At 07:32 PM 7/9/01, Mike Mandulak wrote:
Thank you Priscilla, that's what I thought. Now for part 2 of this question.
The syn w/fin packets are coming in from our internet connections, so I
started looking at putting acls on the serial ints of these routers, I see
that I can create one with the syntax of
access-list 101 deny tcp * * syn fin
The question: is this a boolean syn and fin or is it syn or fin? I tried
putting it on our test link and it seemed to prevent an application from
working.
Hmm. Good question to which I have no answer. My routers don't let me enter
syn or fin. (They are kind of old.) I hope you don't mind if I forward this
to the group for an answer. If it's an OR then it's going to break
legitimate sessions. I bet it is an OR.
Also I'm looking at using the rate-limit command to defend against DDOS, but
I think I'm going to need to some of the routers. I've heard that this
command will put a big performance hit on the cpu, any comments?
That does seem like a rather drastic plan that could affect performance.
Not only could it affect the router, but it could rate limit legitimate
traffic.
What problem are you trying to solve, by the way? Are you trying to protect
an inside server from SYN floods? Have you considered TCP Intercept? It
might help. Not sure though. More info here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfdenl.htm#1000892
Good luck!
Priscilla
TIA!
Mike Mandulak
- Original Message -
From: Priscilla Oppenheimer
To:
Sent: Monday, July 09, 2001 2:07 PM
Subject: Re: syn fin acls [7:11264]
That doesn't sound valid to me. Its only purpose would be a port scan to determine if a port is open. With that said, however, there are legitimate reasons for doing port scans. Sometimes they are used to test which ports are open so that those ports can be explicitly secured.
Priscilla
At 04:25 PM 7/7/01, Mike Mandulak wrote:
Would there be any valid reason for having both the syn and fin flags set in the same packet? My IDS reports are saying that it is usually from a port scan.
MikeM
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11617t=11264
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
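An added example, not from the thread and not Cisco's ACL code, that illustrates the AND-versus-OR question raised above over constructed TCP headers: a matcher that requires both SYN and FIN only hits the probe segment, while an any-flag matcher also denies ordinary SYN and FIN segments, which is why an OR interpretation would break legitimate sessions. The matcher functions, the header builder and the sample segments are all assumptions of this example; it says nothing about how any particular IOS release interprets `syn fin`.

```python
import struct

# TCP flag bits in the flags octet (byte 13 of the header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the flag bits of a raw TCP segment (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 = data offset/reserved, byte 13 = flags (low 6 bits used here).
    return segment[13] & 0x3F


def match_all(flags: int, required: int) -> bool:
    """AND semantics: every bit in `required` must be set (SYN *and* FIN)."""
    return flags & required == required


def match_any(flags: int, required: int) -> bool:
    """OR semantics: any bit in `required` is enough (SYN *or* FIN)."""
    return flags & required != 0


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header with the given flags (checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample traffic: a normal handshake SYN, a normal FIN/ACK teardown,
# and the SYN+FIN combination the IDS reports in the thread are flagging.
SAMPLES = {
    "client SYN": build_segment(40000, 80, SYN),
    "client FIN/ACK": build_segment(40000, 80, FIN | ACK),
    "SYN+FIN probe": build_segment(40000, 80, SYN | FIN),
}


def classify(matcher) -> list:
    """Names of the sample segments a 'deny ... syn fin' rule would drop under `matcher`."""
    return [name for name, seg in SAMPLES.items() if matcher(tcp_flags(seg), SYN | FIN)]


if __name__ == "__main__":
    print("AND rule denies:", classify(match_all))  # only the SYN+FIN probe
    print("OR rule denies: ", classify(match_any))  # all three, breaking normal sessions
```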