O'Reilly logo

Cisco IOS Cookbook, 2nd Edition by Ian Brown, Kevin Dooley

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Stopping Denial of Service Attacks

Problem

You want to mitigate Denial of Service attacks by throttling half-open TCP connections.

Solution

You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:

Router1#configure terminal
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#

Discussion

This feature allows the router to take an active role in managing the TCP session initiation between a client and server. In the normal TCP call setup procedure, a client device sends a TCP SYN packet to start the session. The server then responds with a SYN-ACK, and the client’s next packet simply has the ACK flag set. Then the Layer 7 application information can start to flow. A relatively common denial of service attack involves sending large numbers of SYN packets, but never actually starting the session. This can fill up the server’s connection table with these so-called “half-open” TCP sessions, and eventually prevents any legitimate sessions from starting.

However, when you enable the TCP Intercept feature, the router doesn’t forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required