Security against syn flood with cisco routers

Security against syn flood with cisco routers

by Cyrus Lok on Saturday, March 13, 2010 at 8:44pm

TCP syn floods are half open connections initiated by the attacker against the victim server in order to achieve the objective of denial of service.

cisco router has a feature against this kind of attack i.e TCP intercept.

cisco will test the tcp connection first before letting the request packet pass through the router and to the destination host.

During TCP intercept mode:
1. an unknown client sends a tcp syn packet.
2. cisco router sends back a syn+ack packet on behalf of the destination server back to the source client.
3. cisco router will wait and see if the source client will return an ack packet or not.
4. if no the tcp connection will be closed.
5. if yes cisco router acknowledges that the tcp connection is legitimate; router will open a tcp connection to the destination host.

R0(config)#ip tcp intercept ?
connection-timeout Specify timeout for connection info
drop-mode Specify incomplete connection drop mode
finrst-timeout Specify timeout for FIN/RST
list Specify access-list to use
max-incomplete Specify maximum number of incomplete connections before
mode Specify intercepting mode
one-minute Specify one-minute-sample watermarks for clamping
watch-timeout Specify timeout for incomplete connections in watch mode

R0(config)#ip tcp intercept mode intercept
command accepted, interfaces with mls configured might cause inconsistent behavior

cisco documentation:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s