The TCP Intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.
A SYN-flooding attack occurs when a hacker floods a server with a barrage of connection requests. Because these messages carry unreachable return addresses, the connections can never be completed. The resulting volume of unresolved open connections eventually overwhelms the server and causes it to deny service to valid requests, thereby preventing legitimate users from connecting to websites, accessing e-mail, using FTP service, and so on.
The TCP Intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets that match an extended access list from clients to servers. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes a connection with the server on behalf of the client and knits the two half connections together transparently. Because SYN packets are intercepted, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets for the duration of the connection. The number of SYN packets per second and the number of concurrent connections that can be proxied depend on the platform, memory, processor, and so on.
For illegitimate requests, the configured timeouts for half-open connections and the configured thresholds for TCP connection requests protect destination servers while still allowing valid requests through.
When establishing a security policy using TCP intercept, you can choose to intercept either all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and the threshold for outstanding connections.
You can choose to operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through a router. If a connection fails to get established in a configured interval, the software intervenes and terminates the connection attempt.
TCP Intercept and Watch Modes
The TCP Intercept feature can operate in either active intercept mode or passive watch mode. The default is intercept mode.
In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for an acknowledge (ACK) from the client. When the ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When the three-way handshake is complete, the two half connections are joined.
In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If a connection request fails to establish within 30 seconds (configurable by using the watch-timeout command), the software sends a reset to the server to clear up its state.
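The difference between the two modes is easiest to see on a trace. The following is an added toy model, not Cisco's implementation: it records only the packets each side would see, with timestamps in seconds, and uses the 31-second give-up time (1+2+4+8+16) for intercept mode and the default 30-second timeout for watch mode. The flow names and the trace are constructed for the example.

```python
"""Added toy model of TCP Intercept's two modes; not Cisco's implementation.

It records only the packets each side would see, with timestamps in seconds,
so the difference between intercept mode (the server never sees a SYN from an
unreachable client) and watch mode (the SYN passes through and the router
resets it after the watch timeout) can be checked on a constructed trace.
"""

GIVE_UP_INTERCEPT = 31   # 1+2+4+8+16 s of unanswered SYN-ACK retransmissions
WATCH_TIMEOUT = 30       # default watch-mode timeout


class TcpIntercept:
    def __init__(self, mode, watch_timeout=WATCH_TIMEOUT):
        assert mode in ("intercept", "watch")
        self.mode = mode
        self.expire_after = GIVE_UP_INTERCEPT if mode == "intercept" else watch_timeout
        self.half_open = {}      # flow -> time the client's SYN arrived
        self.to_client = []      # packets the router itself sends toward the client
        self.to_server = []      # packets that actually reach the server
        self.established = []

    def client_syn(self, flow, now):
        self.half_open[flow] = now
        if self.mode == "intercept":
            self.to_client.append((flow, "SYN-ACK"))   # router answers for the server
        else:
            self.to_server.append((flow, "SYN"))        # watch mode: let it through

    def client_ack(self, flow, now):
        """Client completed its half of the handshake."""
        if flow not in self.half_open:
            return
        if self.mode == "intercept":
            # Client proved reachable: build the server-side half and join the two.
            self.to_server.append((flow, "SYN"))
            self.to_server.append((flow, "ACK"))
        self.established.append(flow)
        del self.half_open[flow]

    def tick(self, now):
        """Expire half-open flows whose client never answered."""
        for flow, t0 in list(self.half_open.items()):
            if now - t0 >= self.expire_after:
                if self.mode == "watch":
                    self.to_server.append((flow, "RST"))   # clear the server's state
                del self.half_open[flow]


def run(mode, events):
    """events: constructed (time, kind, flow) tuples; kind is syn, ack or tick."""
    box = TcpIntercept(mode)
    for now, kind, flow in sorted(events):
        if kind == "syn":
            box.client_syn(flow, now)
        elif kind == "ack":
            box.client_ack(flow, now)
        box.tick(now)
    return box


# Constructed trace: one legitimate client and one spoofed, unreachable source.
TRACE = [(0, "syn", "legit"), (1, "ack", "legit"),
         (0, "syn", "spoofed"), (40, "tick", "-")]

if __name__ == "__main__":
    for mode in ("intercept", "watch"):
        box = run(mode, TRACE)
        print(mode, "server saw:", box.to_server, "established:", box.established)
```

In intercept mode the server sees only the legitimate flow's SYN and ACK; in watch mode it sees both SYNs and then a RST for the spoofed one at the 30-second mark.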
TCP Intercept Timers and Aggressive Thresholds
In the TCP Intercept feature, two factors determine when the aggressive behavior begins and ends: the total number of incomplete connections and the number of connection requests during the last one-minute sample period. Both thresholds have default values that can be redefined. Use the ip tcp intercept max-incomplete and ip tcp intercept one-minute commands to configure aggressive thresholds.
When a threshold is exceeded, TCP intercept assumes that the server is under attack and goes into aggressive mode. In aggressive mode, the following occurs:
Each newly arriving connection causes the oldest partial connection to be deleted. (You can change this setting to a random drop mode.)
The initial retransmission timeout is reduced by half to 0.5 seconds, which cuts the total time to establish a connection by half. (When not in aggressive mode, the initial retransmission timeout is 1 second. The subsequent timeouts are 2 seconds, 4 seconds, 8 seconds, and 16 seconds. The code retransmits four times before giving up, so it gives up after 31 seconds of no acknowledgment.)
In watch mode, the watch timeout is reduced by half. (If the default is in place, the watch timeout becomes 15 seconds.)
The drop strategy can be changed from the oldest connection to a random connection by using the drop-mode random command.
Use the ip tcp intercept max-incomplete command to change the threshold for triggering aggressive mode based on the total number of incomplete connections. The default values for low and high are 900 and 1100 incomplete connections, respectively.
Use the ip tcp intercept one-minute command to change the threshold for triggering aggressive mode based on the number of connection requests received in the last one-minute sample period. The default values for low and high are 900 and 1100 connection requests, respectively. When the high value is exceeded, the aggressive behavior begins. When quantities fall below the low value, the aggressive behavior ends.
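The interplay of the high and low thresholds (hysteresis), the drop strategy and the halved timers can be exercised on a constructed SYN burst. The following is an added worked model, not Cisco's code. It follows the rules stated above (defaults 900/1100, oldest-or-random drop, halved retransmission and watch timeouts); the rule that aggressive mode starts when either counter exceeds its high value and ends only when both are below their low values is an assumption about how the two thresholds combine, as are the flow names and timings.

```python
"""Added model of TCP Intercept's aggressive-mode thresholds and timers.

Illustrative code, not Cisco's implementation.  It applies the stated rules
(low/high defaults 900/1100, oldest-or-random drop, halved retransmission and
watch timeouts) to a constructed SYN burst.  ASSUMPTION: aggressive mode begins
when EITHER counter exceeds its high value and ends when BOTH are below low.
"""
import random
from collections import OrderedDict, deque


def retransmit_schedule(aggressive):
    """SYN-ACK retransmission timeouts and the total time before giving up.

    Normal: 1, 2, 4, 8, 16 s -> gives up after 31 s.
    Aggressive: initial timeout halved, so 0.5, 1, 2, 4, 8 s -> 15.5 s.
    """
    initial = 0.5 if aggressive else 1.0
    timeouts = [initial * (2 ** i) for i in range(5)]
    return timeouts, sum(timeouts)


def watch_timeout(aggressive, configured=30.0):
    """Watch-mode timeout; halved while aggressive (default 30 s -> 15 s)."""
    return configured / 2 if aggressive else configured


class InterceptThresholds:
    """Tracks incomplete connections and the one-minute request rate."""

    def __init__(self, max_incomplete=(900, 1100), one_minute=(900, 1100),
                 drop_mode="oldest", seed=0):
        self.inc_low, self.inc_high = max_incomplete
        self.min_low, self.min_high = one_minute
        self.drop_mode = drop_mode          # "oldest" (default) or "random"
        self.rng = random.Random(seed)      # seeded so the example is repeatable
        self.incomplete = OrderedDict()     # flow -> arrival time; insertion order = age
        self.requests = deque()             # SYN arrival times within the last 60 s
        self.aggressive = False
        self.dropped = []                   # half-open flows discarded in aggressive mode

    def _rate(self, now):
        while self.requests and now - self.requests[0] >= 60:
            self.requests.popleft()
        return len(self.requests)

    def _update_mode(self, now):
        n_inc, n_rate = len(self.incomplete), self._rate(now)
        if not self.aggressive and (n_inc > self.inc_high or n_rate > self.min_high):
            self.aggressive = True
        elif self.aggressive and n_inc < self.inc_low and n_rate < self.min_low:
            self.aggressive = False

    def syn(self, flow, now):
        """A new connection request arrives at time `now` (seconds)."""
        self.requests.append(now)
        if self.aggressive and self.incomplete:
            if self.drop_mode == "random":
                victim = self.rng.choice(list(self.incomplete))
            else:
                victim = next(iter(self.incomplete))   # oldest partial connection
            del self.incomplete[victim]
            self.dropped.append(victim)
        self.incomplete[flow] = now
        self._update_mode(now)

    def completed(self, flow, now):
        """Handshake finished or half-open entry timed out: forget the flow."""
        self.incomplete.pop(flow, None)
        self._update_mode(now)

    def tick(self, now):
        """Re-evaluate the mode as the one-minute window slides."""
        self._update_mode(now)


def simulate_flood():
    """Constructed scenario: 1102 SYNs in half a second, then recovery."""
    m = InterceptThresholds()
    out = {}
    for i in range(1100):
        m.syn("syn-%d" % i, now=0.0)
    out["at_1100"] = m.aggressive            # at the high value, not yet over it
    m.syn("syn-1100", now=0.0)
    out["at_1101"] = m.aggressive            # 1101 > 1100: aggressive begins
    m.syn("syn-1101", now=0.5)               # next arrival evicts the oldest entry
    out["first_drop"] = m.dropped[0]
    for i in range(1, 300):                  # server completes 299 handshakes
        m.completed("syn-%d" % i, now=1.0)
    out["after_completions"] = m.aggressive  # 802 < 900, but the rate is still 1102
    m.tick(61.0)                             # one-minute window has emptied
    out["after_window"] = m.aggressive
    out["give_up"] = (retransmit_schedule(False)[1], retransmit_schedule(True)[1])
    return out
```

The scenario shows why both thresholds matter: draining the half-open table alone does not end aggressive mode while the one-minute request count is still above its low value.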