May 24, 2018

CCIE Security v5 :: TCP Interception

(Last Updated On: 24th October 2017)

This article accompanies the demonstration video I have created below.

TCP interception is a CCIE Security version 5 blueprint topic.

What is TCP interception?

TCP interception is a method used to protect against TCP SYN-flooding attacks. This is achieved by intercepting TCP connection requests (SYN packets) and verifying the connection before passing the original TCP SYN packet onto the destination.

How does it work?

The device configured for TCP interception establishes a connection with the client on behalf of the server and if the connection is successful i.e the TCP 3-way handshake is successful, the software will establish a connection with the server by forming two transparent connections. The original SYN packet is passed onto the server and the 3-way handshake takes place and once this has completed the session is established and the two half-connections are joined. (See video for demonstration)

TCP interception can operate in two modes, Intercept and Watch mode.

Intercept mode is on by default! In Intercept mode the device configured will intercept TCP SYN requests on behalf of the server. (Operation is as mentioned above)

In Watch mode, the TCP SYN connections are allowed to pass the configured device but these connections are watched to see if they become established. If connections are not established within the default allotted time of 30 seconds, the device sends a reset request to the server to clear up the state.

How is TCP Interception triggered?

The two factors that determine when TCP interception kicks into play are;

  • The number of incomplete connections
  • The number of connection requests

If the thresholds are exceeded TCP Interception assumes the device is under attack and goes into aggressive mode. Once in aggressive mode, every new packet will cause the oldest packet by default to be deleted. Configured timeouts are reduced by half too.

Configuration Example

Router# configure terminal
Router(config)# access-list 101 permit tcp any any
Router(config)# ip tcp intercept list 101
Router(config)# ip tcp intercept mode intercept – By default intercept mode is configured
Router(config)# ip tcp intercept drop-mode oldest – By default the software drops the oldest partial connection

Router(config)# ip tcp intercept watch-timeout 100 – Changes the time allowed to reach established state (Waits for 30 seconds by default)
Router(config)# ip tcp intercept finrst-timeout 120 – Changes the time between receipt of a FIN-exchange or Reset and dropping the connection (Waits for 5 seconds by default)
Router(config)# ip tcp intercept connection-timeout 120 – Changes the time the software will manage a connection after no activity (Still manages the connection for 24 hours by default)

Modifying Thresholds

Router(config)# ip tcp intercept max-incomplete low 900 high 1100 – (Default values are 900-1100)
Router(config)# ip tcp intercept one-minute low 900 high 1100(Default values are 900-1100)

Video Demonstration

Previous «
Next »

Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.

Leave a Reply

Subscribe to SYNACK via Email

%d bloggers like this: