Timing of Shunning

Hi,

I would like to know the timing of router shunning.

Is the shunning executed after the first attack has completed? In this case, the first attack cannot be blocked, and the later attacks are blocked by the router, I think.

For example, if we enabled the router shunning function, and a "DNS Zone transfer from High Port" alert is detected, can the attacker gain the DNS Zone information? How about other signatures?

If we want to block the first attack, should we use the TCP Reset function for TCP based attacks?

Thank you,

Daiichiro Beppu

NTT DATA SECURITY

Japan

1 REPLY
Cisco Employee

Re: Timing of Shunning

Shunning occurs as soon as the signature is detected and triggered, if it is configured for shunning; it does not wait for the first attack to complete. With something like a DNS zone transfer, which uses TCP, if the 3-way handshake is already complete, the downloaded ACL will not deny the first session from the router's perspective, since it is already established, and it will probably complete.

I would strongly recommend that you configure TCP Reset along with shunning. As soon as the signature is detected, it will reset the current session, and the shun ACL will take care of the subsequent sessions; that way you are well protected.

HTH

R/Yusuf
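The sequence described in the reply, as an added illustration that is not part of the original thread and not Cisco code: a stateful router that receives a shun ACL from the sensor, a sensor that fires on a stand-in "AXFR" zone-transfer signature, and a constructed six-packet trace. The addresses, ports and the "AXFR" match string are all assumed sample values. The model only clears the router's flow table on reset (the RST sent to both endpoints is not modelled) and treats an established flow as not re-evaluated against the shun ACL, which is the behaviour the reply describes.

```python
"""Timing of IPS shunning versus TCP reset, modelled on a constructed packet trace."""
from dataclasses import dataclass, field

ATTACKER = "192.0.2.10"        # constructed sample addresses
DNS_SERVER = "198.51.100.53"


@dataclass
class Packet:
    t: int              # time step in the trace
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data, "R" reset
    payload: str = ""


@dataclass
class Router:
    """Stateful router whose shun ACL is populated by the sensor."""
    shun_acl: set = field(default_factory=set)   # source IPs denied for new sessions
    flows: set = field(default_factory=set)      # (src, sport, dst, dport) of accepted flows

    def forward(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "R" in p.flags:                       # a reset tears the flow down in both directions
            self.flows.discard(key)
            self.flows.discard(rev)
            return "reset"
        if key in self.flows or rev in self.flows:
            return "pass (established)"          # existing flow is not re-checked against the shun ACL
        if p.flags != "S":
            return "drop (no flow)"              # data for a flow the router no longer knows
        if p.src in self.shun_acl:
            return "drop (shun ACL)"             # new session from a shunned source
        self.flows.add(key)
        return "pass (new flow)"


class Sensor:
    """Fires on a stand-in zone-transfer signature, shuns the source, optionally resets."""
    def __init__(self, router: Router, tcp_reset: bool):
        self.router, self.tcp_reset = router, tcp_reset
        self.alerts = []

    def inspect(self, p: Packet) -> None:
        if "AXFR" in p.payload:                  # assumed match string, not a real signature
            self.alerts.append(p.t)
            self.router.shun_acl.add(p.src)      # shun is pushed immediately on detection
            if self.tcp_reset:                   # reset the current session as well
                self.router.forward(Packet(p.t, p.dst, p.src, p.dport, p.sport, "R"))


def trace() -> list:
    """Constructed trace: handshake, AXFR request, zone data, then a second attempt."""
    return [
        Packet(1, ATTACKER, DNS_SERVER, 40000, 53, "S"),
        Packet(2, DNS_SERVER, ATTACKER, 53, 40000, "SA"),
        Packet(3, ATTACKER, DNS_SERVER, 40000, 53, "A"),
        Packet(4, ATTACKER, DNS_SERVER, 40000, 53, "PA", "AXFR example.com"),
        Packet(5, DNS_SERVER, ATTACKER, 53, 40000, "PA", "zone records"),
        Packet(6, ATTACKER, DNS_SERVER, 40001, 53, "S"),
    ]


def simulate(tcp_reset: bool) -> dict:
    router = Router()
    sensor = Sensor(router, tcp_reset)
    verdicts = {}
    for p in trace():
        verdicts[p.t] = router.forward(p)
        if verdicts[p.t].startswith("pass"):     # the sensor only sees traffic the router forwarded
            sensor.inspect(p)
    return {
        "verdicts": verdicts,
        "zone_data_delivered": verdicts[5].startswith("pass"),
        "second_session_blocked": verdicts[6] == "drop (shun ACL)",
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("tcp_reset =", mode, simulate(mode))
```

With shunning alone, the zone data at step 5 still passes because the flow was accepted at step 1, before the signature could fire on the request at step 4; only the fresh SYN at step 6 is dropped. With TCP reset enabled, the flow is torn down at step 4 and the zone data at step 5 no longer has a flow to ride on.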
