CCIE Security v5 :: TCP Interception

This article accompanies the demonstration video I have created below.

TCP interception is a CCIE Security version 5 blueprint topic.

What is TCP interception?

TCP interception is a method used to protect against TCP SYN-flooding attacks. This is achieved by intercepting TCP connection requests (SYN packets) and verifying the connection before passing the original TCP SYN packet onto the destination.

How does it work?

The device configured for TCP interception establishes a connection with the client on behalf of the server and if the connection is successful i.e the TCP 3-way handshake is successful, the software will establish a connection with the server by forming two transparent connections. The original SYN packet is passed onto the server and the 3-way handshake takes place and once this has completed the session is established and the two half-connections are joined. (See video for demonstration)

TCP interception can operate in two modes, Intercept and Watch mode.

Intercept mode is on by default! In Intercept mode the device configured will intercept TCP SYN requests on behalf of the server. (Operation is as mentioned above)

In Watch mode, the TCP SYN connections are allowed to pass the configured device but these connections are watched to see if they become established. If connections are not established within the default allotted time of 30 seconds, the device sends a reset request to the server to clear up the state.

How is TCP Interception triggered?

The two factors that determine when TCP interception kicks into play are;

  • The number of incomplete connections
  • The number of connection requests

If the thresholds are exceeded TCP Interception assumes the device is under attack and goes into aggressive mode. Once in aggressive mode, every new packet will cause the oldest packet by default to be deleted. Configured timeouts are reduced by half too.

Configuration Example

Router# configure terminal
Router(config)# access-list 101 permit tcp any any
Router(config)# ip tcp intercept list 101
Router(config)# ip tcp intercept mode intercept – By default intercept mode is configured
Router(config)# ip tcp intercept drop-mode oldest – By default the software drops the oldest partial connection

Router(config)# ip tcp intercept watch-timeout 100 – Changes the time allowed to reach established state (Waits for 30 seconds by default)
Router(config)# ip tcp intercept finrst-timeout 120 – Changes the time between receipt of a FIN-exchange or Reset and dropping the connection (Waits for 5 seconds by default)
Router(config)# ip tcp intercept connection-timeout 120 – Changes the time the software will manage a connection after no activity (Still manages the connection for 24 hours by default)

Modifying Thresholds

Router(config)# ip tcp intercept max-incomplete low 900 high 1100 – (Default values are 900-1100)
Router(config)# ip tcp intercept one-minute low 900 high 1100(Default values are 900-1100)

Video Demonstration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.