Protecting Servers with TCP Intercept

One of the easier attacks to mount is the infamous SYN flood: all the attacker has to do is send TCP packets with the SYN flag set from randomly generated source IP addresses, which ties up the target's resources on half-open connections and can affect the availability of the services on that host, accomplishing what he set out to do, Denial of Service (DoS). This also comes in a distributed version, DDoS, which is harder to defend against, so much so that Cisco sells products like the Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation appliances specifically for protecting your network from DDoS attacks.

Cisco ASA devices have a similar connection limit feature that is part of NAT, but this article covers only TCP Intercept on the IOS platform.

TCP Intercept works by intercepting the SYN packet of a connection: the router responds with a SYN/ACK packet on the server's behalf and waits for an ACK from the host. If it receives the ACK, it completes the connection to the protected service. If it doesn't receive a response from the host that initiated the connection, it drops the half-open connection without ever involving the protected service, saving the resources of that host. If you want to learn more about TCP Intercept you can refer to the Cisco article here.

For this post we have a DMZ with 10.1.1.0/24, with a web server on 10.1.1.10.

To configure TCP Intercept you need to define an access list that tells the intercept engine which traffic to intercept; this access list is much like the one that defines interesting traffic for VPNs. Generally, the access list should have a source of any and list the specific destination networks and servers.

SC(config)#access-list 101 permit tcp any host 10.1.1.10
SC(config)#ip tcp intercept list 101
SC(config)#ip tcp intercept max-incomplete low 400
SC(config)#ip tcp intercept max-incomplete high 500

This configuration will protect the server 10.1.1.10 from a SYN flood attack. When the number of incomplete (embryonic) connections reaches the high watermark of 500, the router starts removing incomplete connections, oldest first, until it is back down to the low watermark, 400 in the above example.
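To make the behaviour above concrete, here is a small Python model of the intercept engine, written for this post as an added illustration (it is not Cisco code and not how IOS is implemented internally). It applies the access list (any source, the listed destination hosts), answers SYNs on the server's behalf, tracks half-open connections oldest-first, and when the count reaches the high watermark it drops the oldest entries until the low watermark is reached, exactly as described for the 400/500 example. The addresses, ports and the scaled-down watermarks of 4/5 in `demo()` are constructed sample values.

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network


class TcpIntercept:
    """Toy model of IOS TCP Intercept in intercept mode with
    max-incomplete low/high watermarks. Constructed for illustration."""

    def __init__(self, protected_hosts, low=400, high=500):
        # Destinations the 'access-list ... permit tcp any host X' would match.
        self.protected = [ip_network(h) for h in protected_hosts]
        self.low, self.high = low, high
        # Half-open (embryonic) connections, insertion-ordered so the
        # oldest entry is always first.
        self.embryonic = OrderedDict()
        self.completed = []
        self.dropped = 0

    def matches_acl(self, dst):
        # Source is 'any'; only the destination is checked.
        return any(ip_address(dst) in net for net in self.protected)

    def syn(self, src, sport, dst, dport):
        """A client SYN arrives at the router. Returns the action taken."""
        if not self.matches_acl(dst):
            return "forward"            # not interesting traffic, untouched
        key = (src, sport, dst, dport)
        if key not in self.embryonic:   # a retransmitted SYN keeps its age
            self.embryonic[key] = True
            self._enforce_watermarks()
        return "syn-ack"                # router answers for the server

    def ack(self, src, sport, dst, dport):
        """The client's ACK arrives. Only a tracked half-open entry
        is completed towards the protected server."""
        key = (src, sport, dst, dport)
        if key in self.embryonic:
            del self.embryonic[key]
            self.completed.append(key)
            return "connect-to-server"
        return "drop"                   # no half-open entry: stale or bogus ACK

    def _enforce_watermarks(self):
        # Reaching the high watermark triggers removal of the oldest
        # half-open connections until the low watermark is reached.
        if len(self.embryonic) >= self.high:
            while len(self.embryonic) > self.low:
                self.embryonic.popitem(last=False)   # oldest first
                self.dropped += 1


def demo():
    """Constructed scenario against the web server, scaled to low=4/high=5."""
    ti = TcpIntercept(["10.1.1.10/32"], low=4, high=5)
    # Five SYNs from five different sources that never complete the handshake.
    for i in range(1, 6):
        ti.syn(f"198.51.100.{i}", 40000 + i, "10.1.1.10", 80)
    # One legitimate client that does complete its handshake.
    ti.syn("203.0.113.7", 51000, "10.1.1.10", 80)
    legit = ti.ack("203.0.113.7", 51000, "10.1.1.10", 80)
    # A late ACK for a half-open entry that was already aged out.
    stale = ti.ack("198.51.100.1", 40001, "10.1.1.10", 80)
    # Traffic to a host not covered by the access list is simply forwarded.
    passthrough = ti.syn("203.0.113.9", 52000, "10.1.1.20", 80)
    return {
        "embryonic": len(ti.embryonic),
        "dropped": ti.dropped,
        "completed": len(ti.completed),
        "legit": legit,
        "stale": stale,
        "passthrough": passthrough,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the watermarks: the fifth half-open SYN pushes the table to the high mark and the oldest entry is removed, the legitimate client's SYN does the same to the next oldest, and the legitimate ACK still completes because its entry is recent. The protected server only ever sees connections whose three-way handshake the router has already verified.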

Now you can add TCP Intercept as another layer in your defense-in-depth scheme to help protect your servers from a basic SYN flood attack.

May 29th, 2011 • Posted in Data Plane Protection, IOS, Security