Cisco router security: intercepting illegal TCP connections

TCP connection attacks are common on the network. In fact, most attacks are based on TCP connections; sending a large volume of connection requests so that the server is driven into denial of service is a connection attack. Below, a Cisco router is used as an example to show how to intercept illegal TCP connections. In the so-called three-way handshake of a TCP connection, the first packet one party sends to the other has the SYN bit set. When a device receives this initial packet requesting service, it sends back a packet with the SYN and ACK bits set and waits for the ACK response from the source.
TCP intercept blocks and verifies TCP connection requests before they reach the target host, which prevents such attacks. In other words, the Cisco router establishes the connection in place of the host, so to prevent such attacks you need to configure TCP intercept on the Cisco router.

1. In intercept mode, the Cisco router intercepts all TCP synchronization (SYN) requests, establishes a connection with the client on behalf of the server and a connection with the server on behalf of the client; if both connections succeed, the router transparently merges the two. The router applies stricter timeouts than a host would, so that its own resources are not exhausted by a SYN attack.
2. In watch (monitoring) mode, the Cisco router passively observes the half-open connections; if a half-open connection is not completed within the configured time, the router closes it. An ACL is used to define the source and destination addresses to which TCP intercept applies. (1) ip tcp intercept mode sets the TCP intercept working mode; the default is intercept. (2) ip tcp intercept list ACL-number calls the ACL that defines the source and destination addresses for TCP intercept. (3) When the router determines that the server is under attack because a configured threshold has been exceeded, it actively deletes connections until the number of half-open connections falls below the threshold; by default the oldest connection is closed first, unless ip tcp intercept drop-mode random is configured.
3. When a threshold is exceeded, the router takes the following actions: (1) each new connection causes the deletion of one of the oldest (or a random) half-open connections; (2) the initial retransmission timeout is halved, down to 0.5 seconds; (3) in watch mode, the watch timeout is halved, down to 15 seconds.
4. The following parameters determine whether the router is considered under attack. If either of the two high thresholds is exceeded, the router is considered under attack and remains so until both values have dropped below the corresponding low thresholds. The parameters and their default values are briefly described here:
(1) ip tcp intercept max-incomplete high number (default 1100): the maximum number of half-open connections that may exist before the router begins deleting connections.
(2) ip tcp intercept max-incomplete low number (default 900): the number of half-open connections below which the router stops deleting half-open connections.
(3) ip tcp intercept one-minute high number (default 1100): the maximum number of new half-open connections per minute before the router begins deleting connections.
(4) ip tcp intercept one-minute low number: the number of new half-open connections per minute below which the router stops deleting connections.
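The commands above assembled into one working configuration, added here as an example and not taken from the original article. The protected server address 192.0.2.10, the ACL number 101 and the 20-second watch timeout are assumed values, and ip tcp intercept watch-timeout is the IOS command for the watch-mode timeout the text refers to.

```cisco
! ACL 101 selects the traffic TCP intercept protects: any client to the
! protected server 192.0.2.10 (assumed address for this example).
access-list 101 permit tcp any host 192.0.2.10
!
! Apply TCP intercept only to connections matching ACL 101.
ip tcp intercept list 101
!
! Watch mode: the router observes half-open connections instead of
! completing the handshake on the server's behalf (the default mode is intercept).
ip tcp intercept mode watch
!
! Reset a half-open connection that is not completed within 20 seconds
! (assumed value; this is the timeout that is halved in aggressive mode).
ip tcp intercept watch-timeout 20
!
! When dropping, pick a random half-open connection instead of the oldest,
! so the drop policy does not predictably spare the newest connections.
ip tcp intercept drop-mode random
!
! Aggressive dropping starts when EITHER high threshold is crossed and stops
! only when BOTH counters are back below their low thresholds.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
```

After applying it, show tcp intercept statistics reports the current half-open counts and whether the router is in aggressive mode, and show tcp intercept connections lists the individual half-open and established connections being tracked.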
The total number of half-open connections and the number of new half-open connections per minute are tracked separately. When either reaches its high threshold, TCP intercept starts deleting half-open connections. Once activated, both values must fall below their low thresholds before the router stops deleting connections. This completes the configuration of illegal TCP connection interception on a Cisco router; readers facing the same problem can try it to solve it.