Saturday, February 14, 2015

TCP Intercept - "Protecting servers and other resources from Denial-of-Service (DoS) attacks"

TCP Intercept was developed to protect servers and other resources from Denial-of-Service (DoS) attacks, specifically TCP SYN attacks.

Just as the name says, TCP Intercept captures incoming TCP requests. Instead of allowing direct access to the server, TCP Intercept acts as an intermediary, establishing a connection to the server on behalf of the requesting client.

TCP Intercept will block a client if too many incoming connections are attempted.

To configure TCP Intercept, the desired traffic to be monitored must be identified. Traffic can be monitored from a certain address or network, to a certain address or network, or both.

TCP Intercept can operate in one of two modes:

Router(config)# ip tcp intercept mode intercept

Router(config)# ip tcp intercept mode watch

In intercept (the default) mode, the router will actively capture TCP connections, and act as the buffer between the client and the server. To adjust how long TCP Intercept will manage a connection after no activity:

Router(config)# ip tcp intercept connection-timeout 1800

In watch mode, TCP connections pass through the router to the server, but are "observed" by the router. If a connection is not established within 30 seconds (by default), the router sends a reset to the server to close down the session. This watch timer is configurable:

Router(config)# ip tcp intercept watch-timeout 15

If the number of incomplete (half-open) connections exceeds the high threshold (1100 by default), TCP Intercept will begin aggressively dropping connections. By default, TCP Intercept will drop the oldest connections first, but it can be configured to drop connections randomly instead:

Router(config)# ip tcp intercept drop-mode random

Router(config)# ip tcp intercept drop-mode oldest

TCP Intercept will stop dropping connections once the number of incomplete connections falls below the low threshold (900 by default). To configure the thresholds:

Router(config)# ip tcp intercept max-incomplete low 600

Router(config)# ip tcp intercept max-incomplete high 800
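The following Python model is an added illustration, not part of the original post and not Cisco's implementation: it shows how the high/low thresholds, the drop mode and the watch-timeout interact on a stream of half-open connections. The class, the connection key and the constructed SYN flood scenario are assumptions made for this illustration.

```python
import random
from collections import OrderedDict

class InterceptModel:
    """Model (assumption, not IOS code) of half-open connection accounting:
    above `high` the router enters aggressive mode and drops one existing
    half-open entry per new SYN; it leaves aggressive mode once the count
    falls below `low`; entries not completed within `watch_timeout` expire."""

    def __init__(self, high=1100, low=900, watch_timeout=30, drop_mode="oldest", seed=0):
        self.high, self.low, self.watch_timeout = high, low, watch_timeout
        self.drop_mode = drop_mode          # "oldest" (default) or "random"
        self.aggressive = False
        self.dropped = 0
        self.rng = random.Random(seed)      # seeded so "random" mode is reproducible
        self.incomplete = OrderedDict()     # (src, sport, dst, dport) -> time SYN seen

    def _update_mode(self):
        n = len(self.incomplete)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def expire(self, now):
        """Reset every half-open entry that has outlived the watch-timeout."""
        stale = [k for k, t in self.incomplete.items() if now - t >= self.watch_timeout]
        for k in stale:
            del self.incomplete[k]
        self._update_mode()

    def syn(self, key, now):
        """A new SYN arrives; in aggressive mode one existing entry is dropped first."""
        self.expire(now)
        if self.aggressive and self.incomplete:
            victim = (next(iter(self.incomplete)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.incomplete)))
            del self.incomplete[victim]
            self.dropped += 1
        self.incomplete[key] = now
        self._update_mode()

    def established(self, key):
        """Handshake completed: the entry no longer counts as incomplete."""
        self.incomplete.pop(key, None)
        self._update_mode()

def simulate_syn_flood(count, high=1100, low=900):
    """Constructed scenario: `count` SYNs from one source, distinct ports, no ACKs."""
    m = InterceptModel(high=high, low=low)
    for i in range(count):
        m.syn(("198.51.100.7", 1024 + i, "101.1.2.100", 23), now=0.0)
    return m
```

With the defaults, a flood settles at high + 1 tracked entries while every further SYN evicts the oldest one, and the router only returns to normal mode after the count drops under the low threshold, not as soon as it dips under the high one.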

To troubleshoot TCP Intercept:

Router# show tcp intercept connections

Router# show tcp intercept statistics

Example


Host_1

int f0/0
ip add 101.1.1.100 255.255.255.0
no shut
exit

router eigrp 100
no auto-summary
network 0.0.0.0
exit

Interceptor

int f0/0
ip add 101.1.1.1 255.255.255.0
no shut
exit

int f0/1
ip add 101.1.2.1 255.255.255.0
no shut
exit

router eigrp 100
no auto-summary
network 0.0.0.0
exit

Host_2

int f0/0
ip add 101.1.2.100 255.255.255.0
no shut
exit

router eigrp 100
no auto-summary
network 0.0.0.0
exit

line vty 0 4
no login
exit

enable password cisco

username cisco password cisco

line vty 0 4
login local
exit
(Note: verify Telnet from Host_1.)

Interceptor

ip tcp intercept mode intercept

ip access-list extended 101
permit tcp any any
exit

ip tcp intercept list 101

debug ip tcp intercept

(Note: verify the TCP packets passing through the Interceptor during the Telnet session.)

ip access-list extended 102
deny tcp any any established
permit ip any any
exit

int f0/0
ip access-group 102 in

(Note: again verify the TCP packets passing through the Interceptor during the Telnet session.)

show tcp intercept connections

no ip tcp intercept mode intercept

ip tcp intercept mode watch

show tcp intercept connections

ip tcp intercept max-incomplete high 101
ip tcp intercept max-incomplete low 100


Reference: Nextlab.com
