Configure TCP Interception on the Cisco Router.


During the three-way handshake that TCP uses to establish a connection, the first message sent by the initiating party has the SYN bit set. When a device receives this initial request for service, it responds with a message that has both the SYN and ACK bits set and then waits for an ACK from the source. If the sender never replies with an ACK, the host eventually tears the connection down on a timeout. While the host is waiting for that timeout, the connection is half-open, and every half-open connection consumes host resources. If enough handshakes are left incomplete in this way, the host's resources are exhausted; this is a SYN attack. In particular, if thousands of SYNs are sent to a host, the host will quickly crash.

To prevent this attack, TCP intercept is configured on the router.

TCP intercept blocks the attack by intercepting and validating TCP connection requests before they reach the target host; in effect, the router completes the connection on the host's behalf.

TCP intercept works in two modes: intercept and watch (also called monitor mode). In intercept mode, the router intercepts every arriving TCP SYN request, establishes a connection with the client on behalf of the server, and then establishes a connection with the server on behalf of the client. If both connections succeed, the router transparently merges the two. The router applies stricter timeouts than the server so that its own resources are not exhausted by a SYN attack. In watch mode, the router passively observes half-open connections; if a connection is not completed within the configured time, the router closes it. An ACL defines the source and destination addresses to which TCP interception applies.

Basic configuration commands:

ip tcp intercept mode {intercept | watch}: sets the working mode of TCP intercept. The default is intercept.

ip tcp intercept list access-list-number: references an extended ACL that defines the source and destination addresses for TCP interception.

Other commands:

When the router determines that the server is under attack because a configured threshold has been exceeded, it actively deletes half-open connections until their number falls below the low threshold. By default the oldest connection is closed, unless the ip tcp intercept drop-mode random command is configured, in which case a random half-open connection is closed. While a threshold remains exceeded, the router takes the following actions:

1) Each new connection causes the oldest (or a random) half-open connection to be deleted.

2) The initial retransmission timeout is halved to 0.5 seconds.

3) In watch mode, the watch timeout is halved to 15 seconds.

Two factors determine whether the router considers itself under attack. If either of the two high thresholds is exceeded, the router treats the server as under attack until both values have fallen below their low thresholds. The relevant parameters and their default values are listed below with a brief description.

1) ip tcp intercept max-incomplete high number (default 1100)

The maximum number of half-open connections that may exist before the router begins deleting connections.

2) ip tcp intercept max-incomplete low number (default 900)

The number of half-open connections below which the router stops deleting half-open connections.

3) ip tcp intercept one-minute high number (default 1100)

The maximum number of connection requests that may be received in one minute before the router begins deleting connections.

4) ip tcp intercept one-minute low number (default 900)

The number of connection requests per minute below which the router stops deleting connections.

The total number of half-open connections and the number of connection requests per minute are tracked together. When either high threshold is reached, TCP interception enters its aggressive state and begins deleting half-open connections. Once it has been activated, both values must fall below their low thresholds before the router stops deleting connections.
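A complete configuration that ties the commands above together, added here as an example and not taken from the original article. The server address 192.0.2.10, the TCP port and the ACL number 101 are assumed values; the thresholds are the defaults stated above, restated explicitly so the intent is visible in the running configuration.

```cisco
! Added example: protect a single web server behind the router with TCP intercept.
! Addresses, port and ACL number are assumptions for illustration.
!
! 1. Extended ACL selecting which SYN requests the router intercepts:
!    any source, destination = protected server 192.0.2.10, TCP port 80.
!    Only traffic matching this list is handled by TCP intercept.
access-list 101 permit tcp any host 192.0.2.10 eq 80
!
! 2. Enable TCP intercept for that traffic. Intercept mode is the default;
!    it is stated explicitly here. Use "watch" for the passive mode instead.
ip tcp intercept list 101
ip tcp intercept mode intercept
!
! 3. Thresholds that switch the router into its aggressive (under-attack)
!    state and back. Both values must drop below the low thresholds before
!    the router stops deleting half-open connections.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! 4. Drop a random half-open connection rather than the oldest one when the
!    aggressive state is active (the default drop mode is "oldest").
ip tcp intercept drop-mode random
!
! 5. In watch mode, how long an unanswered SYN may sit before the router
!    sends a RST to the server (default 30 s). Shown for reference; it has
!    no effect while mode is "intercept".
ip tcp intercept watch-timeout 30
!
! Verification from privileged EXEC: current intercepted/half-open sessions
! and the running counters (attack state, drops, timeouts).
! show tcp intercept connections
! show tcp intercept statistics
```

Check the statistics output after applying the configuration: a rising count of half-open connections together with the aggressive-mode indicator is the signal that the thresholds are being hit and connections are being dropped.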

Note:

In intercept mode, the router answers each arriving SYN request itself, sending a SYN/ACK to the original source IP address instead of letting the server do so, and then waits for the client's ACK. If the ACK arrives, the router forwards the original SYN to the server and completes the three-way handshake with the server on the client's behalf. This mode increases the router's memory and CPU overhead and adds some latency to session setup.

In watch mode, the router lets SYN requests reach the server directly.

If the session is not established within 30 seconds (the default), the router sends a RST to the server to clear the half-open connection.