Vibhor Amrodia
Cisco Employee
    Introduction

    The TCP intercept feature is a mechanism to protect the end hosts from TCP SYN-flooding attacks, a type of DoS attack.

    A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

    The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests.

    Intercept mode

    The TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depend on the platform, memory, processor, and other factors.

    In the case of illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.

    When establishing your security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and threshold of outstanding connections.

    You can choose to operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

    Configuration

    Using NAT

    [no] static (real_ifc, mapped_ifc) <mapped_ip> <real_ip> netmask <mask> tcp <max_conns> <emb_lim>

    ciscoasa(config)# static (inside,outside) 1.2.3.4 5.6.7.8 netmask 255.255.255.255 tcp 0 10

    <max_conns>: The maximum number of simultaneous TCP connections that each <real_ip> host will be allowed. A value of 0 allows unlimited connections.

    <emb_lim>: The maximum number of embryonic (half-open) connections per host.

    In this example, <max_conns> of 0 leaves the number of TCP connections through the NAT unlimited, while <emb_lim> of 10 means TCP intercept is triggered once 10 embryonic connections to the host exist.

    Using Modular Policy Framework

    policy-map <name>
    class <class_map_name>
    set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

    ciscoasa(config)# policy-map global_policy
    ciscoasa(config-pmap)# class class-default
    ciscoasa(config-pmap-c)# set connection embryonic-conn-max 1
    
    <conn-max>: The maximum number of simultaneous TCP and/or UDP connections that are allowed. The default is 0, which allows unlimited connections.
    
    <embryonic-conn-max>: The maximum number of simultaneous embryonic connections allowed. The default is 0, which allows unlimited connections.
    
    <per-client-embryonic-max>: The maximum number of simultaneous embryonic connections allowed per client. The default is 0, which allows unlimited connections.
    
    <per-client-max>: The maximum number of simultaneous connections allowed per client. The default is 0, which allows unlimited connections.
    
    <random-sequence-number>: Enables or disables TCP sequence number randomization.
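    To make the embryonic-limit behaviour concrete, here is a small Python model of how the four `set connection` limits above (and the equivalent `tcp <max_conns> <emb_lim>` arguments of the NAT form) decide the fate of each incoming SYN. It is added for illustration only; it is not Cisco code and does not reproduce the ASA's internal implementation. Hard limits (conn-max, per-client-max) refuse a flow outright, while embryonic limits switch the firewall into the intercept behaviour described in the Intercept mode section, where it completes the handshake with the client itself and only contacts the server on success, and half-open flows are aged out by timeouts. The timeout values, the class and function names, and the sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectionLimits:
    """Mirrors the `set connection` keywords; 0 means unlimited, as on the ASA."""
    conn_max: int = 0
    embryonic_conn_max: int = 0
    per_client_embryonic_max: int = 0
    per_client_max: int = 0
    # Ageing intervals are assumptions for the model, not ASA defaults.
    half_open_timeout: float = 30.0   # unanswered SYN that was forwarded to the server
    proxied_timeout: float = 10.0     # "aggressive" timeout for a SYN the firewall answered itself


def _over(limit: int, current: int) -> bool:
    """True when adding one more flow would exceed a non-zero limit."""
    return limit != 0 and current + 1 > limit


def _client_count(flows, client: str) -> int:
    """Number of flows in `flows` (keys of (client, server, port)) from one client."""
    return sum(1 for (c, _, _) in flows if c == client)


@dataclass
class InterceptModel:
    limits: ConnectionLimits
    # All tables are keyed by (client, server, client_port).
    embryonic: dict = field(default_factory=dict)   # SYN forwarded to the server, no ACK yet
    proxied: dict = field(default_factory=dict)     # SYN answered by the firewall, server untouched
    established: set = field(default_factory=set)

    def _expire(self, now: float) -> None:
        """Age out half-open flows whose handshake never completed."""
        for table, timeout in ((self.embryonic, self.limits.half_open_timeout),
                               (self.proxied, self.limits.proxied_timeout)):
            for key in [k for k, t in table.items() if now - t > timeout]:
                del table[key]

    def on_syn(self, client: str, server: str, client_port: int, now: float) -> str:
        """Decide what happens to a new SYN: 'forward', 'intercept' or 'drop'."""
        self._expire(now)
        key = (client, server, client_port)
        all_flows = list(self.embryonic) + list(self.proxied) + list(self.established)
        # Hard connection limits: the flow is refused outright.
        if _over(self.limits.conn_max, len(all_flows)):
            return "drop"
        if _over(self.limits.per_client_max, _client_count(all_flows, client)):
            return "drop"
        # Embryonic limits: the SYN is not dropped, but the firewall completes the
        # handshake with the client itself and contacts the server only on success,
        # so a spoofed source that never answers never costs the server a half-open slot.
        if (_over(self.limits.embryonic_conn_max, len(self.embryonic))
                or _over(self.limits.per_client_embryonic_max,
                         _client_count(self.embryonic, client))):
            self.proxied[key] = now
            return "intercept"
        self.embryonic[key] = now
        return "forward"

    def on_ack(self, client: str, server: str, client_port: int) -> bool:
        """Client's final ACK: the half-open flow (from either table) becomes established."""
        key = (client, server, client_port)
        for table in (self.embryonic, self.proxied):
            if key in table:
                del table[key]
                self.established.add(key)
                return True
        return False


def run_flood_scenario() -> dict:
    """Constructed scenario: spoofed sources open many SYNs, one real client completes."""
    model = InterceptModel(ConnectionLimits(embryonic_conn_max=10))
    verdicts = {"forward": 0, "intercept": 0, "drop": 0}
    # 15 SYNs from unreachable (spoofed, documentation-range) addresses; none ever ACKs.
    for i in range(15):
        verdicts[model.on_syn(f"198.51.100.{i}", "192.0.2.10", 40000 + i, now=float(i))] += 1
    # A legitimate client arrives during the flood: it is intercepted, not dropped,
    # and still gets through because it answers the firewall's SYN-ACK.
    verdicts[model.on_syn("203.0.113.5", "192.0.2.10", 51000, now=16.0)] += 1
    model.on_ack("203.0.113.5", "192.0.2.10", 51000)
    half_open_during = len(model.embryonic) + len(model.proxied)
    # Much later the unanswered flows have aged out and new SYNs are forwarded again.
    verdicts[model.on_syn("203.0.113.6", "192.0.2.10", 51001, now=80.0)] += 1
    return {
        "verdicts": verdicts,
        "half_open_during_flood": half_open_during,
        "half_open_after_ageing": len(model.embryonic) + len(model.proxied),
        "established": len(model.established),
    }


if __name__ == "__main__":
    print(run_flood_scenario())
```

    Running the scenario shows the property the feature is meant to deliver: with an embryonic limit of 10, the first ten spoofed SYNs reach the server, every later SYN is answered by the firewall instead, and the one legitimate client is still able to connect during the flood; after the half-open flows age out, forwarding resumes. Setting conn-max or per-client-max instead produces drops rather than intercepts, which is why the embryonic limits are the ones to tune against SYN floods.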

    Using Threat-Detection

    In order to enable TCP intercept statistics, use the threat-detection statistics tcp-intercept command.

    ciscoasa(config)# threat-detection statistics tcp-intercept

    In order to configure custom rates for TCP intercept statistics, use the rate-interval, average-rate, and burst-rate keywords.

    ciscoasa(config)# threat-detection statistics tcp-intercept rate-interval 45 burst-rate 400 average-rate 100
