Let's first review the TCP material from my earlier post on the "established" option in ACLs.
As said before, TCP establishes a connection through a three-way handshake. The party opening the connection sends a first segment with the SYN bit set. When a device receives this initial request for service, it replies with a segment that has both the SYN and ACK bits set and then waits for an ACK from the source. If the source never replies with that ACK, the host eventually tears the connection down on timeout. While the host is waiting for that timeout, the connection is in the half-open state, and every half-open connection consumes host resources. A SYN attack occurs when a host's resources are exhausted by connections stuck waiting for the three-way handshake to complete; if thousands of SYNs are sent to a host, it will soon crash.
At this point I need to configure TCP intercept on the router to prevent this attack.
TCP intercept prevents the attack by intercepting and validating TCP connection requests before they reach the target host; in other words, the router completes the connection in place of the host.
TCP intercept can work in two modes: intercept and watch. In intercept mode, the router intercepts all incoming TCP SYN requests, establishes a connection with the client on behalf of the server, and establishes a connection with the server on behalf of the client. If both connections succeed, the router transparently merges the two. The router applies stricter timeouts so that its own resources are not depleted by a SYN attack. In watch mode, the router passively watches half-open connections; if a connection is not completed within the configured time, the router closes it. An ACL defines the source and destination addresses to which TCP intercept applies.
Basic configuration commands:
ip tcp intercept mode {intercept | watch}: sets the TCP intercept working mode; the default is intercept.
ip tcp intercept list <acl-number>: applies an extended ACL that defines the source and destination addresses subject to TCP intercept.
Other commands:
When the router decides the server is under attack because a configured threshold has been exceeded, it actively deletes half-open connections until their number drops below the low threshold. By default the oldest connection is closed first, unless you use the ip tcp intercept drop-mode random command (which closes half-open connections at random). While a threshold is exceeded, the router takes the following actions:
1) Each new connection causes the oldest (or a random) existing connection to be deleted.
2) The initial retransmission timeout is halved, down to 0.5 seconds.
3) In watch mode, the watch timeout is halved, down to 15 seconds.
Two factors determine whether the router considers itself under attack. If either high threshold is exceeded, the router treats the server as under attack until both values have fallen below the two low thresholds. The relevant parameters and their default values are listed below with a brief description.
1) ip tcp intercept max-incomplete high <number> (default 1100)
The maximum number of half-open connections allowed before the router begins deleting connections.
2) ip tcp intercept max-incomplete low <number> (default 900)
The number of half-open connections below which the router stops deleting half-open connections.
3) ip tcp intercept one-minute high <number> (default 1100)
The maximum number of half-open connections allowed per minute before the router begins deleting connections.
4) ip tcp intercept one-minute low <number> (default 900)
The number of half-open connections per minute below which the router stops deleting connections.
The total number of half-open connections and the number of half-open connections per minute are tracked together. When either reaches its high value, TCP intercept activates and begins deleting half-open connections. Once activated, both values must fall below their low values before it stops deleting connections.
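To make the threshold behaviour concrete, here is a small Python model of the logic described above: the router tracks both the total number of half-open connections and the number seen in the last minute, either high threshold switches it into aggressive mode (each new SYN evicts the oldest or a random half-open connection, and the timers are halved), and both measures must fall below their low thresholds before it returns to normal. This is an added illustration, not Cisco's code and not part of the original post; the class and method names are my own, the 1-second base retransmission timer is an assumption the text does not state, and the thresholds, halving rules and 30-second watch timeout come from the text.

```python
import random
from collections import deque


class TcpInterceptModel:
    """Toy model of the TCP intercept threshold behaviour described above.

    Tracks the total number of half-open connections and the number of
    connection attempts seen in the last minute. Exceeding either high
    threshold puts the router into aggressive mode; both measures must fall
    below their low thresholds before it returns to normal. Illustrative
    only; this is not Cisco's implementation.
    """

    def __init__(self, max_high=1100, max_low=900, one_minute_high=1100,
                 one_minute_low=900, drop_mode="oldest", watch_timeout=30.0,
                 seed=0):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.max_high, self.max_low = max_high, max_low
        self.one_minute_high, self.one_minute_low = one_minute_high, one_minute_low
        self.drop_mode = drop_mode
        self.base_watch_timeout = watch_timeout   # 30 s default per the text
        self.rng = random.Random(seed)            # deterministic for the demo
        self.half_open = []                       # (conn_id, syn_time), arrival order
        self.arrivals = deque()                   # SYN times inside the last 60 s
        self.aggressive = False
        self.dropped = []                         # conn_ids the router reset

    def one_minute_count(self, now):
        """Connection attempts seen in the trailing 60-second window."""
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def _update_mode(self, now):
        total = len(self.half_open)
        per_minute = self.one_minute_count(now)
        if not self.aggressive:
            if total > self.max_high or per_minute > self.one_minute_high:
                self.aggressive = True
        elif total < self.max_low and per_minute < self.one_minute_low:
            self.aggressive = False   # both measures are below the low thresholds

    def watch_timeout(self):
        """Watch-mode timeout: halved (30 s -> 15 s by default) while aggressive."""
        return self.base_watch_timeout / 2 if self.aggressive else self.base_watch_timeout

    def retransmit_timeout(self):
        """Initial SYN/ACK retransmit timer; 1 s base is an assumption, halved to 0.5 s."""
        return 0.5 if self.aggressive else 1.0

    def syn(self, conn_id, now):
        """A new SYN: while aggressive, each arrival evicts one existing half-open."""
        self.arrivals.append(now)
        self.half_open.append((conn_id, now))
        self._update_mode(now)
        if self.aggressive and len(self.half_open) > 1:
            # Pick among the existing entries only; the newest is the arriving SYN.
            victim = 0 if self.drop_mode == "oldest" else self.rng.randrange(len(self.half_open) - 1)
            self.dropped.append(self.half_open.pop(victim)[0])

    def ack(self, conn_id, now):
        """Final ACK of the handshake: the connection is no longer half-open."""
        self.half_open = [c for c in self.half_open if c[0] != conn_id]
        self._update_mode(now)

    def expire(self, now):
        """Watch-mode sweep: reset every embryonic connection older than the timeout."""
        limit = self.watch_timeout()
        stale = [c[0] for c in self.half_open if now - c[1] >= limit]
        self.half_open = [c for c in self.half_open if now - c[1] < limit]
        self.dropped.extend(stale)
        self._update_mode(now)
        return stale


def demo():
    """Small thresholds (high 5, low 3) so the hysteresis is easy to follow."""
    r = TcpInterceptModel(max_high=5, max_low=3, one_minute_high=100,
                          one_minute_low=50)
    for i in range(1, 8):                 # constructed flood: seven SYNs, none completed
        r.syn(f"c{i}", now=i)
    after_flood = (r.aggressive, len(r.half_open), list(r.dropped), r.watch_timeout())
    for cid in ("c3", "c4", "c5"):        # three clients finish their handshakes
        r.ack(cid, now=10)
    after_acks = (r.aggressive, len(r.half_open), r.watch_timeout())
    expired = r.expire(now=40)            # c6 and c7 are now older than 30 s
    return after_flood, after_acks, expired


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the sixth SYN tipping the router into aggressive mode (c1 and then c2 are reset, the watch timeout drops to 15 s), the mode persisting while the count sits at 4 and 3, and only the third completed handshake, which brings the count to 2, restoring normal operation.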
Note:
In intercept mode, the router answers the incoming SYN itself, sending a SYN/ACK back to the original source IP address and then waiting for the client's ACK. If the ACK arrives, the router forwards the original SYN to the server and completes the three-way handshake with the server on behalf of the original client. This mode adds memory and CPU overhead on the router and adds latency to the start of each session.
In watch mode, the router lets SYN requests reach the server directly.
If the session is not established within 30 seconds (the default), the router sends a RST to the server to clear the connection.