13-6 Prevent DoS Attacks with TCP Intercept

  • TCP intercept watches TCP packets to determine whether connections are being requested but not completed.

  • A Denial-of-Service attack can occur if TCP connections are being requested from an unreachable (or spoofed) source address. The target server is left with an abundance of half-opened connections and will eventually run out of memory.

  • TCP intercept can operate in intercept mode, where the router actively follows these steps:

    1. The router intercepts the TCP request (SYN) packet from the requester.

    2. The router sends a proxy reply to the requester on behalf of the target server (SYN-ACK).

    3. The router waits for the requester to follow with its acknowledgment (ACK).

    4. If the connection handshaking proceeds this far, the router sends the original request (SYN) to the target server. The router performs a proxy three-way handshake, as if the target were talking to the requester.

    5. The requester and the target server are allowed to carry on a normal TCP connection.

  • In intercept mode, TCP intercept can become more aggressive when under a DoS attack with a large number of incoming incomplete connection requests. In aggressive mode, each new connection request causes one existing incomplete connection to be deleted. The router also reduces the retransmission timeout by half and reduces the amount of time it waits for connections to be established by half.

  • TCP intercept can also operate in watch mode, where the router passively watches to see if TCP connections become established. If connections are not established within a timeout period, the router sends a TCP reset (RST) to the target server to clear the half-open connection.

Configuration

  1. Use an extended access list to identify TCP connection requests:

     (global) access-list acc-list-number permit tcp any any

    -OR-

     (global) access-list acc-list-number permit tcp any destination destination-mask

    Any condition that is permitted by the access list (numbered 100 to 199) is sent to the TCP intercept software. The source address is always set to any, and the destination address can be any (to watch all TCP connection attempts) or specific destination hosts or networks given by the destination and destination-mask fields (to watch only TCP connection attempts to certain targets).

  2. Trigger TCP intercept with the access list:

     (global) ip tcp intercept list acc-list-number

    TCP intercept uses an extended IP access list numbered acc-list-number (100 to 199).

  3. Set the TCP intercept mode:

     (global) ip tcp intercept mode {intercept | watch}

    The intercept mode (the default) actively intercepts connection requests and acts as a proxy for both requester and target until the connection can be established. The watch mode passively watches connection requests and resets connections that don't get established.

  4. (Optional) Tune TCP intercept behavior.

    1. Set the drop mode:

       (global) ip tcp intercept drop-mode {oldest | random}

      When TCP intercept becomes aggressive, it begins dropping the oldest (the default) half-open connection as each new connection request comes in. The random keyword can be used instead, causing half-open connections to be dropped at random.

    2. Set the timers.

      • (Watch mode) Set the watch mode timeout:

         (global) ip tcp intercept watch-timeout seconds

        If a connection is not established within seconds (greater than 0; the default is 30) of the request, the router sends a reset to the target server.

      • Set the connection reset hold time:

         (global) ip tcp intercept finrst-timeout seconds

        The router continues managing a connection for seconds (greater than 0; the default is 5) after a FIN handshake or an RST closes the connection.

      • Set the connection management time:

         (global) ip tcp intercept connection-timeout seconds

        The router continues managing a connection for seconds (greater than 0; the default is 86,400 seconds, or 24 hours) of inactivity.

    3. Set the aggressive thresholds.

      • Set the connection thresholds for aggressive mode:

         (global) ip tcp intercept max-incomplete {high | low} number

        Aggressive mode is triggered when the number of incomplete or half-open connections rises above high number (1 to 2147483647; the default is 1100 connections). Aggressive mode ends when the number of incomplete connections falls below low number (1 to 2147483647; the default is 1100 connections).

      • Set the connection rates for aggressive mode:

         (global) ip tcp intercept one-minute {high | low} number

        Aggressive mode is triggered when the number of incomplete or half-open connections within the last minute rises above high number (1 to 2147483647; the default is 1100 connections). Aggressive mode ends when the number of incomplete connections per minute falls below low number (1 to 2147483647; the default is 1100 connections).
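As an added illustration (not from the book and not IOS code), the following Python model shows the half-open connection table that these commands tune: the max-incomplete high/low hysteresis, the oldest-versus-random drop mode, and the watch-mode reset after watch-timeout. The class, its method names and the small thresholds used are hypothetical; it models max-incomplete only, not the one-minute rate.

```python
import random
from collections import OrderedDict

# Hypothetical model (not IOS code) of TCP intercept's half-open connection
# table with max-incomplete hysteresis, drop-mode choice and watch-mode reset.
class TcpIntercept:
    def __init__(self, high, low, drop_mode="oldest", watch_timeout=30, seed=0):
        self.high, self.low = high, low          # max-incomplete high / low
        self.drop_mode = drop_mode               # "oldest" or "random"
        self.watch_timeout = watch_timeout       # watch-timeout seconds
        self.half_open = OrderedDict()           # conn tuple -> time SYN seen; oldest first
        self.aggressive = False
        self.dropped = 0
        self.resets_sent = []                    # RSTs sent to the target (watch mode)
        self.rng = random.Random(seed)           # seeded so "random" drops are reproducible

    def _update_mode(self):
        # Hysteresis: enter aggressive mode above high, leave it only below low.
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
        elif self.aggressive and n < self.low:
            self.aggressive = False

    def syn(self, conn, now):
        # New SYN: in aggressive mode one existing half-open entry is deleted first.
        if self.aggressive and self.half_open:
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[conn] = now
        self._update_mode()

    def ack(self, conn):
        # Requester's ACK completes the proxied handshake; entry is no longer half-open.
        self.half_open.pop(conn, None)
        self._update_mode()

    def expire(self, now):
        # Watch mode: SYN with no ACK within watch-timeout gets an RST sent to the target.
        stale = [c for c, t in self.half_open.items() if now - t > self.watch_timeout]
        for c in stale:
            del self.half_open[c]
            self.resets_sent.append(c)
        self._update_mode()
        return stale
```

Feeding it a burst of SYNs from distinct (constructed) source addresses shows aggressive mode switching on above high, one drop per further SYN, and the mode switching off only once completed handshakes bring the count below low.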

Example

TCP intercept is configured to manage TCP connection requests to targets in two server farm networks: 192.168.111.0 and 192.168.62.0. Intercept mode is used, and random connections are dropped.

  access-list 140 permit tcp any 192.168.111.0 0.0.0.255
  access-list 140 permit tcp any 192.168.62.0 0.0.0.255
  ip tcp intercept list 140
  ip tcp intercept mode intercept
  ip tcp intercept drop-mode random


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185