Cisco Catalyst 6500 Series Configuration Manual page 33

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01

Chapter 1: Introduction to the Firewall Services Module
Features

Table 1-3 Protection Features (continued)

Protection Feature: TCP Intercept
Description: TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN[4] packets. Enable this feature by setting the maximum embryonic connections option of the nat and static commands. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. For detailed information about configuring TCP intercept, see the "Monitoring SYN Attacks using TCP Intercept" section on page 5-29.

Protection Feature: Unicast Reverse Path Forwarding
Description: Unicast RPF helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. Enable this feature using the ip verify reverse-path command.

1. Domain Name System
2. denial of service
3. Simple Mail Transfer Protocol
4. synchronization
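
A simplified model of the behaviour described in the TCP Intercept row, added here as an example and not Cisco's implementation: SYNs are forwarded until the embryonic limit is reached, after which the device answers with a SYN cookie and validates the returning ACK without storing per-SYN state. The cookie construction (an HMAC over the connection tuple and a time tick), the class and function names, and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real device uses a random secret


def syn_cookie(src, sport, dst, dport, client_isn, tick):
    """Derive a 32-bit server ISN from the tuple, so no per-SYN state is stored."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class Intercept:
    """Toy model: forward SYNs until the embryonic limit, then answer with cookies."""

    def __init__(self, embryonic_limit):
        self.limit = embryonic_limit
        self.embryonic = set()  # half-open connections tracked with state

    def on_syn(self, src, sport, dst, dport, isn, tick):
        if len(self.embryonic) < self.limit:
            self.embryonic.add((src, sport, dst, dport))
            return ("forward", None)  # server handles the handshake itself
        # Limit surpassed: reply on the server's behalf and keep no state.
        return ("synack", syn_cookie(src, sport, dst, dport, isn, tick))

    def on_ack(self, src, sport, dst, dport, seq, ack, tick):
        key = (src, sport, dst, dport)
        if key in self.embryonic:
            self.embryonic.discard(key)  # handshake completed normally
            return "established"
        client_isn = (seq - 1) % 2**32
        for t in (tick, tick - 1):  # tolerate one tick rollover
            expected = (syn_cookie(src, sport, dst, dport, client_isn, t) + 1) % 2**32
            if ack == expected:
                return "validated"  # real client: open the server side now
        return "drop"  # spoofed or stale ACK


def demo():
    fw = Intercept(embryonic_limit=2)
    dst = ("10.0.0.5", 80)
    # Constructed flood: spoofed sources that never complete the handshake.
    flood = [fw.on_syn(f"198.51.100.{i}", 4000 + i, *dst, 1000 + i, 7)[0] for i in range(5)]
    # A legitimate client arriving during the flood receives a cookie and echoes it.
    action, cookie = fw.on_syn("192.0.2.10", 51000, *dst, 5000, 7)
    good = fw.on_ack("192.0.2.10", 51000, *dst, 5001, (cookie + 1) % 2**32, 7)
    forged = fw.on_ack("198.51.100.9", 4009, *dst, 1, 12345, 7)
    return flood, action, good, forged
```

In this model the spoofed flood fills the embryonic table, yet the legitimate client is still validated during the flood because its ACK echoes the cookie, which is how cookies limit the amount of valid traffic dropped.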
