TCP Intercept for DoS Attack Prevention (CCIE Notes)

TCP Intercept

  • It protects a TCP server from TCP SYN-flooding (DoS) attacks.
  • It intercepts and validates TCP connection requests.
  • It establishes the connection with the client on behalf of the destination server and, if that succeeds, establishes a connection with the server on behalf of the client and knits the two half connections together transparently.
  • Either all requests can be intercepted or those coming from specific networks or destined for specific servers.

Modes of Operation:

Intercept Mode

  • This is the default mode.
  • Performs a three-way handshake with the client; if successful, sends the original SYN packet to the destination server and performs a three-way handshake with the server.
  • When this is completed, the two half connections are joined.

Watch mode

  • Connection requests are allowed to pass through the router to the server but are watched until they become established.
  • If a request fails to become established within 30 seconds (the default), the software sends a reset (RST) to the server to clear its half-open state.

Analyzing FW Monitor Output in CLI

If you understand the inspection points in Check Point and can use FW Monitor to get the required logs/captures, then you can read further on how to analyze those logs.

So to start off with, let's see what the different fields are in the above picture of a sample log from the console:

Debug F5 monitor response from the server

It is quite simple to see if a pool member failed its health check by checking the pool status via the GUI/CLI, and the ltm logs also give you more information on the timeline of when the pool went down/up:

cd /var/log
cat ltm | grep

But what if you've configured a custom health monitor for a particular pool, that pool is now down, and you know it's the monitor that is failing it? You've verified that the F5 is indeed sending the monitor traffic to the nodes. You run some captures on the interface or on an intermediary firewall and see that the node is sending replies as well. Now, what if you want to check the contents of the server's response during that time from the F5 itself?

So here are the step-by-step instructions you need to follow to get that information:

OSPF neighbor relationship process

1. Determine the Router ID

  • It is the router's name in the OSPF process. It's always advisable to hard-code the router-id.
  • Selection order: configured router-id > loopback interface IP > active physical interface IP

2. Add interfaces to the link-state database (done with the network command)

3. Send a Hello message on chosen interfaces

  • Hello message timer:
    Broadcast / Point-to-Point networks: every 10 seconds
    Non-Broadcast Multi-Access (NBMA) networks: every 30 seconds

Transferring licenses after RMA (Cisco)

Our ASR 1001 had a hardware failure with the SPA Interface Processor and we had to file an RMA for it. Once we got the device to the data center and started loading up the config, we realized it required the 'advipservices' and 'ipsecurity' licenses which were being used on the old router. After speaking to the licensing support team, they explained to us that we can get a license transfer in this case as this is a replacement device. We gave the serial number of the old router and the new router with the RMA and SR number that was raised with them, and she sent us a .lic file that can be loaded on the new ASR router.

If you have been looking for this, here's another way to get this done (a phone call to Cisco is definitely a better option, with the below information handy):