Cisco 7604 Configuration Manual, page 523
IOS Software Configuration Guide

Chapter 36
Configuring Denial of Service Protection
The default mode of operation is intercept mode. In intercept mode, the software actively intercepts each
incoming connection request (SYN) and responds on behalf of the server with the SYN-ACK, and then
waits for the ACK from the client. After the preparation is complete, the original SYN is sent to the
server, and the software performs the three-way handshake with the server. The two halves are then joined
into one connection.
In watch mode, the connection requests pass through the router to the server, but are watched until they
become established. If they fail to become established within 30 seconds (this value is configurable), the
software sends a reset to the server to clear up its state. Configuring routers for watch mode has less CPU
impact than intercept mode, because in watch mode the CPU does not perform the checks and connection
setup on both halves of the connection. The CPU passively monitors the connection and acts on failed
connections after the fact.
TCP intercept is configured globally by first creating the extended access list for the traffic to be
intercepted, and then creating the TCP intercept list. The type of traffic to be intercepted must be one of
the following:
- All requests
- Only the requests that come from specific networks
- Only the requests that are destined for specific servers
The following example defines the source in the access list as any; it does not attempt to filter the source address,
because it is difficult to know exactly whose packets to intercept. The destination is specified in order to
protect the destination servers from the TCP SYN-flood attack. If an access list match is not found,
traffic is permitted to pass without further action.
Router(config)# access-list 101 permit tcp any 10.1.1.1 0.0.0.255
Router(config)# ip tcp intercept list 101
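The decision the two commands above set up, as an added example in Python (not code from the Cisco guide): a Cisco-style wildcard-mask match applied to the destination of each SYN, using the page's access list 101, plus a model of watch mode in which flows that do not establish within the watch timeout are returned so the router can reset them on the server. The flow tuples, sample addresses and the WatchTable class are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)

# Access list 101 from the page: 'permit tcp any 10.1.1.1 0.0.0.255'. The source is 'any', so only
# the destination is tested. Entries are (action, destination, destination-wildcard), in ACL order.
ACL_101: List[Tuple[str, str, str]] = [("permit", "10.1.1.1", "0.0.0.255")]

def intercepts(dst: str, acl=ACL_101) -> bool:
    """First matching entry wins; with no match the SYN passes without intercept (implicit deny)."""
    for action, base, wildcard in acl:
        if wildcard_match(dst, base, wildcard):
            return action == "permit"
    return False

class WatchTable:
    """Watch mode (constructed model): passively track embryonic connections, reset the ones that never establish."""
    def __init__(self, watch_timeout: int = 30) -> None:   # 30 s is the default the page gives
        self.watch_timeout = watch_timeout
        self.embryonic: Dict[Tuple[str, str, int], float] = {}  # (src, dst, dport) -> time SYN was seen

    def syn(self, src: str, dst: str, dport: int, now: float) -> None:
        if intercepts(dst):                            # only ACL-matched destinations are watched
            self.embryonic[(src, dst, dport)] = now

    def established(self, src: str, dst: str, dport: int) -> None:
        self.embryonic.pop((src, dst, dport), None)    # handshake completed: stop watching

    def expire(self, now: float) -> List[Tuple[str, str, int]]:
        """Return flows older than watch-timeout (the router resets these on the server) and forget them."""
        stale = [f for f, t in self.embryonic.items() if now - t >= self.watch_timeout]
        for f in stale:
            del self.embryonic[f]
        return stale

if __name__ == "__main__":
    table = WatchTable()
    table.syn("198.51.100.7", "10.1.1.20", 80, now=0.0)   # constructed sample flows
    table.syn("198.51.100.8", "10.1.1.21", 80, now=5.0)
    table.established("198.51.100.8", "10.1.1.21", 80)
    print(table.expire(now=31.0))   # [('198.51.100.7', '10.1.1.20', 80)]
```

Note that the page's destination 10.1.1.1 with wildcard 0.0.0.255 matches the whole 10.1.1.0/24, since the host bits fall under don't-care wildcard bits.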
Table 36-1 lists the commands used to configure TCP intercept.

Table 36-1 TCP Intercept Configuration

Command: Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard
Purpose: Defines an IP extended access list.

Command: Router(config)# ip tcp intercept list access-list-number
Purpose: Enables TCP intercept.

Command: Router(config)# ip tcp intercept mode {intercept | watch}
Purpose: Sets the TCP intercept mode.

Command: Router(config)# ip tcp intercept drop-mode {oldest | random}
Purpose: Sets the drop mode.

Command: Router(config)# ip tcp intercept watch-timeout seconds
Purpose: Changes the time allowed to reach established state; valid values are from 1 to 2147483 seconds.

Command: Router(config)# ip tcp intercept finrst-timeout seconds
Purpose: Changes the time between receipt of a reset or FIN-exchange and dropping the connection; valid values are from 1 to 2147483 seconds.

Command: Router(config)# ip tcp intercept connection-timeout seconds
Purpose: Changes the time the software will manage a connection after no activity; valid values are from 1 to 2147483 seconds.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08, page 36-7 (section: Understanding How DoS Protection Works)