Timing of Shunning

d.beppu
Level 1

Hi,

I would like to know the timing of router shunning.

Is the shunning executed after the first attack has completed? In this case, the first attack cannot be blocked, and the later attacks are blocked by the router, I think.

For example, if we enabled the router shunning function, and a "DNS Zone transfer from High Port" alert is detected, can the attacker gain the DNS zone information? How about other signatures?

If we want to block the first attack, should we use the TCP Reset function for TCP-based attacks?

Thank you,

Daiichiro Beppu

NTT DATA SECURITY

Japan


yusuff
Cisco Employee

Shunning occurs as soon as the signature is detected and triggered, if it is configured for shunning; it does not wait for the first attack to complete. With something like a DNS zone transfer, which uses TCP, if the 3-way handshake is complete, the ACL downloaded will not deny the first session from the router's perspective, since it is already established and will probably complete.

I would strongly recommend you to configure TCP Reset along with shunning. As soon as the signature is detected, it will reset the current session, and the shun ACL will take care of the subsequent sessions; that way you are protected well.

HTH

R/Yusuf