At 07:32 PM 7/9/01, Mike Mandulak wrote:
>Thank you Priscilla, that's what I thought. Now for part 2 of this question.
>The syn w/fin packets are coming in from our internet connections, so I
>started looking at putting acls on the serial ints of these routers, I see
>that I can create one with the syntax of
>
>access-list 101 deny tcp * * syn fin
>
>The question; is this a boolean "syn and fin" or is it "syn or fin"? I tried
>putting it on our test link and it seemed to prevent an application from
>working.

Hmm. Good question to which I have no answer. My routers don't let me enter 
syn or fin. (They are kind of old.) I hope you don't mind if I forward this 
to the group for an answer. If it's an OR then it's going to break 
legitimate sessions. I bet it is an OR.


>Also I'm looking at using the rate-limit command to defend against DDOS, but
>I think I'm going to need to some of the routers. I've heard that this
>command will put a big performance hit on the cpu, any comments?

That does seem like a rather drastic plan that could affect performance. 
Not only could it affect the router, but it could rate limit legitimate 
traffic.

What problem are you trying to solve, by the way? Are you trying to protect 
an inside server from SYN floods? Have you considered TCP Intercept? It 
might help.... Not sure though. More info here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfdenl.htm#1000892

Good luck!

Priscilla


>TIA!
>Mike Mandulak
>
>----- Original Message -----
>From: "Priscilla Oppenheimer" 
>To: 
>Sent: Monday, July 09, 2001 2:07 PM
>Subject: Re: syn fin acls [7:11264]
>
>
> > That doesn't sound valid to me. Its only purpose would be a port scan to
> > determine if a port is open. With that said, however, there are legitimate
> > reasons for doing port scans. Sometimes they are used to test which ports
> > are open so that those ports can be explicitly secured.
> >
> > Priscilla
> >
> > At 04:25 PM 7/7/01, Mike Mandulak wrote:
> > >Would there be any valid reason for having both the syn and fin flags set in
> > >the same packet? My IDS reports are saying that it is usually from a port
> > >scan.
> > >
> > >MikeM
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
________________________

Priscilla Oppenheimer
http://www.priscilla.com
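Priscilla's remark that an OR reading of the rule would break legitimate sessions can be checked mechanically. The script below is an added example for this thread, not code from the list or from Cisco: it builds a minimal TCP session (handshake, one data segment, FIN teardown) plus a SYN+FIN probe segment, all constructed inline, reads the flags byte from each raw header, and evaluates a "deny tcp ... syn fin" rule under both possible semantics, match-any (SYN OR FIN) and match-all (SYN AND FIN). It does not tell you which reading a particular IOS release applies; it only shows what each reading would drop, which is the check to run on the test link before trusting the ACL.

```python
"""Evaluate a 'deny tcp ... syn fin' rule under OR and AND semantics.

Added example, not from the mailing-list thread and not Cisco code. The
segments, port numbers and labels below are constructed for illustration.
"""
import struct

# TCP flag bits as carried in byte 13 of the TCP header (RFC 793 layout).
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

FLAG_TABLE = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]


def build_segment(sport, dport, flags, seq=0, ack=0):
    """Return a constructed 20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 65535, 0, 0)


def tcp_flags(segment):
    """Extract the flags byte from a raw TCP header."""
    if len(segment) < 14:
        raise ValueError("truncated TCP header")
    return segment[13]


def flag_names(flags):
    """Human-readable flag list, e.g. 0x03 -> 'FIN|SYN'."""
    return "|".join(name for bit, name in FLAG_TABLE if flags & bit) or "none"


def rule_matches(flags, wanted, match_all):
    """match_all=True: every bit in `wanted` must be set (SYN AND FIN).
    match_all=False: any bit in `wanted` is enough (SYN OR FIN)."""
    if match_all:
        return flags & wanted == wanted
    return flags & wanted != 0


# Constructed legitimate session between a client (port 40000) and a web server.
SESSION = [
    ("client SYN", build_segment(40000, 80, SYN)),
    ("server SYN/ACK", build_segment(80, 40000, SYN | ACK)),
    ("client ACK", build_segment(40000, 80, ACK)),
    ("client data", build_segment(40000, 80, PSH | ACK)),
    ("client FIN/ACK", build_segment(40000, 80, FIN | ACK)),
    ("server FIN/ACK", build_segment(80, 40000, FIN | ACK)),
    ("client final ACK", build_segment(40000, 80, ACK)),
]

# Constructed probe: SYN and FIN set together, the pattern the IDS reported.
PROBE = ("SYN/FIN probe", build_segment(40001, 80, SYN | FIN))


def dropped_by(rule_flags, match_all, segments):
    """Names of the segments the rule would deny under the given semantics."""
    return [name for name, seg in segments
            if rule_matches(tcp_flags(seg), rule_flags, match_all)]


def summarize():
    """Compare both readings of 'syn fin' against the session plus the probe."""
    everything = SESSION + [PROBE]
    return {
        "syn_or_fin": dropped_by(SYN | FIN, False, everything),
        "syn_and_fin": dropped_by(SYN | FIN, True, everything),
    }


if __name__ == "__main__":
    for name, seg in SESSION + [PROBE]:
        print(f"{name:18s} flags={flag_names(tcp_flags(seg))}")
    for semantics, dropped in summarize().items():
        print(f"{semantics}: drops {dropped}")
```

Under the OR reading the rule denies the client's SYN, the server's SYN/ACK and both FIN/ACK segments, so no session can open or close cleanly, which matches the "application stopped working" symptom on the test link. Under the AND reading only the SYN+FIN probe is denied. The same harness can be extended with other flag combinations (for example FIN with no ACK, or the all-flags-clear "null" pattern) to see what a candidate rule would drop before it goes on a production interface.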




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11617&t=11264
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]