CCNA Security Tutorial:
"SYN Flooding Attacks" and TCP Intercept
Chris Bryant, CCIE #12933

Here's an illustrated introduction to SYN flooding attacks and TCP Intercept - valuable reading for both CCNA Security and CCNP candidates!
SYN Flooding Attacks And TCP Intercept
Remember the TCP connection process you learned about during your CCNA studies? Part of that process can actually be used as a weapon against our network via a SYN Flooding attack.
In this situation, the "SYN" our network is being attacked with is a stream of TCP packets with the SYN flag set. The source IP addresses in those packets are spoofed and belong to no reachable host, so the SYN-ACK the server sends back is never answered.
This simple attack has two consequences for the server:
The TCP three-way handshake can never finish, because there is no legitimate sender to return the final ACK; all of those half-open sessions just pile up on the server until they exhaust its connection resources.
In turn, this prevents legitimate users from opening sessions and accessing network resources. That's why we call this type of attack a Denial of Service (DoS) attack.
A common network security tool used to prevent these attacks is TCP Intercept - and it's those incoming SYN requests that our router will either intercept or watch.
TCP Intercept is generally run in intercept mode, allowing the router to intercept those TCP SYN requests and answer them on behalf of the server. When a TCP SYN is received by the router, the router answers it with a SYN-ACK.

If the SYN source is legitimate, a TCP ACK should be received by the router. If and when that happens, the router considers that three-way handshake to be complete and the SYN source to be legitimate.

In turn, the router opens a TCP connection to the server, and when that connection is complete, the router merges the two open connections into one. This prevents any non-legitimate SYN packets from ever reaching the server.
TCP Intercept can be configured to intercept all incoming SYN packets, or an ACL can be written to identify the source and destination for packets that should be intercepted. (Yet another use for ACLs!)
TCP Intercept can also be run in watch mode, a more passive mode than intercept mode. In watch mode, the router does not intercept the SYN packets, but passes them through to the TCP server. 
The router isn't totally passive, though. The router monitors this incomplete TCP connection, and will close it if it's not completed after a certain period of time - by default, 30 seconds.
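To make the two modes concrete, here is an added example that is not part of the original tutorial and not Cisco code: a small Python model of a router running TCP Intercept in front of a server. It plays a constructed scenario (a burst of spoofed SYNs that never ACK, then a few real clients that complete the handshake) through both intercept mode and watch mode, so you can see that in intercept mode the server never holds a single half-open connection, while in watch mode the server does hold them until the router's watch timer (30 seconds, the IOS default) resets them. Addresses are constructed sample values from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24; the class and function names are the example's own.

```python
# Added example (not part of the original tutorial and not Cisco code): a small
# model of a router running TCP Intercept in front of a server.  It shows why
# spoofed SYNs never reach the server in intercept mode and how watch mode
# reaps half-open connections once the watch timeout expires.
from dataclasses import dataclass, field

WATCH_TIMEOUT = 30  # IOS default for "ip tcp intercept watch-timeout", in seconds


@dataclass
class InterceptRouter:
    mode: str = "intercept"          # "intercept" or "watch"
    watch_timeout: int = WATCH_TIMEOUT
    # Connections the server itself is currently holding
    server_half_open: set = field(default_factory=set)
    server_established: set = field(default_factory=set)
    # Embryonic connections the router tracks on the server's behalf
    router_half_open: dict = field(default_factory=dict)  # key -> time SYN-ACK sent
    watched: dict = field(default_factory=dict)           # key -> time SYN forwarded
    router_dropped: int = 0   # stale intercept-mode entries the router discarded
    resets_sent: int = 0      # watch-mode connections the router reset on the server

    def on_syn(self, key: str, now: float) -> None:
        if self.mode == "intercept":
            # Router answers with a SYN-ACK itself; the server sees nothing yet
            self.router_half_open[key] = now
        else:
            # Watch mode: pass the SYN through to the server and start the timer
            self.server_half_open.add(key)
            self.watched[key] = now

    def on_ack(self, key: str, now: float) -> None:
        if self.mode == "intercept":
            if self.router_half_open.pop(key, None) is not None:
                # The client proved it is real; the router now opens its own
                # connection to the server and merges the two into one session
                self.server_established.add(key)
        elif key in self.server_half_open:
            self.server_half_open.discard(key)
            self.watched.pop(key, None)
            self.server_established.add(key)

    def tick(self, now: float) -> None:
        """Expire half-open entries whose watch timer has run out."""
        for key, started in list(self.watched.items()):
            if now - started >= self.watch_timeout:
                # Router resets the stuck connection so the server frees it
                del self.watched[key]
                self.server_half_open.discard(key)
                self.resets_sent += 1
        for key, started in list(self.router_half_open.items()):
            if now - started >= self.watch_timeout:
                # Intercept mode: the router simply discards its own stale entry
                del self.router_half_open[key]
                self.router_dropped += 1


def simulate(mode: str, spoofed_syns: int = 100, legit_clients: int = 3) -> dict:
    """Constructed scenario: a burst of spoofed SYNs that never ACK, followed by
    a few legitimate clients that complete the handshake.  Returns server state
    at t=5s (before the timeout) and t=35s (after it)."""
    router = InterceptRouter(mode=mode)
    for i in range(spoofed_syns):  # t=0: spoofed sources, never answer
        router.on_syn(f"198.51.100.{i % 250}:{40000 + i}", now=0)
    for i in range(legit_clients):  # t=1: real clients finish the handshake
        key = f"203.0.113.{i + 1}:50000"
        router.on_syn(key, now=1)
        router.on_ack(key, now=1)
    router.tick(now=5)
    before = (len(router.server_half_open), len(router.server_established))
    router.tick(now=35)  # past the 30-second watch timeout
    after = (len(router.server_half_open), len(router.server_established))
    return {
        "server_half_open_t5": before[0], "server_established_t5": before[1],
        "server_half_open_t35": after[0], "server_established_t35": after[1],
        "resets_sent": router.resets_sent, "router_dropped": router.router_dropped,
    }


if __name__ == "__main__":
    for mode in ("intercept", "watch"):
        print(mode, simulate(mode))
```

Running it shows the practical difference: with `mode="intercept"` the server's half-open count stays at zero throughout and only the three real clients ever reach it, whereas with `mode="watch"` the server carries all 100 half-open connections until the router's timer fires and resets them. That is the trade-off the tutorial describes: watch mode is less work for the router but leaves the server exposed for up to the watch timeout.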
Now that we have the basics of TCP Intercept down, let's look at a few of the available TCP Intercept options. Use the ip tcp intercept mode command to configure the desired mode.
R1(config)#ip tcp intercept mode ?
intercept Intercept connections
watch Watch connections
R1(config)#ip tcp intercept mode intercept
That watch-time default of 30 seconds for a connection to reach "Established" state can be changed with the ip tcp intercept watch-timeout command.
R1(config)#ip tcp intercept watch-timeout ?
<1-2147483> Timeout in seconds
To configure an ACL to define the source and destination of packets that should be subject to TCP Intercept, write the ACL and then apply it with the ip tcp intercept list command. It's likely you'll specify a source of "any", as I did in the following example.
R1(config)#access-list 110 permit tcp any 10.0.0.0 0.255.255.255
R1(config)#ip tcp intercept list 110

There are other commands available to help you fine-tune TCP Intercept, and there are also real-world issues with TCP Intercept that you should be aware of before using this feature on your network.
Make sure to visit Cisco's website and do some extensive search engine work on "tcp intercept" before putting it into action on your network.
Thanks for taking the time to read this tutorial, and be sure to visit our CCNA / CCNP and CCNA Security Tutorials pages!