
Cisco TCP Intercept

January 03, 2018
TCP intercept is used to prevent SYN flood attacks (DoS – Denial of Service).
In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server.
In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.
TCP options that are negotiated on handshake (such as RFC 1323 on window scaling) will not be negotiated because the TCP intercept software does not know what the server can do or will negotiate.
Follow these steps to configure TCP intercept:
Optionally:
drop-mode: which half-open connection is dropped when the router is in aggressive mode; default is oldest (FIFO)
watch-timeout: time allowed for a connection to reach the established state (default 30 seconds)
finrst-timeout: time between a reset or FIN exchange and dropping the connection (default 5 seconds)
connection-timeout: how long an idle connection is still managed before it is dropped (default 24 hours)
Show commands:
show tcp intercept connections
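The procedure above as one complete IOS configuration, added here as an example that is not part of the original post; the protected server address 192.0.2.10 and the ACL number 110 are assumptions chosen for the illustration.

```cisco
! Added example (not from the original post). Assumed values: server
! 192.0.2.10, extended ACL 110. Timer values are illustrative.
!
! 1. Extended ACL that selects which SYN packets TCP intercept looks at:
!    any client towards the protected server. Everything else is ignored.
access-list 110 permit tcp any host 192.0.2.10
!
! 2. Bind TCP intercept to that ACL.
ip tcp intercept list 110
!
! 3. Watch mode: the SYN is forwarded unchanged and the router only
!    resets the half-open connection if it has not completed within
!    watch-timeout. Use "ip tcp intercept mode intercept" to have the
!    router answer the SYN itself; as the post notes, that costs
!    handshake-negotiated options such as window scaling (RFC 1323).
ip tcp intercept mode watch
!
! 4. Optional timers (post defaults: 30 s, 5 s, 24 h). A shorter
!    watch-timeout releases state held by unanswered SYNs sooner.
ip tcp intercept watch-timeout 20
ip tcp intercept finrst-timeout 5
ip tcp intercept connection-timeout 3600
!
! 5. Drop policy in aggressive mode: "random" instead of the default
!    "oldest", so a flood does not always push out the longest-waiting
!    (possibly legitimate, slow) half-open connections first.
ip tcp intercept drop-mode random
!
! 6. Thresholds that switch aggressive mode on (high) and off (low):
!    total half-open connections and new attempts per minute.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! Verification from privileged EXEC mode:
!   show tcp intercept connections
!   show tcp intercept statistics
```

The statistics output shows whether the router is currently in aggressive mode and how many half-open connections are being tracked, which is the first thing to check when tuning the thresholds.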
Mind you, it would be good to first ensure that the source addresses aren't spoofed, as is often the case with SYN floods, by using:
© Copyright 2024 PA2JFX. Hosted by Strato B.V.