TCP intercept watches TCP packets to determine whether connections are being requested but not completed.
A Denial-of-Service attack can occur if TCP connections are being requested from an unreachable (or spoofed) source address. The target server is left with an abundance of half-opened connections and will eventually run out of memory.
TCP intercept can operate in intercept mode, where the router actively follows these steps:
The router intercepts the TCP request (SYN) packet from the requester.
The router sends a proxy reply to the requester on behalf of the target server (SYN-ACK).
The router waits for the requester to follow with its acknowledgment (ACK).
If the connection handshaking proceeds this far, the router sends the original request (SYN) to the target server. The router performs a proxy three-way handshake, as if the target were talking to the requester.
The requester and the target server are allowed to carry on a normal TCP connection.
In intercept mode, TCP intercept can become more aggressive when under a DoS attack with a large number of incoming incomplete connection requests. In aggressive mode, each new connection request causes a past incomplete connection to be deleted. The router also reduces the retransmission timeout by half and reduces the amount of time waiting for connections to be established by half.
TCP intercept can also operate in watch mode, where the router passively watches to see if TCP connections become established. If connections are not established within a timeout period, the router sends a TCP reset (RST) to the target server to clear the half-open connection.
Use an extended access list to identify TCP connection requests:
(global) access-list acc-list-number permit tcp any any
-OR-
(global) access-list acc-list-number permit tcp any destination destination-mask
Any condition that is permitted by the access list (numbered 100 to 199) is sent to the TCP intercept software. The source address is always set to any, and the destination address can be any (watch all TCP connection attempts) or to specific destination hosts or networks with the destination destination-mask fields (watch only TCP connection attempts to certain targets).
Trigger TCP intercept with the access list:
(global) ip tcp intercept list acc-list-number
TCP intercept uses an extended IP access list numbered acc-list-number (100 to 199).
Set the TCP intercept mode:
(global) ip tcp intercept mode { intercept | watch }
The intercept mode (the default) actively intercepts connection requests and acts as a proxy for both requester and target until the connection can be established. The watch mode passively watches connection requests and resets connections that don't get established.
(Optional) Tune TCP intercept behavior.
Set the drop mode:
(global) ip tcp intercept drop-mode { oldest | random }
When TCP intercept becomes aggressive, it begins dropping the oldest (the default) half-open connection as each new connection request comes in. The random keyword can be used instead, causing half-open connections to be dropped at random.
Set the timers.
(Watch mode) Set the watch mode timeout:
(global) ip tcp intercept watch-timeout seconds
If a connection is not established within seconds (greater than 0; the default is 30) of the request, the router sends a reset to the target server.
Set the connection reset hold time:
(global) ip tcp intercept finrst-timeout seconds
The router continues managing a connection seconds (greater than 0; the default is 5) after the FIN handshake or an RST occurs to close the connection.
Set the connection management time:
(global) ip tcp intercept connection-timeout seconds
The router continues managing a connection for seconds (greater than 0; the default is 86,400 seconds, or 24 hours) after there is no activity.
Set the aggressive thresholds.
Set the connection thresholds for aggressive mode:
(global) ip tcp intercept max-incomplete { high | low } number
Aggressive mode is triggered when the number of incomplete or half-open connections rises above high number (1 to 2147483647; the default is 1100 connections). Aggressive mode ends when the number of incomplete connections falls below low number (1 to 2147483647; the default is 1100 connections).
Set the connection rates for aggressive mode:
(global) ip tcp intercept one-minute { high | low } number
Aggressive mode is triggered when the number of incomplete or half-open connections within the last minute rises above high number (1 to 2147483647; the default is 1100 connections). Aggressive mode ends when the number of incomplete connections per minute falls below low number (1 to 2147483647; the default is 1100 connections).
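The following Python model is an added example, not Cisco IOS code and not part of the original page: it simulates the router's table of half-open connections so the behaviour described above can be observed on constructed traffic. It covers the intercept-mode aggressive behaviour (one old entry evicted per new SYN, retransmission timeout halved), the oldest/random drop mode, the max-incomplete high/low hysteresis, and the watch-mode timeout that resets connections never completed. Class and method names, the base retransmission timer and the sample flows are this example's own assumptions; the thresholds are passed in explicitly rather than taken from the platform defaults.

```python
"""Model of a TCP intercept half-open connection table (added example, not IOS code)."""
import random
from collections import OrderedDict


class TcpIntercept:
    """Tracks SYNs without a completing ACK and applies aggressive-mode rules."""

    def __init__(self, mode, drop_mode, max_high, max_low,
                 watch_timeout=30, syn_ack_retx=30, seed=0):
        assert mode in ("intercept", "watch")
        assert drop_mode in ("oldest", "random")
        self.mode = mode
        self.drop_mode = drop_mode
        self.max_high = max_high            # enter aggressive mode when count rises above this
        self.max_low = max_low              # leave aggressive mode when count falls below this
        self.watch_timeout = watch_timeout  # watch mode: seconds before an RST is sent
        self.base_retx = syn_ack_retx       # assumed base SYN-ACK retransmit timer (seconds)
        self.aggressive = False
        self.half_open = OrderedDict()      # flow tuple -> time the SYN was seen (insertion order)
        self.established = set()
        self.dropped = []                   # entries evicted by aggressive mode
        self.resets = []                    # flows for which a RST went to the target server
        self.rng = random.Random(seed)      # seeded so drop-mode random is reproducible

    def retx_timeout(self):
        """Aggressive mode halves the retransmission timeout."""
        return self.base_retx / 2 if self.aggressive else self.base_retx

    def _update_mode(self):
        n = len(self.half_open)
        if n > self.max_high:
            self.aggressive = True
        elif n < self.max_low:
            self.aggressive = False
        # between low and high the current mode is kept (hysteresis)

    def syn(self, flow, now):
        """Requester's SYN arrives; in aggressive mode one old entry is deleted first."""
        if self.aggressive and self.half_open:
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped.append(victim)
        self.half_open[flow] = now
        self._update_mode()

    def ack(self, flow, now):
        """Requester's ACK completes the handshake; the flow leaves the half-open table."""
        if flow in self.half_open:
            del self.half_open[flow]
            self.established.add(flow)
            self._update_mode()

    def tick(self, now):
        """Watch mode: reset flows that were not established within watch_timeout seconds."""
        if self.mode != "watch":
            return []
        expired = [f for f, t0 in self.half_open.items() if now - t0 >= self.watch_timeout]
        for f in expired:
            del self.half_open[f]
            self.resets.append(f)           # router sends RST to the target server
        self._update_mode()
        return expired


def spoofed_flood(table, count, target=("192.168.111.10", 80)):
    """Constructed traffic: SYNs from distinct spoofed sources that never send an ACK."""
    for i in range(count):
        flow = ("10.%d.%d.%d" % (i >> 16 & 255, i >> 8 & 255, i & 255), 40000, *target)
        table.syn(flow, i)
    return {"aggressive": table.aggressive,
            "half_open": len(table.half_open),
            "dropped": len(table.dropped)}


if __name__ == "__main__":
    t = TcpIntercept("intercept", "oldest", max_high=5, max_low=3)
    print(spoofed_flood(t, 20))       # table never grows past high+1; the rest are evicted
    print("retransmit timeout:", t.retx_timeout())
```

Run with small thresholds, as in the `__main__` block, to watch the table cap at `max_high + 1` entries while the eviction count climbs; raising `max_high` and `max_low` to the page's values reproduces the production behaviour with the same logic.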
TCP intercept is configured to manage TCP connection requests to targets in two server farm networks: 192.168.111.0 and 192.168.62.0. Intercept mode is used, and random connections are dropped.
access-list 140 permit tcp any 192.168.111.0 0.0.0.255
access-list 140 permit tcp any 192.168.62.0 0.0.0.255
ip tcp intercept list 140
ip tcp intercept mode intercept
ip tcp intercept drop-mode random