The TCP Intercept Feature in PIX Version 5.3 and Later
The implementation of SYN Floodguard in versions before 5.3 was not very good. When the maximum number of embryonic (half-open) connections for a host was reached, the PIX firewall simply dropped any additional SYN packets directed to the affected host. Thus, while protecting the host against overloading, the PIX firewall prevented any new connection from being established to the host for the duration of a SYN flood: legitimate clients were dropped together with the flood. Conversely, when no maximum number of embryonic connections was specified (the em_limit argument of the static and nat commands), the PIX did not limit the number of half-open connections at all, so the flood reached the server's own backlog and a SYN flood attack against the host could succeed.
Version 5.3 implements a new feature called TCP Intercept. Since version 5.3, the PIX firewall behaves differently when the embryonic connection limit for a host is reached. If this happens, then until the number of embryonic connections falls below the threshold, each new SYN packet to the affected host is intercepted instead of being discarded. The PIX itself replies to the sender with SYN/ACK, in place of the destination server, and the server sees nothing yet. Only if the client finally replies with a valid ACK does the PIX firewall send the original SYN to its destination (the server), perform a correct three-way handshake between the PIX and the server, and resume the connection between the client and the server. Spoofed-source SYNs, which never produce a valid ACK, therefore consume no state on the server, while real clients still get through.
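The following is an added example, not code from the PIX or from this text, that models the two behaviours described above and runs them against a spoofed-source SYN flood followed by one legitimate client. The `Server`, `Firewall` and `simulate` names, the embryonic limit values and the flood size are constructed for illustration; sequence-number reconciliation between the client-side and server-side handshakes, which a real PIX must perform after splicing, is not modelled.

```python
"""Model of PIX SYN Floodguard (pre-5.3) versus TCP Intercept (5.3 and later).

Hypothetical model for illustration only: no timeouts, no sequence-number
translation on the spliced connection, and a single protected host.
"""
import random
from dataclasses import dataclass, field

MOD32 = 1 << 32


@dataclass
class Server:
    """Protected host with a bounded backlog of half-open (embryonic) connections."""
    backlog_limit: int
    half_open: dict = field(default_factory=dict)   # client -> server ISN
    established: set = field(default_factory=set)

    def on_syn(self, client):
        """Return the ISN sent in SYN/ACK, or None if the backlog is exhausted."""
        if len(self.half_open) >= self.backlog_limit:
            return None
        isn = random.randrange(MOD32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, ack):
        """Complete the handshake only if the ACK matches our ISN + 1."""
        isn = self.half_open.get(client)
        if isn is None or ack != (isn + 1) % MOD32:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class Firewall:
    """PIX in front of the server. mode: "floodguard" (pre-5.3) or "intercept" (5.3+)."""

    def __init__(self, server, emb_limit, mode):
        self.server = server
        self.emb_limit = emb_limit   # 0 = unlimited (em_limit not configured)
        self.mode = mode
        self.embryonic = set()       # SYNs passed through but not yet ACKed
        self.pending = {}            # intercept mode: client -> firewall's own ISN
        self.dropped = 0

    def over_threshold(self):
        return bool(self.emb_limit) and len(self.embryonic) >= self.emb_limit

    def on_syn(self, client):
        """Return the SYN/ACK ISN the client sees, or None if the SYN was dropped."""
        if not self.over_threshold():
            isn = self.server.on_syn(client)       # below the limit: pass through
            if isn is None:
                self.dropped += 1                   # server backlog full
                return None
            self.embryonic.add(client)
            return isn
        if self.mode == "floodguard":
            self.dropped += 1                       # pre-5.3: excess SYNs discarded
            return None
        isn = random.randrange(MOD32)               # 5.3+: answer for the server
        self.pending[client] = isn
        return isn

    def on_ack(self, client, ack):
        if client in self.pending:
            if ack != (self.pending[client] + 1) % MOD32:
                return False                        # not a valid ACK: ignore it
            del self.pending[client]
            # Client proved it is real: now send the original SYN to the server
            # and finish the three-way handshake with it on the client's behalf.
            server_isn = self.server.on_syn(client)
            if server_isn is None:
                return False
            return self.server.on_ack(client, (server_isn + 1) % MOD32)
        ok = self.server.on_ack(client, ack)        # pass-through connection
        if ok:
            self.embryonic.discard(client)
        return ok


def simulate(mode, emb_limit, flood=50, server_backlog=20, seed=7):
    """Flood with spoofed SYNs that never ACK, then try one legitimate client."""
    random.seed(seed)
    server = Server(backlog_limit=server_backlog)
    fw = Firewall(server, emb_limit, mode)
    for i in range(flood):
        fw.on_syn(f"spoofed-{i}")                   # constructed attack traffic
    synack = fw.on_syn("legit")
    connected = synack is not None and fw.on_ack("legit", (synack + 1) % MOD32)
    return {"legit_connected": bool(connected),
            "server_half_open": len(server.half_open),
            "dropped": fw.dropped}


if __name__ == "__main__":
    for mode, limit in (("floodguard", 0), ("floodguard", 5), ("intercept", 5)):
        print(mode, "em_limit =", limit, simulate(mode, limit))
```

Running it shows the three cases from the text: with no em_limit the flood fills the server backlog and the legitimate client is refused; with an em_limit the pre-5.3 PIX keeps the server's half-open count at the limit but drops the legitimate client too; with TCP Intercept the legitimate client completes its handshake while the server never sees the spoofed SYNs that arrived after the limit was hit.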