Friday, July 4, 2008

TCP Intercept: Watch vs Intercept

TCP Intercept protects TCP servers from SYN-flood denial of service. The attacker sends a stream of SYN packets with spoofed source addresses and never answers the SYN-ACK (the spoofed source never sent the SYN, so nothing replies), and the server's connection queue fills up with "half-open" connections until no real client can connect. Here we configure R4 to detect this attack and protect the server by handling those half-open connections itself. I am not sure how to spoof an address from a Cisco router, so we'll just configure TCP Intercept and do some monitoring.

[R5]---[R4]---[R1]

10.0.0.0/24 is the LAN between R1 and R4. We'll create an extended ACL that matches telnet traffic from any source (R5 in this test) to the 10.0.0.0/24 network, which includes R1, the server we want to protect from the SYN attack. Only traffic matching this list is intercepted; everything else is forwarded untouched.

R4(config)#access-list 100 permit tcp any 10.0.0.0 0.0.0.255 eq 23

R4(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode

R4(config)#ip tcp intercept list 100
R4(config)#ip tcp intercept max-incomplete high 200
R4(config)#ip tcp intercept max-incomplete low 150
R4(config)#ip tcp intercept connection-timeout 60
R4(config)#ip tcp intercept drop-mode random

The list command ties TCP Intercept to ACL 100. The max-incomplete watermarks control "aggressive" mode: once more than 200 half-open connections exist, each new SYN causes R4 to drop one existing half-open entry (chosen at random here; the default drop-mode is oldest) until the count falls back below 150. connection-timeout sets how long an idle established connection stays managed by TCP Intercept. We did not set the mode, so R4 is using the default, intercept mode, which is what the debug below shows.

Debugging and Verification:

R4#debug ip tcp intercept
TCP intercept debugging is on

*Mar 1 06:28:33.866: INTERCEPT: new connection (155.1.45.5:31039 SYN -> 10.0.0.1:23)
*Mar 1 06:28:33.874: INTERCEPT(*): (155.1.45.5:31039 <- ACK+SYN 10.0.0.1:23)
*Mar 1 06:28:33.954: INTERCEPT: 1st half of connection is established (155.1.45.5:31039 ACK -> 10.0.0.1:23)
*Mar 1 06:28:33.958: INTERCEPT(*): (155.1.45.5:31039 SYN -> 10.0.0.1:23)
*Mar 1 06:28:34.034: INTERCEPT: 2nd half of connection established (155.1.45.5:31039 <- ACK+SYN 10.0.0.1:23)
*Mar 1 06:28:34.038: INTERCEPT(*): (155.1.45.5:31039 ACK -> 10.0.0.1:23)
*Mar 1 06:28:34.042: INTERCEPT(*): (155.1.45.5:31039 <- WINDOW 10.0.0.1:23)

I don't like the output above. I expected to see R4's address somewhere in the output since it is "intercepting" the connections. Perhaps I am misunderstanding this...both "halves" look the same to me.

Anyway, here's a show command:

R4#show tcp intercept connections
Incomplete:
Client              Server              State    Create    Timeout   Mode

Established:
Client              Server              State    Create    Timeout   Mode
155.1.45.5:31039    10.0.0.1:23         ESTAB    00:00:49  00:59:14  I
R4#

Now let's see what it looks like in watch mode:

R4(config)#ip tcp intercept mode watch

R4#
*Mar 1 06:30:58.082: INTERCEPT: new connection (155.1.45.5:12568 SYN -> 10.0.0.1:23)
*Mar 1 06:30:58.182: INTERCEPT: (155.1.45.5:12568 <- ACK+SYN 10.0.0.1:23)
*Mar 1 06:30:58.310: INTERCEPT: (155.1.45.5:12568 ACK -> 10.0.0.1:23)
R4#show tcp intercept connections
Incomplete:
Client              Server              State    Create    Timeout   Mode

Established:
Client              Server              State    Create    Timeout   Mode
R4#

Notice that "show tcp intercept connections" shows nothing this time, and that R4 itself sent nothing during the handshake. In watch mode R4 forwards the client's SYN to the server and only watches the connection while it is incomplete: it would be listed under Incomplete with mode W until the client's ACK arrives, or until the watch-timeout (30 seconds by default) expires, at which point R4 sends a RST to the server to clear the half-open entry. Here the handshake completed in about 200 ms, so the entry was gone before the show command ran. Established connections are tracked (and shown under Established) only in intercept mode.
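To make the difference between the two modes concrete, here is a small Python model of the TCP Intercept connection table. It is an added, constructed example, not IOS code, and it simplifies the feature: no SYN retransmission, no FIN/RST timers, and one timeout for both modes. Class and method names (TcpIntercept, syn, client_ack, server_synack, tick, show_connections) and the state names are my own. It also shows why R4's own address never appears in the debug above: in intercept mode the router answers the client using the server's address and then opens the second half to the server using the client's address, so every packet it generates carries the two endpoints' addresses, never its own. Watermarks and the oldest/random drop modes behave as described for the max-incomplete and one-minute commands.

```python
"""Toy model of the IOS TCP Intercept connection table (added, constructed
example, not IOS code). Simplified: no SYN retransmission, no FIN/RST timers,
and the same timeout applies to both modes."""
import random
from collections import deque

SYNRCVD, SYNSENT, ESTAB = "SYNRCVD", "SYNSENT", "ESTAB"  # assumed state names


class TcpIntercept:
    def __init__(self, mode="intercept", max_high=1100, max_low=900,
                 one_minute_high=1100, one_minute_low=900,
                 drop_mode="oldest", watch_timeout=30, seed=0):
        self.mode = mode                        # "intercept" or "watch"
        self.max_high, self.max_low = max_high, max_low
        self.one_minute_high, self.one_minute_low = one_minute_high, one_minute_low
        self.drop_mode = drop_mode              # "oldest" or "random"
        self.watch_timeout = watch_timeout      # seconds
        self.rng = random.Random(seed)
        self.conns = {}       # (client, server) -> {"state": ..., "create": t}
        self.arrivals = deque()                 # SYN times for the 1-minute sample
        self.aggressive = False
        self.sent = []        # packets the router generated itself: (src, dst, flags)

    def incomplete(self):
        return [k for k, c in self.conns.items() if c["state"] != ESTAB]

    def _rate(self, now):
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def _relax(self, now):
        if len(self.incomplete()) < self.max_low and self._rate(now) < self.one_minute_low:
            self.aggressive = False

    def _clamp(self, now, newest):
        """Above a high watermark enter aggressive mode; while in it, every new
        SYN evicts one existing half-open entry (oldest or random)."""
        inc = self.incomplete()
        if len(inc) > self.max_high or self._rate(now) > self.one_minute_high:
            self.aggressive = True
        victims = [k for k in inc if k != newest]
        if self.aggressive and victims:
            if self.drop_mode == "oldest":
                victim = min(victims, key=lambda k: self.conns[k]["create"])
            else:
                victim = self.rng.choice(victims)
            del self.conns[victim]
        self._relax(now)

    def syn(self, client, server, now):
        """A client SYN that matches the intercept access list."""
        key = (client, server)
        self.arrivals.append(now)
        self.conns[key] = {"state": SYNRCVD, "create": now}
        if self.mode == "intercept":
            # Answer for the server with the server's own address; the router's
            # address is never on the wire.
            self.sent.append((server, client, "SYN-ACK"))
        # In watch mode the SYN is forwarded untouched and only watched.
        self._clamp(now, key)

    def client_ack(self, client, server, now):
        """The client's ACK completing its side of the handshake."""
        key = (client, server)
        if key not in self.conns:
            return
        if self.mode == "intercept":
            # First half done: open the second half to the real server,
            # this time using the client's address.
            self.conns[key]["state"] = SYNSENT
            self.sent.append((client, server, "SYN"))
        else:
            del self.conns[key]   # watch mode stops tracking completed connections
        self._relax(now)

    def server_synack(self, client, server, now):
        """Server's SYN-ACK to the proxied SYN (intercept mode only)."""
        key = (client, server)
        if self.mode == "intercept" and key in self.conns and self.conns[key]["state"] == SYNSENT:
            self.sent.append((client, server, "ACK"))
            self.conns[key]["state"] = ESTAB     # both halves knitted together
            self._relax(now)

    def tick(self, now):
        """Expire half-open entries. In watch mode the server really holds the
        half-open socket, so the router resets it on the client's behalf."""
        for key in self.incomplete():
            if now - self.conns[key]["create"] >= self.watch_timeout:
                if self.mode == "watch":
                    self.sent.append((key[0], key[1], "RST"))
                del self.conns[key]
        self._relax(now)

    def show_connections(self):
        """Rows in the spirit of 'show tcp intercept connections'."""
        m = "I" if self.mode == "intercept" else "W"
        return [(f"{c[0]}:{c[1]}", f"{s[0]}:{s[1]}", v["state"], m)
                for (c, s), v in self.conns.items()]
```

Feed it six SYNs with max-incomplete high 4 / low 2 and you can watch aggressive mode kick in on the fifth SYN and evict the oldest (or a random) half-open entry; complete a few handshakes and the count drops below the low watermark and aggressive mode clears. The same object in watch mode never generates a packet until a half-open entry hits the watch-timeout, when it emits the RST toward the server.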

3 comments:

  1. The Best thing about this technology is -
    The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

    http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scdenial.html

  2. This comment has been removed by the author.

  3. By using a spoofed IP address and repeatedly sending purposely assembled SYN packets, attackers can cause the server to consume large amounts of resources keeping track of the bogus connections. This is known as a SYN flood attack.
    ccna security training in thailand

