TCP Intercept causing high CPU utilization

leowchongwei
Level 1

Hi,

Had a synflood attack and it caused my router to have high CPU utilization... However, if I remove the ip tcp intercept, then the CPU utilization is fine... Any solutions for this?

Thanks,

Steven

5 Replies

mostiguy
Level 6

Your router has more work to do when it is being attacked. If it deflected the synflood attack, what is the real problem? You could replace it with a more powerful router, but how often do you expect to get syn flooded?

How can I stop or block the SYN flood? I hope to block a SYN flood to my customer's server, but if I use the "ip tcp intercept", it only causes my router to reach 100% CPU utilization and the SYN flood to my customer's server continues...

You could try one of the other firewall features e.g. IDS or CBAC. IDS is really the ideal one for this situation but much more complicated to implement than TCP Intercept.

But IDS is meant for monitoring only, right? How can I stop the synflood?

Yes, IDS is usually intended to 'sniff' malicious traffic and 'normally' does not have the capacity to 'stop' the activity. However, there are Cisco devices that are capable of dynamically applying a 'shun' of the offending IP addresses when triggered by an IDS event.

You really should either be upgrading your router to more robust and capable hardware; however, the CPU issue will not necessarily go away. It is a router and not a firewall. A dedicated firewall will handle these attacks more reliably and with greater precision.

There is a feature called 'embryonic limit' in a PIX firewall that works very well for these types of attack. Other security vendors offer similar 'SYN Blocking' features, so look around.