HOW DOES INTERNET WORK

Mitigate DoS Attack using TCP Intercept on Cisco Router

Valter Popeskic, Router Config, Security, No Comments

This is a really cool feature on Cisco routers that is not usually mentioned until you dig a little deeper inside Cisco IOS. But first, a bit of theory…

WHAT IS A TCP SYN FLOOD ATTACK

TCP 3-WAY HANDSHAKE

A SYN flood DoS attack happens when many sources start to send a flood of TCP SYN packets, usually with fake source IP addresses.

This attack uses the TCP 3-way handshake to reserve all the server's available resources with fake SYN requests, not allowing legitimate users to establish a connection to the server. The SYN packet is the first step in the TCP 3-way handshake. This is the step where the client sends a connection synchronization request to the server. When the server receives the TCP SYN from the client, it replies with a SYN ACK. The SYN ACK acknowledges the synchronization request.

At that moment the server is waiting for the client to complete the handshake by sending an ACK back to the server to acknowledge the SYN ACK. With this third step, the TCP session is successfully established and communication between server and client begins.

If the ACK is not received from the client side, the server will wait for it for some time and then the session will time out and get dropped. When the server deletes the session, its resources are released.

TCP SYN FLOOD ATTACK

A TCP SYN flood attack sends the first packet of the 3-way handshake, the SYN packet, to the server many times to cause the server to allocate resources for sessions that will never become established. It means that the attacking client will never respond to the server's SYN ACK, and the session will remain on the second step of the 3-way handshake.

Sending thousands of TCP SYN packets per second to the server with fake source IPs, and even from different locations, makes the server really busy. The server will not know which SYN packets are real and which are fake. It will reply with a SYN ACK to every SYN packet and allocate resources for the anticipated TCP session.

Figure: SYN Flood

After a huge number of SYN packets, the server will run out of resources to allocate additional TCP sessions. The server is keeping thousands of half-open TCP sessions waiting to time out after failing to receive the ACK from the client. Because most of the server's resources are used to reply to the SYN packets, legitimate users will not be able to establish a TCP session with the server. The server will work, but it will appear to be down. The website running the application which clients are trying to access will not work at all.

TCP INTERCEPT

In small networks where you don't have a dedicated DDoS box or some outside DDoS protection service, TCP Intercept is a great and simple tool to use directly on the router. If you are experiencing a DoS attack against some of your internal equipment, this is the fastest way to get rid of it.

TCP Intercept is easy to configure and works really well against simple SYN flood attacks. It can basically help you get rid of some simple flood attacks towards your network without implementing a fancy and costly DDoS defense solution.

Here is as complicated as it gets:

access-list 101 permit ip any 192.168.11.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept connection-timeout 15
ip tcp intercept max-incomplete low 100 high 200
ip tcp intercept one-minute low 60 high 120
ip tcp intercept drop-mode random

In the config above, the router will be configured to:

Protect web servers on subnet 192.168.11.0/24 from a SYN flood attack by intercepting connections and closing them after 15 seconds if inactive. An access-list is used to restrict the "watched" hosts to only one subnet. Without the ACL, the router would track all traffic for TCP SYN floods.

In our example, line 4 shows that the maximum number of semi-established (half-open) connections threshold is set to 200, and they are dropped down to 100 when the threshold is crossed. On line 5, the router is configured to start dropping half-open sessions when they cross the rate threshold of two connection attempts per second (120 connections in one minute = 2 connections per second). The router should not stop until the average rate is back under one per second (60 connections in one minute). On line 6, the router should not take connection age into account when deciding which connections to drop first; it needs to do it randomly in our case. Otherwise, it can be configured to drop older connections first.
TCP INTERCEPT MODE

You can configure TCP Intercept in two modes: Intercept mode and Watch mode.

Intercept mode actively intercepts the TCP sessions and acts like a proxy. Intercept mode is the default, so we didn't use "Router(config)#ip tcp intercept mode intercept" in the example above.

In watch mode, the router only monitors TCP sessions. When a session doesn't reach the established state within 30 seconds by default, or 15 seconds in our case (config above, line 3), the router will send an RST to the server. The server will then release the resources allocated for that connection by closing it.

If we wanted to use watch mode, because we wanted TCP sessions to be tracked and not proxied, we would use a simple config like the one below to enable watch mode:

ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
With watch mode, the router will only monitor TCP sessions and will not proxy them. Flood protection is still possible, using a TCP RST packet sent to the internal server for TCP sessions that do not become established within 15 seconds.
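The threshold logic explained for lines 4 to 6 of the config (max-incomplete and one-minute high/low values, random versus oldest drop) and the watch-mode timeout can be modelled in a few lines. This is an added simulation, not code from the page or from Cisco IOS: the InterceptMonitor class, the simulate_flood helper and the 203.0.113.x spoofed sources are constructed, and the one-drop-per-new-SYN aggressive behaviour is an assumed simplification of what the router actually does.

```python
import random
from collections import OrderedDict
# Threshold values taken from the page's example configuration (ip tcp intercept ...)
MAX_INCOMPLETE_LOW, MAX_INCOMPLETE_HIGH = 100, 200   # half-open connections
ONE_MINUTE_LOW, ONE_MINUTE_HIGH = 60, 120            # connection attempts per minute
WATCH_TIMEOUT = 15                                   # seconds a session may stay half-open (page text)

class InterceptMonitor:
    # Simplified model of the router's half-open session table (assumed behaviour, not IOS code)
    def __init__(self, drop_mode="random"):
        self.half_open = OrderedDict()   # (src_ip, src_port) -> SYN arrival time, oldest first
        self.attempts = []               # arrival times of SYNs seen within the last minute
        self.drop_mode = drop_mode       # "random" (the page's config) or "oldest"
        self.aggressive = False          # True while a "high" threshold is exceeded
        self.dropped = self.reset = 0    # entries discarded / aged out (RST in watch mode)

    def _rate(self, now):
        self.attempts = [t for t in self.attempts if now - t < 60]
        return len(self.attempts)

    def _drop_one(self):
        keys = list(self.half_open)
        key = random.choice(keys) if self.drop_mode == "random" else keys[0]
        del self.half_open[key]
        self.dropped += 1

    def syn(self, key, now):
        """Register a new SYN and apply the aggressive-mode rules."""
        self.attempts.append(now)
        self.half_open[key] = now
        rate = self._rate(now)
        if len(self.half_open) > MAX_INCOMPLETE_HIGH or rate > ONE_MINUTE_HIGH:
            self.aggressive = True       # either "high" value crossed
        if self.aggressive:
            self._drop_one()             # each new arrival costs one existing half-open entry
            if len(self.half_open) < MAX_INCOMPLETE_LOW and rate < ONE_MINUTE_LOW:
                self.aggressive = False  # both counts back under the "low" values

    def expire(self, now):
        """Age out entries older than WATCH_TIMEOUT (watch mode resets these on the server)."""
        stale = [k for k, t in self.half_open.items() if now - t >= WATCH_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        self.reset += len(stale)

def simulate_flood(n_syn, interval, drop_mode="random"):
    # Feed n_syn SYNs from constructed spoofed sources, `interval` seconds apart
    m = InterceptMonitor(drop_mode)
    for i in range(n_syn):
        m.syn(("203.0.113.%d" % (i % 250 + 1), 40000 + i), i * interval)
    return m
```

A fast flood (300 SYNs in 30 seconds) trips the one-minute rate limit first, while a slow one (one SYN per second) only trips the max-incomplete count; in both cases the table stops growing at the point the high threshold was crossed.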
Watch mode is better. A router in Intercept mode needs to terminate all connections, and it will then become the weak link in a SYN flood attack. This happens because a router with limited resources is not able to handle all the SYN requests in a flood, which it needs to terminate and then proxy to the server.

With Watch mode you will not take the DoS attack and terminate it on the router itself like you would in Intercept mode. With Intercept mode you are risking getting your router's resources drained, causing a router reboot. In that way you are actually making the SYN flood attack successful.