This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers regarding the CCIE R&S track! Note: answers are in the comment field or within the "Read More" section.

You can also follow me on twitter @FE80CC1E


Friday, May 14, 2010

Question 86

What is TCP intercept?
Provide an example.

TCP Intercept protects TCP servers against SYN-flooding denial-of-service (DoS) attacks. The ip tcp intercept commands let the router intercept incoming TCP connection requests to the protected servers and confirm that each request comes from a client that will actually complete the handshake, so that half-open connections from spoofed or unreachable sources never consume the server's connection queue.
TCP intercept has two modes:

-intercept (the default): The router intercepts client connection requests and answers them on behalf of the server. When a client sends a TCP SYN to a protected server, the router intercepts it and replies with a SYN-ACK on behalf of the server. If the request is legitimate, the client returns an ACK to the router; only then does the router open its own connection to the server, performing a second three-way handshake on the client's behalf, after which the two half-connections are joined and traffic flows transparently between client and server. A SYN from a spoofed or unreachable source never produces an ACK, so the server never sees it; the router discards that half-open entry once its SYN-ACK retransmissions are exhausted.

-watch: The router passively watches connection requests as they pass through it. If a connection has not reached the established state within 30 seconds (the default, adjustable with ip tcp intercept watch-timeout), the router sends a reset (RST) to the server to clear the half-open connection state.

Example: An extended ACL selects the traffic to protect; here the router intercepts TCP connection requests destined to any server on the 10.10.10.0/24 network, and all other TCP traffic passes through untouched.

config#access-list 101 permit tcp any 10.10.10.0 0.0.0.255
config#ip tcp intercept list 101
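The two-line example above is the minimum. As an added example (not part of the original post), here is a fuller TCP intercept configuration for the same 10.10.10.0/24 servers that also sets the aggressive-mode thresholds, the drop policy, the timers, and the watch-mode alternative, followed by the show commands used to verify it. The ACL number, addresses and the specific threshold and timer values are assumptions chosen for illustration; the command syntax is the classic IOS form.

```cisco
! Added example, not from the original post. ACL number, addresses and
! the threshold/timer values below are assumptions chosen for illustration.
!
! 1. Select what to protect: only connection requests matching the ACL
!    are intercepted; everything else passes through untouched.
access-list 101 permit tcp any 10.10.10.0 0.0.0.255
ip tcp intercept list 101
!
! 2. Intercept mode (the default): the router proxies the three-way
!    handshake and only contacts the server once the client has ACKed.
ip tcp intercept mode intercept
!
! 3. Aggressive-mode thresholds. When either the number of incomplete
!    connections or the one-minute connection-attempt rate exceeds the
!    "high" value, the router enters aggressive mode: every new SYN causes
!    an existing half-open connection to be dropped and the retransmission
!    timeout is halved. It returns to normal once both counts fall below
!    the "low" values. (IOS defaults are 1100 high / 900 low; lowered here
!    for a small server farm.)
ip tcp intercept max-incomplete high 600
ip tcp intercept max-incomplete low 400
ip tcp intercept one-minute high 600
ip tcp intercept one-minute low 400
!
! 4. In aggressive mode drop a random half-open connection instead of the
!    oldest one (the default), so the eviction order is not predictable.
ip tcp intercept drop-mode random
!
! 5. Timers: stop managing an idle established connection after 1 hour
!    (default 24 hours) and release state 5 seconds after a FIN or RST
!    exchange (the default).
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 5
!
! Watch-mode alternative: observe only, and reset the server side if a
! connection is not established within 20 seconds (default 30 seconds).
! Replace step 2 with:
!   ip tcp intercept mode watch
!   ip tcp intercept watch-timeout 20
!
! Verification (exec mode):
!   show tcp intercept connections   ! half-open and established entries
!   show tcp intercept statistics    ! counters and current mode (normal/aggressive)
```

When tuning the thresholds, watch `show tcp intercept statistics` during normal peak load first: if the high-water marks sit below your legitimate one-minute connection rate, the router will spend busy hours in aggressive mode and evict real half-open connections along with the fake ones.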
