The TCP intercept and unicast reverse path forwarding features of the IOS enable you to configure some basic security against two types of denial-of-service attacks: TCP SYN flooding and source IP address forgery.
A denial-of-service (DoS) attack is one in which a hacker overwhelms a network resource with traffic intended not to harm data, but to consume enough of that resource's capacity that it can no longer perform its intended function. For example, a TCP SYN (synchronization) flood attack occurs when a hacker floods a server with a large number of TCP SYN requests (used to initiate a TCP connection) from invalid source IP addresses. Because each of these requests carries an unreachable source IP address, the connections can never be completed. The large number of half-open connections overwhelms the server and can cause it to deny service to valid requests, preventing users from connecting to the server and performing their desired tasks.
The TCP intercept feature helps prevent SYN flooding by intercepting and validating TCP connection requests as they pass through a router. You can have the TCP intercept feature intercept incoming TCP SYN messages or watch TCP connections as the router forwards them.
In intercept mode, the router actively intercepts each incoming TCP SYN and answers on behalf of the actual destination server with a TCP ACK and a SYN. This is the first step in the standard TCP connection establishment process called a three-way handshake. The router then waits for the source to return a TCP ACK for the router's SYN. When that ACK is received, the router has set up a valid TCP connection with the source and has completed the three-way handshake. Next, the router sends the original TCP SYN to the actual destination server and performs a second three-way handshake. The router then joins the two TCP connections transparently, forwarding packets between them throughout the life of the connection.
In intercept mode, the TCP intercept feature helps to prevent the TCP SYN DoS attack because packets from an unreachable host will never reach the destination server. You can configure the router to intercept requests based on an IP extended access list, allowing you to specify which requests the router should intercept.
As an alternative to intercepting each TCP connection, you can have the TCP intercept feature watch connection requests as they are forwarded by the router. If a TCP connection fails to initiate in a configurable interval, the IOS software will then intercept and terminate the connection attempt.
You configure the TCP intercept feature using the IOS global configuration command ip tcp intercept mode. The global configuration command ip tcp intercept list assigns an IP extended access list for specifying which requests the router should intercept. The ip tcp intercept watch-timeout command specifies the number of seconds that the router should allow before resetting a TCP connection that has not completed a valid three-way handshake with the destination server. By default, a router will reset a TCP connection if a three-way handshake does not complete in 30 seconds. In the following example, the SF-Core-1 router is configured to watch all TCP connections from network 22.214.171.124 and to reset connections that are not established after 15 seconds:
SF-Core-1# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
SF-Core-1(config)# access-list 120 permit ip any 126.96.36.199 0.0.255.255
SF-Core-1(config)# ip tcp intercept mode watch
SF-Core-1(config)# ip tcp intercept list 120
SF-Core-1(config)# ip tcp intercept watch-timeout 15
SF-Core-1(config)# ^Z
The EXEC command show tcp intercept connections displays all incomplete and established TCP connections. The show tcp intercept statistics EXEC command shows you statistics about the behavior of the TCP intercept feature.
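The following is an added example, not code from the book or from Cisco IOS, that models what watch mode does with the three-way handshake: it remembers each TCP SYN toward a watched destination, clears the entry when the client's ACK arrives, and reports any connection still half-open after the watch timeout as one the router would reset. The packet trace is constructed for the example, and the destination-prefix string stands in for the extended access list selected with ip tcp intercept list.

```python
"""Model of TCP intercept 'watch' mode (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (source IP, destination IP) identifies one connection attempt


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since the start of the trace
    src: str
    dst: str
    flag: str   # "SYN" (client opens) or "ACK" (client completes the handshake)


def expire_half_open(pending: Dict[Key, float], now: float, watch_timeout: float) -> List[Key]:
    """Remove and return connections whose SYN is older than watch_timeout.

    These are the half-open connections the router would reset."""
    stale = [k for k, t0 in pending.items() if now - t0 > watch_timeout]
    for k in stale:
        del pending[k]
    return stale


def watch_connections(packets, watch_timeout: float = 15.0,
                      watched_prefix: str = "10.1.", now: Optional[float] = None):
    """Replay a packet trace and return (established, resets, still_pending).

    watched_prefix is a stand-in for the ACL: only SYNs to matching destinations are watched.
    watch_timeout mirrors 'ip tcp intercept watch-timeout' (30 s by default on IOS)."""
    pending: Dict[Key, float] = {}
    established: List[Key] = []
    resets: List[Key] = []
    for p in sorted(packets, key=lambda x: x.ts):
        # Each arriving packet advances the clock; sweep stale entries first.
        resets.extend(expire_half_open(pending, p.ts, watch_timeout))
        key = (p.src, p.dst)
        if p.flag == "SYN" and p.dst.startswith(watched_prefix):
            pending.setdefault(key, p.ts)  # retransmitted SYNs do not restart the timer
        elif p.flag == "ACK" and key in pending:
            established.append(key)        # handshake completed, stop watching it
            del pending[key]
    if now is not None:
        resets.extend(expire_half_open(pending, now, watch_timeout))
    return established, resets, pending


# Constructed trace: one genuine client, one forged source that never completes,
# one connection to an unwatched destination, and a late SYN that is still pending.
TRACE = [
    Packet(0.0, "192.0.2.10", "10.1.1.5", "SYN"),
    Packet(1.0, "198.51.100.77", "10.1.1.5", "SYN"),   # unreachable source, no ACK ever comes
    Packet(2.0, "192.0.2.10", "10.1.1.5", "ACK"),
    Packet(3.0, "203.0.113.9", "172.16.0.1", "SYN"),   # not in the watched list, ignored
    Packet(20.0, "192.0.2.11", "10.1.1.5", "SYN"),
]

if __name__ == "__main__":
    est, rst, pend = watch_connections(TRACE, watch_timeout=15.0)
    print("established:", est)
    print("reset after timeout:", rst)
    print("still half-open:", pend)
```

Running the trace with the 15-second timeout from the book's configuration resets the forged connection once the clock passes 16 seconds, while the same trace with the 30-second default produces no resets at all, which is the trade-off the watch-timeout value controls.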
Unicast Reverse Path Forwarding
The unicast reverse path forwarding (RPF) feature can help prevent the source IP address forgery (sometimes called IP spoofing) DoS attack. The source IP address forgery attack uses malformed source IP addresses or a rapidly changing source IP to attack a network. If your network is being attacked by a malformed source IP address or a set of rapidly changing source IP addresses, it could be impossible to configure an IP access list to stop the attack.
The unicast RPF feature is available on your IOS device only if you are using Cisco Express Forwarding (CEF). CEF is an advanced mechanism used to forward packets and to build IP routing tables. At this time, CEF operates only on certain high-end IOS devices.
The unicast RPF feature helps to solve this by automatically discarding IP packets that do not have a verifiable source IP address. The router verifies a source IP address by examining each packet received on an interface and checking that the source address appears in the IP routing table and that the route back to it points at the interface on which the packet was received. In other words, the path on which the packet arrived and the return path to the source IP address, as seen in the routing table, must be symmetrical. A route is symmetrical if a packet arrives at a router interface on one of the best return paths to the source of the packet; the check is not limited to a single exact interface, which allows you to use routing techniques such as equal-cost load balancing.
If there is no reverse path route through the interface on which the packet was received (or through one of the equal-cost return paths), it might mean that the source address was modified or forged, and the packet is discarded. Verifying that the source IP address is reachable via the reverse path, that is, through the interface a reply would be forwarded out of, helps prevent source IP address forgery.
The unicast RPF feature can be used in any network configuration in which there is a single path of connectivity from the network. When you have a single path of connectivity, even with multiple load-shared paths, the network routing is nearly always symmetrical. This configuration often occurs at the upstream network exit point to the Internet. You should not use the unicast RPF feature on your internal network when multiple diverse routes exist to IP destinations.
The configuration of the unicast RPF feature is done via a single interface subcommand, ip verify unicast reverse-path. In a common environment, you would apply this command only on the upstream interface (or interfaces in a load-sharing environment) on your router that connects to the Internet.
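As an added example (not code from the book or from IOS), the following models the reverse-path check described above: a longest-prefix lookup on the packet's source address yields the set of best return interfaces, and the packet passes only if it arrived on one of them. The routing table, interface names and sample packets are constructed for the example, and the RPF_ENABLED set stands in for the interfaces on which ip verify unicast reverse-path has been applied. The model treats the default route like any other route, which is a simplification.

```python
"""Model of the unicast RPF source check (added example, not Cisco code)."""
import ipaddress
from typing import Dict, Set

# Constructed routing table: prefix -> egress interfaces. A prefix with
# several interfaces represents equal-cost load-shared paths.
ROUTING_TABLE: Dict[str, Set[str]] = {
    "0.0.0.0/0": {"Serial0"},                                 # default route toward the Internet
    "10.1.0.0/16": {"GigabitEthernet0"},
    "10.2.0.0/16": {"GigabitEthernet1", "GigabitEthernet2"},  # equal-cost return paths
}

# Interfaces where 'ip verify unicast reverse-path' is applied: upstream only,
# as the text recommends (assumed deployment, not a fixed rule of the feature).
RPF_ENABLED: Set[str] = {"Serial0"}


def best_return_paths(src_ip: str, table: Dict[str, Set[str]] = ROUTING_TABLE) -> Set[str]:
    """Longest-prefix match on the source address.

    Returns the interfaces of the best route back to the source, or an empty
    set when no route covers it."""
    addr = ipaddress.ip_address(src_ip)
    best_len = -1
    best_ifaces: Set[str] = set()
    for prefix, ifaces in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len = net.prefixlen
            best_ifaces = set(ifaces)
    return best_ifaces


def rpf_verdict(src_ip: str, ingress_iface: str,
                table: Dict[str, Set[str]] = ROUTING_TABLE,
                enabled: Set[str] = RPF_ENABLED) -> str:
    """Return 'unverified' (feature not applied on that interface), 'pass' or 'drop'."""
    if ingress_iface not in enabled:
        return "unverified"
    paths = best_return_paths(src_ip, table)
    if not paths:
        return "drop"          # no route back to the source at all
    # Symmetry check: arrival interface must be one of the best return paths.
    return "pass" if ingress_iface in paths else "drop"


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    samples = [
        ("203.0.113.9", "Serial0"),          # Internet host arriving from upstream
        ("10.1.5.5", "Serial0"),             # internal address arriving from upstream: forged
        ("10.1.5.5", "GigabitEthernet0"),    # internal interface, RPF not applied there
    ]
    for src, iface in samples:
        print(f"{src:>14} on {iface:<17} -> {rpf_verdict(src, iface)}")
```

The second sample is the case the feature is designed for: a packet claiming an internal source address but arriving on the Internet-facing interface fails the symmetry check and is dropped. Enabling the check on GigabitEthernet2 instead shows why equal-cost paths are accepted: a source in 10.2.0.0/16 may legitimately arrive on either GigabitEthernet1 or GigabitEthernet2.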