TCP Intercept

This feature was developed primarily in response to a particular type of Denial of Service attack called a SYN flood. In this exploit, the attacker sends a large number of TCP SYN packets to a server, perhaps from a variety of external sites.

The standard call setup for TCP uses a three-way handshake. The client first sends a SYN packet, to which the server replies with a SYN-ACK packet. The client then acknowledges this with an ACK, and the higher-layer protocols can start. If the client sends only the SYN packet and then stops talking, the server keeps waiting for the conversation to begin, holding state for the pending connection and using up valuable resources.

This is called a half-open TCP session. If a server has too many open or half-open sessions in its memory, it will no longer be able to accept new connections. So sending a large number of TCP SYN packets is a very easy way to effectively bring down a server.

To help to mitigate this problem, Cisco introduced the TCP Intercept feature in IOS Version 11.2F. When it is enabled, the router sits in the middle of the TCP call setup and responds to the SYN packets from the client. If the call setup is timely and legitimate, the router connects to the server, ties the two connections together and steps out of the picture. However, if there is no traffic after the initial SYN packet, the router employs aggressive timeouts and drops the session.

This feature allows the router to monitor how many TCP sessions are coming through globally, as well as connections to individual servers, and it can throttle back its responses appropriately when the network gets busy, or when it decides that it is under attack.
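The following IOS configuration is an added example, not text from the original page, showing how the behaviour described above (interception of the handshake, the aggressive timeouts, and the global thresholds that switch the router into a more defensive mode) is expressed in the TCP Intercept command set. The server subnet 10.1.1.0/24 and access list number 101 are assumed values chosen for illustration; the threshold and timeout values shown are the IOS defaults, so the router behaves the same way with or without those lines, which makes this a convenient starting point to tune from.

```cisco
! Constructed example: protect the servers in 10.1.1.0/24 with TCP Intercept.
! Only connections matching this access list are intercepted; everything
! else passes through the router untouched.
access-list 101 permit tcp any 10.1.1.0 0.0.0.255
!
! Apply TCP Intercept to traffic matching access list 101.
ip tcp intercept list 101
!
! "intercept" mode: the router answers the client's SYN itself and only
! opens the connection to the server once the client's ACK arrives.
! "watch" mode: the router lets the SYN through and resets the server-side
! connection if the handshake has not completed within the watch-timeout.
ip tcp intercept mode intercept
!
! In watch mode, how long a half-open connection may stay incomplete
! before the router sends a reset to the server (default 30 seconds).
ip tcp intercept watch-timeout 30
!
! Global thresholds: aggressive mode starts when the number of incomplete
! connections exceeds the high mark and ends when it drops below the low mark
! (defaults 1100 / 900).
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
!
! Same hysteresis applied to the rate of connection attempts in the last
! minute (defaults 1100 / 900).
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! In aggressive mode each new SYN causes one half-open connection to be
! dropped: the oldest one (default) or a random one.
ip tcp intercept drop-mode oldest
!
! How long an established, idle connection is managed before it is
! dropped (default 86400 seconds, i.e. 24 hours).
ip tcp intercept connection-timeout 86400
```

Once the feature is active, `show tcp intercept connections` lists the incomplete and established sessions the router is currently tracking, and `show tcp intercept statistics` reports the counters the thresholds above are evaluated against; watching those counters under normal load is the practical way to decide whether the default high and low marks fit a given server population before an attack forces the question.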