During the TCP three-way handshake to establish a connection, the first packet one party sends to the other has the SYN bit set. When a device receives an initial packet requesting a service, it responds with a packet that has both the SYN and ACK bits set, then waits for the ACK reply from the source. If the sender does not reply with an ACK, the host will terminate the connection due to a timeout. While the host is waiting for this connection to time out, the connection remains in a half-open state, which consumes the host’s resources. Exhausting the host’s resources during the three-way handshake process constitutes a SYN attack. Especially when a flood of SYN packets is sent to a target host, that host will quickly crash.
TCP Intercept prevents such attacks by intercepting and validating TCP connection requests before they reach the destination host. In other words, the router establishes the connection on behalf of the server. This is when you need to configure TCP Intercept on the router to defend against this type of attack.
TCP Intercept can operate in two modes: intercept and watch. In intercept mode, the router intercepts all incoming TCP synchronization requests, establishes a connection with the client on behalf of the server, and establishes a connection with the server on behalf of the client. If both connections are successfully implemented, the router transparently merges them. The router has stricter timeout limits to prevent its own resources from being exhausted by a SYN attack. In watch mode, the router passively observes the number of half-open connections. If a configured threshold is exceeded, the router will also close the connection. ACLs are used to define the source and destination addresses subject to TCP interception.
Basic Configuration Commands:
ip tcp intercept mode{intercept/watch} Sets the TCP Intercept operating mode. The default is intercept.
ip tcp intercept list ACL-number Calls an ACL (extended) to define the source and destination addresses subject to TCP interception.
When a router determines that a server is under attack because the defined thresholds have been exceeded, it aggressively deletes connections until the number of half-open connections drops below the threshold. By default, the oldest connection is closed unless the “ip tcp interceptdrop-mode random” command is used (randomly closes a half-open connection). When the set thresholds are exceeded, the router takes the following actions:
1) Each new connection causes the oldest (or a random) connection to be deleted.
2) The initial retransmission timeout is reduced by half, down to a minimum of 0.5 seconds.
3) If in watch mode, the timeout is reduced by half, down to a minimum of 15 seconds.
Two factors determine whether the router is under attack. If either of the two high thresholds is exceeded, the router is considered to be under attack until the values drop below both of the low thresholds. The relevant parameters, their default values, and a brief description are shown below.
1) ip tcp intercept max-incomplete high number 1100
The maximum number of half-open connections allowed before the router starts deleting connections.
2) ip tcp inercept max-incomplete low number 900
The maximum number of half-open connections allowed before the router stops deleting half-open connections.
3) ip tcp intercept one-minute high number 1100
The maximum number of half-open connections allowed per minute before the router starts deleting connections.
4) ip tcp intercept one-minute low number 900
The minimum number of half-open connections allowed per minute before the router stops deleting connections.
The total number of half-open connections and the rate of half-open connections per minute are correlated. When either maximum value is reached, TCP Intercept is activated and begins deleting half-open connections. Once TCP Intercept is activated, both values must drop below the TCP Intercept low thresholds in order to stop deleting connections.
Note:
In intercept mode, the router responds to incoming SYN requests and sends a SYN-ACK packet back to the originating source IP address on behalf of the server, then waits for the client’s ACK. If an ACK is received, the original SYN packet is forwarded to the server, and the router completes the three-way handshake with the server on behalf of the original client. This mode adds extra memory and CPU overhead to the