New Member

What's the difference between blocking a host and a connection?

In the MC for IDS signature config screen, I see you can now block by host or connection. The help screens do not elaborate on the difference. Muchas gracias to anyone who can explain the difference. Thanks.

3 REPLIES
New Member

Re: What's the difference between blocking a host and a connection?

From what I have observed in our router logs and the actual ACL created on the router, it would appear that:

Shun host is a single IP, whereas shun connection would be a single host and the port.

Example ACL created by the blocking process for the shun host option:

access-list 110 deny tcp any host xxx.7.10.131

Example ACL created by the blocking process for the shun connection option:

access-list 110 deny tcp any host xxx.7.10.131 eq 955

gprice

Cisco Employee

Re: What's the difference between blocking a host and a connection?

Gary hit it right on the head.

Block host shuns the attacker on all ports, whereas block connection blocks on the attacked port and protocol.

peter

Cisco Employee

Re: What's the difference between blocking a host and a connection?

Some additional information:

A Shun Host (or Block Host) will deny the source IP address, in effect denying ALL IP packets from that address:

deny ip host 10.1.1.1 any

A Shun Connection (or Block Connection) will deny just the IP packets from the source IP address to the specific destination IP address and destination port (service):

deny tcp host 10.1.1.1 host 172.21.1.1 eq telnet

NOTE: It doesn't deny just that one connection, but instead denies all connections of that type to that destination address. You will notice that the source port is not in the deny statement, so all connections for that service from the source to the destination IP will be denied, rather than just the connection in which the attack was executed.

If a user executes a web attack against a web server, then all web connections from that user's IP to that specific server IP will be blocked. But the user can still send an email, or use telnet or FTP to that server, and can continue to make web connections to other IPs.

Something to be aware of, however, is that multiple Shun Connections for the same source IP to either different destination IPs or different destination ports will cause the Shun Connections to be upgraded to a Shun Host.

This is to prevent filling up the shun table with multiple Shun Connections from the same IP.

Also, multiple Shun Connections for the same IP usually means that the IP is attacking multiple boxes or multiple services, which helps rule out the possibility of a false positive, so the sensor blocks the entire IP by upgrading it to a Shun Host.
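The behaviour described in the replies above, as an added example that is not part of the original thread and not Cisco code: a small Python model of the sensor's shun table that emits the two kinds of ACL entry (Block Host as `deny ip host <src> any`, Block Connection as `deny <proto> host <src> host <dst> eq <port>`), shows that a connection shun ignores the source port, and applies the upgrade rule where repeated connection shuns from one source become a host shun. The upgrade threshold (two distinct connection shuns) and the `Packet` field names are assumptions made for the example; the page only says "multiple".

```python
"""Model of IDS Block Host / Block Connection actions as router ACL entries.

Added example, not Cisco code. The upgrade threshold and packet field
names are assumptions; the thread only says "multiple" connection shuns
from one source are upgraded to a host shun.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ShunTable:
    def __init__(self, upgrade_after: int = 2) -> None:
        # Assumption: the second distinct connection shun for a source triggers the upgrade.
        self.upgrade_after = upgrade_after
        self.hosts: set[str] = set()
        # source IP -> set of (proto, dst, dport) connection shuns
        self.connections: dict[str, set[tuple[str, str, int]]] = {}

    def block_host(self, src: str) -> None:
        """Shun Host: deny every IP packet from src; any connection shuns become redundant."""
        self.hosts.add(src)
        self.connections.pop(src, None)

    def block_connection(self, src: str, dst: str, proto: str, dport: int) -> None:
        """Shun Connection: deny src -> dst on one service. Note: no source port is recorded."""
        if src in self.hosts:
            return  # already covered by a host shun
        conns = self.connections.setdefault(src, set())
        conns.add((proto, dst, dport))
        # Repeating the identical shun does not grow the set, so it never upgrades;
        # a different destination IP or port does.
        if len(conns) >= self.upgrade_after:
            self.block_host(src)

    def acl(self, number: int = 110) -> list[str]:
        """Render the table as IOS extended ACL lines, host shuns first."""
        lines = [f"access-list {number} deny ip host {src} any" for src in sorted(self.hosts)]
        for src in sorted(self.connections):
            for proto, dst, dport in sorted(self.connections[src]):
                lines.append(f"access-list {number} deny {proto} host {src} host {dst} eq {dport}")
        return lines

    def is_denied(self, pkt: Packet) -> bool:
        """Would this packet match a deny entry? Source port is deliberately not consulted."""
        if pkt.src in self.hosts:
            return True
        return (pkt.proto, pkt.dst, pkt.dport) in self.connections.get(pkt.src, set())


def scenario() -> dict:
    """Walk through the web-attack example from the thread (constructed sample traffic)."""
    table = ShunTable()
    # Web attack from 10.1.1.1 against 172.21.1.1 -> Block Connection.
    table.block_connection("10.1.1.1", "172.21.1.1", "tcp", 80)
    after_first = {
        "acl": table.acl(),
        # a fresh web connection (different source port) to the same server is still denied
        "web_same_server_new_sport": table.is_denied(Packet("tcp", "10.1.1.1", 40001, "172.21.1.1", 80)),
        # other services to that server, and web to other servers, still pass
        "telnet_same_server": table.is_denied(Packet("tcp", "10.1.1.1", 40002, "172.21.1.1", 23)),
        "web_other_server": table.is_denied(Packet("tcp", "10.1.1.1", 40003, "172.21.1.2", 80)),
    }
    # Repeating the identical shun changes nothing.
    table.block_connection("10.1.1.1", "172.21.1.1", "tcp", 80)
    after_repeat = {"acl": table.acl()}
    # A second connection shun against a different server upgrades to a host shun.
    table.block_connection("10.1.1.1", "172.21.1.2", "tcp", 80)
    after_second = {
        "acl": table.acl(),
        "telnet_same_server": table.is_denied(Packet("tcp", "10.1.1.1", 40002, "172.21.1.1", 23)),
    }
    return {"after_first": after_first, "after_repeat": after_repeat, "after_second": after_second}


if __name__ == "__main__":
    for stage, result in scenario().items():
        print(stage)
        for line in result["acl"]:
            print("  " + line)
```

Running the block prints the ACL after each stage: one `deny tcp host 10.1.1.1 host 172.21.1.1 eq 80` line after the first shun, unchanged after the repeat, and a single `deny ip host 10.1.1.1 any` after the second distinct shun replaces the connection entries.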
