TCP Intercept

TCP Intercept tracks, intercepts, and validates TCP connection requests. This shields the local host from being contacted directly by a nontrusted network or host, so a SYN-flood DoS attack aimed at the host is actually absorbed by the router, which is built to survive it. TCP Intercept uses fast switching, except on the RSP/RP/SSP-based Cisco 7000 series, which only uses process switching.

TCP Intercept operates in one of two modes, watch (monitor) mode and intercept mode. Watch mode allows connection requests to reach the local host directly while the router monitors their status; if a connection fails to complete the three-way handshake within the watch timeout, or the number of half-open connections exceeds the configured thresholds, the router sends a reset to the local host to clear the partially opened connection. Intercept mode shields the local host from all direct contact with the remote host. The router, acting much like a proxy server, completes the three-way handshake with the remote host itself; only when that handshake succeeds does the router open its own connection to the local host and splice the two connections together, so half-open connections from spoofed sources never reach the host. Figure 2-13 shows a router acting in intercept mode.

Figure 2-13. IP TCP Intercept


Exceeding a preset high threshold in either operating mode causes aggressive behavior mode to start: the router enters aggressive mode when either the half-open connection count or the one-minute connection-request count exceeds its high value, and returns to normal only when both counts drop below their low values. This gap between the high and low values keeps the router from flapping between modes. During aggressive behavior mode, each new connection attempt forces the drop of an existing partial connection (the oldest, or a random one, depending on the drop mode). Additionally, the retransmission and watch timeouts are cut in half.

TCP Intercept is relatively easy to configure using a five-step process:

Step 1.
Create an intercept access list.

Step 2.
Enable TCP Intercept.

Step 3.
Set intercept mode.

Step 4.
Set thresholds.

Step 5.
Set drop mode.

The following example configuration shows how to accomplish all of these tasks and comments on the available parameters:

!Create an extended access list.
!TCP Intercept access lists must be extended access lists (100-199, or
!2000-2699 in the expanded range). The source is the remote (client) side
!and the destination is the local host being protected; the protocol
!must be tcp and masks are wildcard masks, not subnet masks.
access-list 101 permit tcp host 172.30.1.15 host 10.1.1.1
!Allow access from the single host at 172.30.1.15 to the single host at 10.1.1.1.
access-list 101 permit tcp 172.30.2.0 0.0.0.255 host 10.1.1.2
!Allow any host on the 172.30.2.0/24 network to get to host 10.1.1.2.
!
!Enable TCP Intercept.
ip tcp intercept list 101
!Starts TCP Intercept for the connections permitted by access list 101.
!
!Set the intercept mode.
ip tcp intercept mode intercept
!Sets the mode to intercept, which is the default. The other possible mode is watch.
!
!Set the thresholds.
ip tcp intercept connection-timeout 3600
!Connections will be reset after 3600 seconds (1 hour) of no activity.
!The default is 86400 seconds (24 hours).
!
ip tcp intercept finrst-timeout 3
!Sets the time in seconds (3) after receiving a reset or FIN that the connection
!remains managed. The minimum is 1 second. The default is 5 seconds.
!
ip tcp intercept max-incomplete high 900
!Sets the maximum number of half-open connections (900) before the router goes
!into aggressive behavior mode. The default is 1100. The maximum is 2147483647.
!The minimum is 1.
!
ip tcp intercept max-incomplete low 700
!Sets the number of half-open connections (700) below which the router leaves
!aggressive behavior mode. The default is 900. The maximum is 2147483647.
!The minimum is 1.
!
ip tcp intercept one-minute high 800
!Sets the maximum number of connection requests (800) that may be received in a
!one-minute period before the router goes into aggressive behavior mode.
!The default is 1100. The maximum is 2147483647. The minimum is 1.
!
ip tcp intercept one-minute low 600
!Sets the number of connection requests (600) that may be received in a
!one-minute period below which the router leaves aggressive behavior mode.
!The default is 900. The maximum is 2147483647. The minimum is 1.
!
ip tcp intercept watch-timeout 20
!Sets the time in seconds (20) for a partially opened connection to complete
!the connection sequence before the router sends a reset to the local host.
!The default is 30 seconds; it is halved while in aggressive behavior mode.
!
!Set the drop mode.
ip tcp intercept drop-mode random
!Sets the drop mode (random) so that, while in aggressive behavior mode, the
!router picks a half-open connection at random to drop for each new request.
!The default (oldest) drops the oldest partial connection first.
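The following Python model, added here as an illustration and not taken from the book or from Cisco IOS, shows how the half-open connection table, the high/low threshold hysteresis, the halved watch timeout, and the oldest/random drop modes described above interact during a SYN flood. It assumes that aggressive mode begins when either the half-open count or the one-minute request count exceeds its high value and ends when both are below their low values; the traffic, addresses, and threshold values in the demo are constructed for the example.

```python
"""Model of TCP Intercept's half-open table, aggressive-mode hysteresis and
drop policy. Constructed example, not Cisco IOS code. Assumed semantics:
aggressive mode begins when EITHER the half-open count or the one-minute SYN
count exceeds its high mark and ends when BOTH are below their low marks; the
watch timeout is halved while aggressive; each new SYN in aggressive mode
evicts one partial connection (oldest by default, random if drop-mode random).
"""
import random
from collections import OrderedDict, deque


class TcpIntercept:
    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900,
                 watch_timeout=30.0, drop_mode="oldest", seed=0):
        self.max_incomplete = (max_incomplete_high, max_incomplete_low)
        self.one_minute = (one_minute_high, one_minute_low)
        self.watch_timeout = watch_timeout
        self.drop_mode = drop_mode
        self.half_open = OrderedDict()  # (client, server) -> SYN time; order = age
        self.syn_times = deque()        # SYN timestamps inside the last 60 s
        self.aggressive = False
        self.dropped = []               # ((client, server), reason)
        self.rng = random.Random(seed)

    def _one_minute_count(self, now):
        while self.syn_times and now - self.syn_times[0] >= 60.0:
            self.syn_times.popleft()
        return len(self.syn_times)

    def effective_watch_timeout(self):
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def _update_mode(self, now):
        n, r = len(self.half_open), self._one_minute_count(now)
        high_hit = n > self.max_incomplete[0] or r > self.one_minute[0]
        both_low = n < self.max_incomplete[1] and r < self.one_minute[1]
        if not self.aggressive and high_hit:
            self.aggressive = True
        elif self.aggressive and both_low:
            self.aggressive = False

    def _evict(self, reason):
        if self.drop_mode == "random":
            key = self.rng.choice(list(self.half_open))
        else:
            key = next(iter(self.half_open))   # oldest entry
        del self.half_open[key]
        self.dropped.append((key, reason))

    def expire(self, now):
        """Reset partial connections older than the (possibly halved) watch timeout."""
        limit = self.effective_watch_timeout()
        for key in [k for k, t in self.half_open.items() if now - t > limit]:
            del self.half_open[key]
            self.dropped.append((key, "watch-timeout"))
        self._update_mode(now)

    def syn(self, client, server, now):
        """A SYN from client to server (a permitted pair) arrives at time now."""
        self.expire(now)
        self.syn_times.append(now)
        self._update_mode(now)
        if self.aggressive and self.half_open:
            self._evict("aggressive")
        self.half_open[(client, server)] = now

    def established(self, client, server, now):
        """Three-way handshake completed: the entry leaves the half-open table."""
        self.half_open.pop((client, server), None)
        self.expire(now)


def hysteresis_demo():
    """SYN flood against 10.1.1.1 with high=20, low=10 (constructed traffic)."""
    ti = TcpIntercept(max_incomplete_high=20, max_incomplete_low=10,
                      one_minute_high=10**6, one_minute_low=10**6)
    trace = []
    for i in range(25):                      # 25 spoofed SYNs in one second
        ti.syn(f"198.51.100.{i}", "10.1.1.1", now=i * 0.04)
    trace.append(("after flood", len(ti.half_open), ti.aggressive))
    for key in list(ti.half_open)[:6]:       # some handshakes complete
        ti.established(*key, now=2.0)
    trace.append(("between low and high", len(ti.half_open), ti.aggressive))
    for key in list(ti.half_open)[:6]:
        ti.established(*key, now=3.0)
    trace.append(("below low", len(ti.half_open), ti.aggressive))
    return trace, ti.dropped


if __name__ == "__main__":
    for row in hysteresis_demo()[0]:
        print(row)
```

Running `hysteresis_demo()` shows the router entering aggressive mode at the 21st half-open connection, staying there while the count sits between the low and high marks, and leaving only once the count falls below the low mark; the four evictions recorded during the flood are all of the oldest entries, as the default drop mode prescribes.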
