Kings,

First technologies that come to mind for IOS devices will be TCP Intercept and CBAC, both having functionality to limit the maximum number of half-open sessions, using the max-incomplete options. CBAC also provides this option both globally for all connections as well as on a per-host basis.

For the ASA the main candidate here would be Threat Detection. Threat Detection is purely there for this purpose, to prevent network attacks, DoS etc., again providing incomplete session detection for both UDP and TCP. This is on by default with the 'threat-detection basic-threat' command. Good one for the lab maybe that this is disabled, so keep your eye out ; )

For some of your other options I'm not so sure. For instance, the established keyword in an ACL for me would not be a valid mitigation technique for SYN floods; I suppose it would depend on the scenario. Obviously this would prevent all new TCP connections completely, not allowing any SYN packets at all, just those TCP sessions that have already completed their 3-way handshake. So I'm on the fence with that one.

Again, NBAR is another one. NBAR's job is to classify traffic based on differing criteria that would identify specific applications at layer 4 through 7; as far as I know it does not account for this. Taking a quick look through the command ref I could not see any valid NBAR-supported protocols that would allow this.

HTH
Stu

On Fri, Mar 26, 2010 at 4:01 PM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> Need your inputs on the following ways of mitigating SYN attacks:
>
> - Preventing a SYN Attack Using ACLs
>   Using "established" keyword
>
> - Preventing a SYN Attack Using NBAR
>   ?
>
> - Preventing a SYN Attack Using Policing
>   ?
>
> - Preventing a SYN Attack Using CBAC
>   Tuning of TCP timeouts
>
> - Preventing a SYN Attack Using CAR
>   ?
>
> - Preventing a SYN Attack Using a TCP Intercept
>   Configuring high/low parameters
>
> - Preventing a SYN Attack Using the Modular Policy Framework (MPF) on
>   the Cisco ASA Security Appliance
>   Configuring of TCP timeouts with "set connections"
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
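Added configuration example (not part of either message above, and not IPexpert material): the four half-open-session controls named in the thread, written out as working IOS and ASA config so the "high/low", "max-incomplete" and "set connection" knobs can be compared side by side. The server subnet 192.0.2.0/24, the interface name, the ACL and class-map names and every threshold value are assumptions chosen for illustration; the command syntax itself is standard IOS/ASA. The "established" and NBAR options are left out on purpose, for the reasons given in the reply.

```text
! ---- IOS: TCP Intercept (hypothetical protected subnet 192.0.2.0/24) ----
! Only SYNs matching the ACL are intercepted: the router completes the
! handshake with the client itself and opens the server side only after
! the client's ACK arrives, so a spoofed SYN never reaches the server.
access-list 110 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
! Aggressive mode starts when either "high" threshold is crossed (total
! half-open connections, or new connections in the last minute) and
! stops once the count falls back below the matching "low" value.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
! In aggressive mode each new SYN evicts an existing half-open entry;
! "oldest" is more predictable than "random" against a steady flood.
ip tcp intercept drop-mode oldest
! Verify: show tcp intercept statistics / show tcp intercept connections

! ---- IOS: CBAC half-open limits, global and per host ----
ip inspect name FW tcp
ip inspect name FW udp
! Global thresholds (assumed values): total half-open sessions and
! new-session rate per minute, again with high/low hysteresis.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
! Per-destination-host limit. block-time 0 drops the oldest half-open
! session to that host; a non-zero value instead blocks all new SYNs to
! the host for that many minutes, which can itself be a DoS vector.
ip inspect tcp max-incomplete host 50 block-time 0
! Tear down half-open TCP sessions faster than the 30-second default.
ip inspect tcp synwait-time 15
interface FastEthernet0/1
 description outside (assumed)
 ip inspect FW in
! Verify: show ip inspect statistics / show ip inspect sessions

! ---- ASA: Threat Detection ----
! basic-threat is on by default; check it has not been removed. The
! syn-attack rate can be tuned so a syslog fires when embryonic
! connection drops exceed the average or burst rate (drops/second)
! over the rate-interval (seconds). Values below are assumptions.
threat-detection basic-threat
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
! Verify: show threat-detection rate syn-attack

! ---- ASA: MPF embryonic limits with "set connection" ----
! Once embryonic-conn-max is reached the ASA proxies the handshake
! (TCP Intercept with SYN cookies), so the hosts behind it never hold
! unfinished SYNs; per-client-embryonic-max caps a single source.
access-list SYN-GUARD extended permit tcp any 192.0.2.0 255.255.255.0
class-map SYN-GUARD-CLASS
 match access-list SYN-GUARD
policy-map global_policy
 class SYN-GUARD-CLASS
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
service-policy global_policy global
! Verify: show service-policy global / show conn
```

Two caveats worth keeping in mind when applying this: the IOS and ASA thresholds above are deliberately low so the behaviour is visible in a lab, and on a busy box they should be set from the observed baseline (the show commands listed) rather than copied; and the CBAC per-host block-time and the TCP Intercept drop mode both trade off an attacker's ability to evict legitimate half-open sessions against their ability to lock out a host entirely, so pick the one that matches what the scenario says must stay reachable.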
