TCP Reset and Blocking

Answered Question
Oct 8th, 2008

I am configuring IPS 4270-20.

I want to know how TCP Reset would reset a session without having an IP address.

Secondly, which interface would be used by ARC to control blocking and rate limiting actions on managed devices.

Regards,

Shahzad.

Correct Answer by Farrukh Haroon, Sun, 10/12/2008 - 03:28

Your switchports will be set to 'access' if you are using 'physical interface inline pair' mode and it will be a trunk when you are using 'inline vlan pair mode'.

And the following is one of Marc's posts regarding alternate tcp reset; it's rarely required:

"Under most installations the alternate tcp reset interface is not needed.

By default the TCP resets will go back out the same interface where the attack was detected.

So if your promiscuous interface is connected to a 100Mbps hub for monitoring then the tcp resets will be sent back out that same promiscuous interface into the hub.

Or if your promiscuous interface is connected to the span port of a switch, then the tcp resets will be sent back out the same promiscuous interface into that span port.

The issue becomes not whether the sensor can send the tcp resets, but if the switch will accept them. Many switches will accept tcp resets coming in from the span port. Some switches just require an extra parameter on the span configuration to tell the switch to allow incoming packets from the span port.

BUT there are some switches that do NOT allow incoming packets from their span ports.

These situations are the reason for the alternate tcp reset interface configuration.

It requires having 2 sensing interfaces (one for promiscuous monitoring, and the other used as just the alternate tcp reset interface). The command and control port can NOT be used as the alternate tcp reset interface.

You connect the promiscuous interface up to the span port of the switch. You configure the second interface as the alternate tcp reset interface of the first promiscuous interface. Then plug the second interface into the same switch (but do not make the 2nd one a span port).

Now when the sensor detects an attack on the 1st interface it will NOT send the tcp resets out the 1st interface, but instead will send out the tcp resets on the 2nd interface.

Since the switch won't accept the tcp resets from the span port you need the second interface to get the tcp resets into the switch.

This can also be done with taps (because taps have no means of accepting incoming packets).

The alternate tcp reset interface configuration is ignored when configured for inline monitoring. It is only used with promiscuous monitoring."

Regards

Farrukh


Blocking and rate limiting are performed via the command&control interface. To send a TCP RST the sensor uses the monitoring interface in both IPS and IDS modes. The RST packet contains the IP addresses of the attacker and the victim and the MAC addresses of the previous hop and the next hop. The sensor takes them all from the packet that caused a signature to fire.

In IDS (promisc.) mode you must have the "ingress" option in the SPAN "monitor session" command to allow ingress packets to the SPAN destination port. Also, if multiple VLANs are monitored, the SPAN must send 802.1q-tagged packets to the sensor, otherwise the sensor will not be able to set the correct VLAN tag in the RST packet.

HTH
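The reply above says the sensor forges the RST entirely from the packet that fired the signature. The following added example (written for this page, not Cisco's code) does that in pure Python on a constructed attacker-to-victim frame on VLAN 100: it builds the RST towards each end using only the IPs, ports, sequence numbers, previous/next-hop MACs and 802.1Q tag copied from that frame, which is why the sensing interface needs no IP address of its own. All MAC and IP values are constructed.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum used by both the IPv4 header and TCP."""
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Extract from an Ethernet[/802.1Q]/IPv4/TCP frame every field the RST reuses."""
    dmac, smac, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    tci, off = None, 14
    if etype == 0x8100:  # tagged frame: keep the whole TCI so the RST lands in the same VLAN
        tci, etype, off = (*struct.unpack("!HH", frame[14:18]), 18)
    assert etype == 0x0800 and frame[off + 9] == 6, "example handles IPv4/TCP only"
    tcp = frame[off + (frame[off] & 0xF) * 4:]  # skip the IPv4 header (IHL words)
    sport, dport, seq, ack, doff = struct.unpack("!HHIIB", tcp[:13])
    return dict(dmac=dmac, smac=smac, tci=tci, sport=sport, dport=dport, seq=seq, ack=ack,
                sip=frame[off + 12:off + 16], dip=frame[off + 16:off + 20],
                payload=len(tcp) - (doff >> 4) * 4)

def build_rst(dmac, smac, tci, sip, dip, sport, dport, seq) -> bytes:
    """Assemble one RST frame: every address is supplied by the caller, none by the sensor."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)  # flags=RST
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tag = struct.pack("!HH", 0x8100, tci) if tci is not None else b""
    return dmac + smac + tag + struct.pack("!H", 0x0800) + ip + tcp

def build_resets(frame: bytes) -> tuple:
    """Return (RST towards the original destination, RST towards the original source)."""
    p = parse_frame(frame)
    seq = (p["seq"] + p["payload"]) & 0xFFFFFFFF  # same direction: seq continues the sender's data
    fwd = build_rst(p["dmac"], p["smac"], p["tci"], p["sip"], p["dip"], p["sport"], p["dport"], seq)
    # reverse direction: MACs, IPs and ports mirrored; seq is the ack number the sender expected
    rev = build_rst(p["smac"], p["dmac"], p["tci"], p["dip"], p["sip"], p["dport"], p["sport"], p["ack"])
    return fwd, rev

def make_sample() -> bytes:
    """Constructed trigger: 10.0.0.5:40000 -> 10.0.1.9:80 on VLAN 100; dst MAC = next hop, src MAC = prev hop."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 5000, 5 << 4, 0x18, 8192, 0, 0) + b"GET "
    sip, dip = bytes([10, 0, 0, 5]), bytes([10, 0, 1, 9])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("000000000002" "000000000001") + struct.pack("!HHH", 0x8100, 100, 0x0800) + ip + tcp
```

Note that if the SPAN feed were untagged, `tci` would be `None` and the RST would leave untagged too, which is the failure the reply warns about when several VLANs are monitored.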

Ahmed Shahzad Thu, 10/09/2008 - 02:00

I have to deploy IPS 4270-20 in promisc mode and need to monitor multiple VLANs. IPS 4270-20 would be connected with 6509s.

In this scenario when the interface is operating in promiscuous mode, the sensor may not be able to send the TCP reset packets over the same sensing interface on which the attack was detected. In such cases, I have to associate the sensing interface with an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface when it is operating in promiscuous mode are instead sent out on the associated alternate TCP reset interface.

In this scenario, how would the sensing interface and Alternate TCP Reset interface be configured on the IPS? The interface connected to the 6509 would be configured as a trunk. Packets entering and leaving the IPS would be marked with a VLAN tag.

Regards,

Shahzad.

Well, new 6500 IOSes (12.2(33)SXH+) do have the "ingress" option:

monitor session 1-80 type local
source ...
destination ... ingress [learning]

I verified this with "local" and "local-tx" SPAN (PSPAN) and it seems to work well.

If your IOS supports this you should also configure the SPAN destination port as an 802.1q trunk using normal IOS commands:

interface ...
no shut
switchport
switchport trunk enc dot1q
switchport mode trunk
switchport nonegotiate
[switchport trunk allowed vlan ...]
[switchport trunk native vlan ...]

In this case you don't need to use Alt TCP Reset Interface feature. (I don't understand how multiple sensing interfaces will change this...)

In case you decided to use Alt TCP Reset Intf you would configure it on the Interfaces IDM screen -- you choose the sensing interface and the Alt TCP Reset interface for it. Alt TCP Reset Intf should also be configured as a trunk, with the same Native VLAN and the same list of allowed VLANs. Alt TCP Reset Interface cannot be used as a sensing interface.

IMO the Alt TCP Reset Intf is usually needed for IDSM-2 and the Capture feature (instead of SPAN) -- this is a complex subject to discuss. Marcabal can help you with this -- read his posts in this forum.

HTH

Ahmed Shahzad Thu, 10/09/2008 - 05:19

I have two 7609s and two 6509s. The 7609s and 6509s are interconnected at layer 2. MPLS VPNs are terminated on the 7609s, and the packets are then tagged with a VLAN and passed to the 6509s.

Some of the VLANs pass through the IPS in inline mode and some of them pass through in promiscuous mode. I have four sensing GigEthernet interfaces in the IPS 4270-20. I would like to use two interfaces for inline mode and two for promiscuous mode. In promiscuous mode one will be used as Sensing and the other will be used as Alternate TCP Reset. I think all four of the ports on the 6509s connected to the IPS would be configured as:

interface ...
no shut
switchport
switchport trunk enc dot1q
switchport mode trunk
switchport nonegotiate
[switchport trunk allowed vlan ...]
[switchport trunk native vlan ...]

Please guide if you have a reference link for such configuration of IPS and Cat 6500.

Ahmed Shahzad Thu, 10/09/2008 - 10:42

Will it work just fine, or is it the best way to complete the requirement with the four sensing ports available? :)

Regards,

Shahzad.

:) If you don't need the 4th port as a sensing port you can use it as the RST port. If your IOS version allows you to configure the SPAN destination port with the "ingress" option you can use the promisc.-sensing port as the RST port. Not a big difference IMO :)

You can open up another thread with a more specific question-subject such as "why to use an RST port if I can use a sensing one" or something like that :) Just to know what other people think.

