During the three-way handshake that establishes a TCP connection, the first packet the client sends to the server carries the SYN bit. When the server receives this initial request, it responds with a packet that has both the SYN and ACK bits set and waits for the client's ACK. If the client never sends that ACK, the server eventually drops the connection when its timer expires. While the server is waiting, the connection is in the half-open state, and every half-open connection occupies an entry in the server's backlog queue together with the memory that goes with it. A SYN attack (SYN flood) exploits exactly this: the attacker sends tens of thousands of SYN packets, typically from forged source addresses so that no ACK ever comes back, and the server's backlog fills with half-open connections that only expire on timeout. Once those resources are exhausted the server can no longer accept new connections from legitimate clients, even though the host itself is usually still running.
If TCP intercept is configured on the router, the router intercepts and validates TCP connection requests before they reach the server. In other words, the router completes the handshake on the server's behalf, so an unfinished handshake ties up state on the router rather than on the server.
TCP intercept works in one of two modes: intercept and watch (monitoring). In intercept mode, the router intercepts every incoming TCP SYN that matches the access list, completes the three-way handshake with the client on behalf of the server, and only then opens a connection to the server on behalf of the client. If both connections are established, the router transparently splices them together and the client and server communicate as usual. Because the router is now the one holding half-open state, it applies much more aggressive timeouts than the server would, so that a flood of unanswered SYNs cannot exhaust its own resources. The cost of intercept mode is extra memory and CPU load on the router and some added latency at the start of each session, since the handshake is completed in two stages. In watch mode, the router lets SYN requests pass straight through to the server and only observes the handshakes passively. If a connection stays half-open for longer than the configured watch timeout, the router sends a reset to the server to clear the half-open entry. In both modes an extended access list defines the source and destination addresses that TCP intercept applies to; only connections matching the list are intercepted or watched.
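The following Cisco IOS configuration is an added example, not taken from the original page; it shows the access list, the mode selection and the timeouts described above for a hypothetical protected server at 10.0.0.5. The threshold and drop-mode lines go slightly beyond the text: they control when TCP intercept tightens its timeouts and which half-open connection it drops first under load, and the values shown are illustrative assumptions, not recommendations for any particular network.

```cisco
! Extended ACL: only connections destined for the protected server
! (assumed address 10.0.0.5) are intercepted or watched. Source "any"
! matters because a SYN flood uses forged, unpredictable sources.
access-list 101 permit tcp any host 10.0.0.5

! Bind TCP intercept to the ACL. Without this line nothing is intercepted.
ip tcp intercept list 101

! Mode: "intercept" makes the router complete the handshake on the
! server's behalf; "watch" lets SYNs through and only resets connections
! that stay half-open too long. Pick one.
ip tcp intercept mode intercept
! ip tcp intercept mode watch

! Watch mode: how long a connection may stay half-open before the router
! sends a reset to the server to clear it (default is 30 seconds).
ip tcp intercept watch-timeout 20

! How long the router keeps managing a connection after it is established,
! and how long it waits after seeing a FIN/RST before dropping its state.
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 5

! Beyond the text: when the number of half-open connections, or the number
! of connection attempts in the last minute, crosses the "high" value the
! router becomes aggressive (shorter retransmission timeouts, drops an old
! half-open connection for every new SYN) until it falls below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900

! Which half-open connection to discard when aggressive: "random" is
! harder for an attacker to game than "oldest".
ip tcp intercept drop-mode random
```

To confirm the feature is active and to watch a flood in progress, use `show tcp intercept statistics` for the aggregate counters and `show tcp intercept connections` for the current list of incomplete and established connections the router is managing.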