Re: syn fin acls [7:11264]

2001-07-09 Thread Priscilla Oppenheimer

That doesn't sound valid to me. Its only purpose would be a port scan to 
determine if a port is open. With that said, however, there are legitimate 
reasons for doing port scans. Sometimes they are used to test which ports 
are open so that those ports can be explicitly secured.

Priscilla

At 04:25 PM 7/7/01, Mike Mandulak wrote:
Would there be any valid reason for having both the syn and fin flags set in
the same packet? My IDS reports are saying that it is usually from a port
scan.

MikeM


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11521&t=11264
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: syn fin acls [7:11264]

2001-07-09 Thread Priscilla Oppenheimer

At 07:32 PM 7/9/01, Mike Mandulak wrote:
Thank you Priscilla, that's what I thought. Now for part 2 of this question.
The syn w/fin packets are coming in from our internet connections, so I
started looking at putting acls on the serial ints of these routers, I see
that I can create one with the syntax of

access-list 101 deny tcp * * syn fin

The question: is this a boolean syn AND fin, or is it syn OR fin? I tried
putting it on our test link and it seemed to prevent an application from
working.

Hmm. Good question to which I have no answer. My routers don't let me enter 
syn or fin. (They are kind of old.) I hope you don't mind if I forward this 
to the group for an answer. If it's an OR then it's going to break 
legitimate sessions. I bet it is an OR.


Also, I'm looking at using the rate-limit command to defend against DDoS, but
I think I'm going to need to some of the routers. I've heard that this
command will put a big performance hit on the CPU; any comments?

That does seem like a rather drastic plan that could affect performance. 
Not only could it affect the router, but it could rate limit legitimate 
traffic.

What problem are you trying to solve, by the way? Are you trying to protect 
an inside server from SYN floods? Have you considered TCP Intercept? It 
might help. Not sure though. More info here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfdenl.htm#1000892

Good luck!

Priscilla


TIA!
Mike Mandulak

- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Monday, July 09, 2001 2:07 PM
Subject: Re: syn fin acls [7:11264]


  That doesn't sound valid to me. Its only purpose would be a port scan to
  determine if a port is open. With that said, however, there are legitimate
  reasons for doing port scans. Sometimes they are used to test which ports
  are open so that those ports can be explicitly secured.

  Priscilla

  At 04:25 PM 7/7/01, Mike Mandulak wrote:
  Would there be any valid reason for having both the syn and fin flags set in
  the same packet? My IDS reports are saying that it is usually from a port
  scan.

  MikeM

  Priscilla Oppenheimer
  http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11617&t=11264
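Added example, not part of this thread and not Cisco's code: a small Python script that decodes the TCP flag byte from a raw IPv4/TCP packet and compares the two possible readings of a `syn fin` match, "all listed flags set" versus "any listed flag set", against a few hand-built packets (a handshake SYN, a data PSH/ACK, a graceful-close FIN/ACK, and a SYN+FIN probe of the kind Mike's IDS flagged). It does not settle what IOS does with `access-list 101 deny tcp ... syn fin`; it only shows what each semantics would drop. The packets, addresses and ports are constructed for the example, and the function names are my own.

```python
"""
Added example (not from the original thread): decode TCP flags from a raw
IPv4/TCP packet and compare "all listed flags set" (AND) with "any listed
flag set" (OR) for a rule naming syn and fin.  All packets below are
constructed by hand for the example; nothing here is captured traffic.
"""
import struct

# Low six bits of TCP header byte 13 (CWR/ECE in the top two are ignored).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20}


def tcp_flags_from_ipv4(packet: bytes) -> int:
    """Return the six classic TCP flag bits of an IPv4/TCP packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # protocol field: 6 = TCP
        raise ValueError("not a TCP segment")
    tcp = packet[ihl:]
    if len(tcp) < 14:
        raise ValueError("truncated TCP header")
    return tcp[13] & 0x3F                 # byte 13 holds the flag bits


def flag_names(flags: int) -> list[str]:
    """Human-readable names of the set flag bits, in TCP_FLAGS order."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


def matches(flags: int, wanted: list[str], mode: str) -> bool:
    """mode='all': every named flag set (AND); mode='any': at least one (OR)."""
    mask = 0
    for name in wanted:
        mask |= TCP_FLAGS[name]
    if mode == "all":
        return flags & mask == mask
    if mode == "any":
        return flags & mask != 0
    raise ValueError(f"unknown mode {mode!r}")


def build_packet(flags: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Construct a minimal IPv4 + TCP header pair carrying the given flag byte
    (constructed sample data; checksums are left zero on purpose)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4,        # data offset = 5 words, no options
                      flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]),      # src 192.0.2.10 (TEST-NET-1)
                     bytes([198, 51, 100, 5]))    # dst 198.51.100.5 (TEST-NET-2)
    return ip + tcp


# Constructed samples: three packets every normal session contains, plus the probe.
SAMPLES = {
    "handshake SYN": build_packet(TCP_FLAGS["syn"]),
    "data PSH/ACK": build_packet(TCP_FLAGS["psh"] | TCP_FLAGS["ack"]),
    "graceful close FIN/ACK": build_packet(TCP_FLAGS["fin"] | TCP_FLAGS["ack"]),
    "scan probe SYN/FIN": build_packet(TCP_FLAGS["syn"] | TCP_FLAGS["fin"]),
}


def evaluate(mode: str) -> dict[str, bool]:
    """Which samples would a 'deny tcp ... syn fin' rule drop under each semantics?"""
    return {name: matches(tcp_flags_from_ipv4(pkt), ["syn", "fin"], mode)
            for name, pkt in SAMPLES.items()}


def is_syn_fin_probe(packet: bytes) -> bool:
    """AND semantics only: SYN and FIN set in the same segment."""
    return matches(tcp_flags_from_ipv4(packet), ["syn", "fin"], "all")


if __name__ == "__main__":
    for mode in ("all", "any"):
        print(f"match-{mode}:")
        for name, dropped in evaluate(mode).items():
            print(f"  {name:24s} -> {'DROP' if dropped else 'pass'}")
```

Under the "all" reading only the SYN+FIN probe is dropped; under the "any" reading every session's opening SYN and closing FIN are dropped as well, which is exactly the breakage Priscilla predicts for an OR. The `is_syn_fin_probe` check is what an IDS signature for this probe amounts to: in a normal TCP session the two flags do not appear in the same segment.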



syn fin acls [7:11264]

2001-07-07 Thread Mike Mandulak

Would there be any valid reason for having both the syn and fin flags set in
the same packet? My IDS reports are saying that it is usually from a port
scan.

MikeM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11264&t=11264