together.  FTP would seem to fall under that category of something that 
requires TCP service negotiation.


"Hagen, Eric" <ehagen () DenverNewspaperAgency com>
10/09/2003 05:26 PM

To: JGrimshaw () ASAP com
cc: security-basics () securityfocus com
Subject: RE: TCP Intercept

TCP intercept works with all TCP traffic, including FTP.  It intercepts TCP
SYN packets and attempts to initiate the connection for the server, later
knitting them together once the connection is successful.  This kicks in to
take the load off the servers in the event of a SYN flood.

There's also the "watch" mode in IOS, which simply watches for TCP SYN
requests; those sent with no SYN-ACK -> ACK following are aggressively
terminated by the router in order to prevent server timeouts (sometimes over
a minute) from affecting their ability to handle a SYN attack and still have
something left over to serve to legitimate services.

Either way, they should not break ANY services that follow the TCP protocol
standards as far as I'm aware.  That includes FTP.  The interaction with the
router is totally seamless and invisible to the client and server.

It's probably best to only enable it for important servers, reducing the
risk that the router itself becomes bogged down in handling TCP Intercept
operations for non-critical hosts.

I'm curious if there was any information I'm not aware of that would make
you think that TCP Intercept would not work for FTP?   Just curious.

Eric Hagen


-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Thursday, October 09, 2003 7:22 AM
Cc: security-basics () securityfocus com
Subject: TCP Intercept


Hi everyone,

I was wondering, is there a way to use TCP Intercept with FTP transfers? I
am thinking that by the very nature of the beast, it does not.

With that in mind, what other TCP services should one avoid "protecting" 
with TCP Intercept?  What is it best used for?  Cisco's web site is a 
little sketchy.

I would like to use TCP Intercept to block DoS attacks against a public 
range of addresses I oversee.  However, I have concerns that the TCP 
Intercept isn't going to work in all occasions, and would prefer not to be 
kicked out the door when something critical stops working because I 
protected it.

Any ideas? 

Thanks, 

jeff
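
Editor's added example (not from anyone in the thread, and not copied from
Cisco's documentation): an IOS configuration sketch that follows Eric's
advice to scope TCP Intercept to the few servers worth the router's CPU, and
shows the two modes he describes (full intercept, where the router answers
the SYN itself and later knits the connection together, and watch mode,
where the router only ages out half-open connections). The addresses are
RFC 5737 placeholders, the threshold numbers are arbitrary, and the
trailing default values in the comments are the IOS defaults as documented
for these commands; check them against your own IOS release.

```cisco
! Added example configuration, not from the thread or Cisco's docs.
! Addresses are RFC 5737 placeholders; thresholds are arbitrary starting points.
!
! 1. Scope. The access list selects which connections are intercepted.
!    Source is "any" (the attacker is unknown); destination is only the
!    hosts you actually need protected, so the router does not burn CPU
!    tracking half-open connections for non-critical servers.
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.11 eq 25
ip tcp intercept list 101
!
! 2a. Intercept mode (the IOS default). The router completes the
!     handshake with the client on the server's behalf, opens its own
!     connection to the server, then splices the two. Every half-open
!     client connection is state held on the router.
! ip tcp intercept mode intercept
!
! 2b. Watch mode. The SYN is passed through untouched; the router only
!     watches the three-way handshake and sends the server a RST for any
!     connection not completed within watch-timeout (default 30 s), so
!     the server's own backlog entry is freed early.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
!
! 3. Aggressive mode (applies in both modes). When the count of
!    half-open connections exceeds max-incomplete high, or the rate of
!    connection attempts in the last minute exceeds one-minute high, the
!    router drops an existing half-open connection for each new SYN
!    (drop-mode oldest or random) and halves its retransmission and
!    watch timeouts. It returns to normal once both counts fall below
!    the "low" values. Defaults: high 1100, low 900 for both pairs.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode oldest
!
! 4. Verify during a test, and watch the router's own CPU; if it climbs
!    the way Michael's 7500 did, the whole feature is removed with a
!    single command from the console:
!   show tcp intercept connections
!   show tcp intercept statistics
!   show processes cpu
!   configure terminal
!    no ip tcp intercept list 101
```

Usage note: only one "ip tcp intercept mode" line is active in the sketch
(watch); the intercept-mode line is left as a comment so the two can be
compared side by side. Watch mode keeps the router out of the client-server
handshake, which is why it is cheaper for the router; whether it is enough
for a given server depends on how that host's stack handles its own SYN
backlog, which is the host-side tuning Eric points to above.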

