TCP Intercept

September 6, 2008 at 3:20 pm | Posted in Security | 1 Comment

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depends on the platform, memory, processor, and other factors.

In the case of illegitimate requests, the software’s aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.

You can choose to operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.


R4#sh run | in tcp
ip tcp intercept list 199
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 1200
ip tcp intercept max-incomplete high 1500
ip tcp intercept drop-mode random
access-list 199 permit tcp any eq www

! Turn off CEF and Fast Switching to be able to see Debug IP TCP intercept

interface Ethernet0/0
 no ip route-cache

interface Serial0/0.1 point-to-point
 no ip route-cache

interface Serial0/1
 no ip route-cache


R4#debug ip tcp intercept
TCP intercept debugging is on

*Apr  7 11:17:29.051: INTERCEPT: new connection ( SYN ->
*Apr  7 11:17:29.051: INTERCEPT(*): ( <- ACK+SYN
*Apr  7 11:17:29.067: INTERCEPT: 1st half of connection is established ( ACK ->
*Apr  7 11:17:29.067: INTERCEPT(*): ( SYN ->
*Apr  7 11:17:29.071: INTERCEPT: client packet dropped in SYNSENT ( ->
*Apr  7 11:17:29.075: INTERCEPT: client packet dropped in SYNSENT ( ->
*Apr  7 11:17:30.067: INTERCEPT(*): SYNSENT retransmit 1 ( SYN ->
*Apr  7 11:17:30.067: INTERCEPT: client packet dropped in SYNSENT ( ->

*Apr  7 11:18:00.067: INTERCEPT: SYNSENT retransmitting too long ( <->
*Apr  7 11:18:00.067: INTERCEPT(*): ( <- RST

One side note with debugging ip tcp intercept is that we have to turn the CEF or Fast Switching off, similar to when you want to see output of debug ip packet for those that transit the router. If we do not have “no ip route-cache” interface command, we will not see transit IP packets. Same applied for tcp intercept sessions.

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Traffic Filtering, Firewalls, and Virus Detection
  • Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
  • TCP Intercept Configuration Task List

1 Comment »

RSS feed for comments on this post. TrackBack URI

  1. Fantastic!!!

    This is a greate demo of this feature. Thanks :)

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at
Entries and comments feeds.

%d bloggers like this: