Security Basics mailing list archives
RE: TCP Intercept
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 10 Oct 2003 09:15:41 -0600
I was basing my original reply on 'theoretical' application. I've done a bit of reading on the more practical implications of this "feature" and found that most people favor it to be off anyway, since it generally causes more problems than it solves. Here's a great example:
I can relate an experience from a few years ago where I enabled TCP intercept in desperation on an old platform (7500/RSP2) to help save a host from a SYN flood. The host was running an older version of a major brand-name operating system that was either improperly tuned or just plain didn't handle SYN floods well. I had strong reservations about doing this, but I did it anyway. It certainly did protect the host from the SYN flood...and all other network traffic. Basically, the router kicked over under the load. Not a big surprise to me (fortunately, I had console access to the router and TCP intercept was easily disabled).
I would definitely shy away from using it under most circumstances. michael
Generally, the concensus I've run across in my reading last night is that TCP Intercept requires too much of the router's resources to be practical. If it has very little to do, it can protect the hosts from crashing, but any sustained, rapid attack is likely to overwhelm the router's CPU and bring down the whole network. A lot of administrators suggest IP-stack tuning on the individual hosts to be much more effective and robust. Check out this page: http://www.cymru.com/Documents/ip-stack-tuning.html Eric -----Original Message----- From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com] Sent: Thursday, October 09, 2003 5:30 PM To: Hagen, Eric Cc: security-basics () securityfocus com Subject: RE: TCP Intercept Well--I tried it with FTP... and it didn't work! This FTP was over a secure tunnel. The tunnel was up and running, but FTP wouldn't pass through it with TCP Intercept enabled. More correctly, one couldn't even log in to the FTP. It was as if the server didn't exist. Cisco's blurb on the matter (on their website) suggests that TCP Intercept doesn't know what to do with TCP options that are negotiated at the server. It doesn't know about the options or what to do with them, so it doesn't do anything with them. TCP intercept does not negotiate on any level, just a handshake in the middle to "knit" the connection back together. FTP would seem to fall under that category of something that requires TCP service negotiation. "Hagen, Eric" <ehagen () DenverNewspaperAgency com> 10/09/2003 05:26 PM To JGrimshaw () ASAP com cc security-basics () securityfocus com Subject RE: TCP Intercept TCP intercept works with all TCP traffic, including FTP. It intercepts TCP SYN packets and attempts to initiate the connection for the server, later knitting them together once the connection is successful. This kicks into takes the load off the servers in the event of a SYN flood. There's also the "watch" mode in IOS, that simply watches for TCP SYN requests that are sent with no SYN-ACK -> ACK following are agressively terminated by the router in order to prevent server timeouts (sometimes over a minute) from affecting their ability to handle a SYN attack and still have something left over to serve to legitimate services. Either way, they should not break ANY services that follow the TCP protocol standards as far as I'm aware. That includes FTP. The interaction with the router is totally seamless and invisible to the client and server. It's probably best to only enable it for important servers, reducing the risk that the router itself becomes bogged down in handling TCP Intercept operations for non-critical hosts. I'm curious if there was any information I'm not aware of that would make you think that TCP Intercept would not work for FTP? Just curious. Eric Hagen -----Original Message----- From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com] Sent: Thursday, October 09, 2003 7:22 AM Cc: security-basics () securityfocus com Subject: TCP Intercept Hi everyone, I was wondering, is there a way to use TCP Intercept with FTP transfers? I am thinking that by the very nature of the beast, it does not. With that in mind, what other TCP services should one avoid "protecting" with TCP Intercept? What is it best used for? Cisco's web site is a little sketchy. I would like to use TCP Intercept to block DoS attacks against a public range of addresses I oversee. However, I have concerns that the TCP Intercept isn't going to work in all occasions, and would prefer not to be kicked out the door when something critical stops working because I protected it. Any ideas? Thanks, jeff --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: TCP Intercept Hagen, Eric (Oct 09)
- RE: TCP Intercept JGrimshaw (Oct 09)
- Load Balancing on AIX system. Kiran Maraju (Oct 14)
- <Possible follow-ups>
- RE: TCP Intercept Hagen, Eric (Oct 10)
- RE: TCP Intercept JGrimshaw (Oct 09)