By configuring a Cisco router, you can effectively prevent SYN flood attacks. TCP intercept, as the name suggests, intercepts TCP connections. Most Cisco router platforms support this feature, and its main purpose is to prevent SYN flood attacks.
SYN attacks exploit TCP's three-way handshake mechanism. The attacker sends connection requests to the victim from forged IP addresses, so the victim's response packets never reach a real destination and the handshake is never completed. The victim consumes resources while it waits to close each connection. If there are thousands of such connections, the host's resources are exhausted, which is the purpose of the attack. We can use the TCP intercept function of the Cisco router to protect hosts on the network. Taking a Cisco router as an example, there are three steps to enable TCP intercept:
1. Set the TCP intercept working mode
TCP intercept has two modes: intercept and watch (monitoring). In intercept mode, the Cisco router reviews all TCP connections, which increases the load on the router itself. Therefore, we generally run the Cisco router in watch mode, where it monitors the duration and number of TCP connections and closes a connection if the specified value is exceeded. Format: ip tcp intercept mode {intercept | watch}; default value: intercept.
2. Define the access list that identifies the hosts to be protected
Format: access-list [100-199] [deny | permit] tcp source source-wildcard destination destination-wildcard
For example, to protect the host 219.148.150.126:
access-list 101 permit tcp any host 219.148.150.126
3. Enable TCP Interception
For example, we have two servers 219.148.150.126 and 219.148.150.125 to be protected. You can configure the router as follows:
ip tcp intercept list 101
ip tcp intercept mode watch
........
access-list 101 permit tcp any host 219.148.150.125
access-list 101 permit tcp any host 219.148.150.126
After this configuration, our hosts are protected to a certain extent.
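The following is an added example, not Cisco code and not part of the original article: a simplified Python model of the watch mode described in step 1, showing which half-open connections to the two protected hosts would be reset. The function name watch, the 30-second timeout and the sample packets are assumptions constructed for illustration.

```python
# Simplified model of TCP intercept watch mode; not Cisco IOS code.
PROTECTED = {"219.148.150.125", "219.148.150.126"}  # hosts matched by access-list 101
WATCH_TIMEOUT = 30  # seconds allowed to finish the handshake (assumed value)


def watch(events, now, protected=PROTECTED, timeout=WATCH_TIMEOUT):
    """Return (reset_time, connection) for each handshake that never completed.

    events: time-ordered (t, src, sport, dst, dport, flag) packets seen by the router.
    now:    time at which the final expiry check is made.
    """
    half_open = {}  # (src, sport, dst, dport) -> time the SYN was seen
    resets = []

    def expire(t):
        for conn, seen in list(half_open.items()):
            if t - seen >= timeout:
                resets.append((seen + timeout, conn))  # router resets the server side
                del half_open[conn]

    for t, src, sport, dst, dport, flag in events:
        expire(t)
        if dst not in protected:
            continue  # traffic not matched by the access list is ignored
        conn = (src, sport, dst, dport)
        if flag == "SYN":
            half_open.setdefault(conn, t)
        elif flag in ("ACK", "RST"):
            half_open.pop(conn, None)  # handshake finished or abandoned by the client
    expire(now)
    return resets


# Constructed sample traffic: one real client, two forged sources, one unprotected host.
SAMPLE = [
    (0, "192.0.2.10", 40000, "219.148.150.126", 80, "SYN"),
    (1, "198.51.100.7", 1025, "219.148.150.126", 80, "SYN"),   # forged, never ACKed
    (1, "192.0.2.10", 40000, "219.148.150.126", 80, "ACK"),    # handshake completes
    (2, "198.51.100.8", 1026, "219.148.150.125", 80, "SYN"),   # forged, never ACKed
    (3, "198.51.100.9", 1027, "203.0.113.5", 80, "SYN"),       # not in the access list
]

if __name__ == "__main__":
    for when, conn in watch(SAMPLE, now=60):
        print(f"t={when}s reset half-open {conn[0]}:{conn[1]} -> {conn[2]}:{conn[3]}")
```

Only the two forged handshakes to the protected hosts are reset; the completed connection and the SYN to the host outside the access list are left alone.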