TCP intercept

TCP intercept is used to prevent SYN flood attacks (DoS – Denial of Service).

In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server.

In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

TCP options that are negotiated on handshake (such as RFC 1323 on window scaling) will not be negotiated because the TCP intercept software does not know what the server can do or will negotiate.

Follow these steps to configure TCP intercept:

  1. Configure an ACL with source and/or destination
    Source = TCP source, destination = server
    access-list [extended] permit tcp [source] [destination] ...
  2. Enable TCP intercept:
    ip tcp intercept list [ACL]

Optionally:

  • ip tcp intercept mode intercept|watch
  • ip tcp intercept drop-mode oldest|random
  • ip tcp intercept watch-timeout [seconds]
  • ip tcp intercept finrst-timeout [seconds]
  • ip tcp intercept connection-timeout [seconds]
  • aggressive-mode thresholds: total incomplete connections, or incomplete connections per minute, each with [low|high] watermarks

drop-mode: default is oldest (FIFO)
watch-timeout: time allowed to reach the established state (30 sec default)
finrst-timeout: time between a reset/FIN exchange and dropping the connection (5 sec default)
connection-timeout: how long an idle connection is managed (24 hours default)

Show commands:

show tcp intercept connections
show tcp intercept statistics


Mind you, it is a good idea to first ensure that the source addresses aren’t spoofed, as is often the case with SYN floods, by using unicast RPF:

ip verify unicast source reachable-via [rx|any] [further options available]
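The steps above pulled together into one configuration, added here as an example (not from the page or from Cisco's documentation); the server address 192.0.2.10, ACL number 101, the interface name and the timer/threshold values are assumed placeholders:

```cisco
! Constructed example, not from the page or Cisco documentation.
! 192.0.2.10 is a placeholder server address; ACL 101 and the
! interface name are assumptions.
!
! Step 1: extended ACL selecting the TCP traffic to protect
!         (any source, destination = the server)
access-list 101 permit tcp any host 192.0.2.10
!
! Step 2: enable TCP intercept for connections matching ACL 101
ip tcp intercept list 101
!
! Optional tuning (values are illustrative, not recommendations)
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 20          ! only used in watch mode
ip tcp intercept finrst-timeout 10
ip tcp intercept connection-timeout 3600
!
! Aggressive-mode thresholds: total incomplete connections and
! incomplete connections per minute, each with low/high watermarks
ip tcp intercept max-incomplete low 900
ip tcp intercept max-incomplete high 1100
ip tcp intercept one-minute low 900
ip tcp intercept one-minute high 1100
!
! Unicast RPF on the client-facing interface, so spoofed sources are
! dropped before TCP intercept has to proxy them
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
!
! Verification (exec mode, not configuration mode)
show tcp intercept connections
show tcp intercept statistics
```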

CCO Reference
