Kingsley
For access-list I am not sure that is a valid solution either. If you are not
allowing inbound connections then there is no threat of SYN attacks, but
there is no communication either.
For CAR:
  access-list 101 permit tcp any any syn
  ! rate-limit is configured under the inbound interface; the rate is in
  ! increments of 8000 bps and the bursts are in bytes
  rate-limit input access-group 101 8000 1000 1000 conform-action transmit exceed-action drop
For MQC:
  access-list 101 permit tcp any any syn
  class-map match-all SYN-PROTECT
   match access-group 101
  policy-map INPUT
   class SYN-PROTECT
    police 8000 conform-action transmit exceed-action drop
  ! then apply it under the interface: service-policy input INPUT
NBAR - To my knowledge not possible.
ACL using established - Not applicable.
CBAC - TCP timers and Intercept.
MPF - Setting embryonic connection maximums:
  - limiting the number of connections per host
  - setting timeouts on half-closed and embryonic connections
  - setting additional timeout parameters
As Stuart already mentioned, basic threat protection as well.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Email: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130
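The half-open connection accounting behind TCP Intercept's high/low watermarks and CBAC's per-host max-incomplete limit, written out as an added simulation (not from this thread and not Cisco code). The watermark and per-host values, the host names and the packet list are constructed for the demo.

```python
from collections import OrderedDict, Counter

class HalfOpenTracker:
    """Tracks embryonic (SYN seen, handshake not completed) connections."""

    def __init__(self, high=4, low=2, per_host_max=3):
        # Thresholds are demo assumptions, not IOS or ASA defaults.
        self.high, self.low, self.per_host_max = high, low, per_host_max
        self.embryonic = OrderedDict()   # (src, dst) -> True, oldest first
        self.per_host = Counter()        # destination host -> half-open count
        self.aggressive = False

    def _remove(self, key):
        if self.embryonic.pop(key, None) is not None:
            self.per_host[key[1]] -= 1
        if self.aggressive and len(self.embryonic) < self.low:
            self.aggressive = False      # back below the low watermark

    def syn(self, src, dst):
        """New SYN arrives: returns the action taken."""
        key = (src, dst)
        if key in self.embryonic:
            return "ignore:duplicate"
        if self.per_host[dst] >= self.per_host_max:
            return "drop:per-host-max"   # CBAC max-incomplete host / MPF embryonic cap
        evicted = None
        if len(self.embryonic) >= self.high:
            self.aggressive = True       # high watermark reached
        if self.aggressive:
            evicted = next(iter(self.embryonic))
            self._remove(evicted)        # aggressive mode: oldest half-open goes
        self.embryonic[key] = True
        self.per_host[dst] += 1
        return f"evict:{evicted[0]}" if evicted else "allow"

    def ack(self, src, dst):
        """Handshake completed: the connection is no longer embryonic."""
        self._remove((src, dst))
        return "established"

def simulate(events, **kw):
    """Runs a constructed (kind, src, dst) packet list; returns actions and tracker."""
    t = HalfOpenTracker(**kw)
    actions = [t.syn(s, d) if k == "SYN" else t.ack(s, d) for k, s, d in events]
    return actions, t

# Constructed sample: one client completes its handshake, spoofed sources never do.
SAMPLE = [("SYN", "10.0.0.5", "srv-a"), ("ACK", "10.0.0.5", "srv-a")]
SAMPLE += [("SYN", f"198.51.100.{i}", "srv-b") for i in range(1, 5)]
SAMPLE += [("SYN", f"198.51.100.{i}", "srv-c") for i in range(5, 9)]

if __name__ == "__main__":
    for ev, act in zip(SAMPLE, simulate(SAMPLE)[0]):
        print(ev, "->", act)
```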
From: [email protected] On Behalf Of Stuart Hare
Sent: Friday, March 26, 2010 4:13 PM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Need inputs on mitigating syn attacks
Kings,
First technologies that come to mind for IOS devices will be TCP Intercept
and CBAC, both having functionality to limit the maximum number of half open
sessions, using the max-incomplete options. CBAC also provides this option
both globally for all connections as well as on a per host basis.
For the ASA the main candidate here would be Threat Detection. Threat
detection is purely there for this purpose, to prevent network attacks, DoS
etc., again providing incomplete session detection for both UDP and TCP.
This is on by default with the 'threat-detection basic-threat' command. A good
one for the lab maybe is that this is disabled, so keep your eye out ; )
For some of your other options I'm not so sure. For instance the established
keyword in an ACL for me would not be a valid mitigation technique for SYN
floods; I suppose it would depend on the scenario. Obviously this would
prevent all new TCP connections completely, not allowing any SYN packets at
all, just those TCP sessions that have already completed their 3-way
handshake. So I'm on the fence with that one.
Again, NBAR is another one. NBAR's job is to classify traffic based on
differing criteria that would identify specific applications at layer 4 thru
7; as far as I know it does not account for this. Taking a quick look
through the command ref I could not see any valid NBAR supported protocols
that would allow this.
HTH
Stu
On Fri, Mar 26, 2010 at 4:01 PM, Kingsley Charles
<[email protected]> wrote:
Hi all
Need your inputs on the following ways of mitigating SYN attacks:
* Preventing a SYN Attack Using ACLs
    Using "established" keyword
* Preventing a SYN Attack Using NBAR
    ?
* Preventing a SYN Attack Using Policing
    ?
* Preventing a SYN Attack Using CBAC
    Tuning of TCP timeouts
* Preventing a SYN Attack Using CAR
    ?
* Preventing a SYN Attack Using TCP Intercept
    Configuring high/low parameters
* Preventing a SYN Attack Using the Modular Policy Framework (MPF) on
  the Cisco ASA Security Appliance
    Configuring of TCP timeouts with "set connection"
With regards
Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com