TCP SYN Flood, the Established Bit, and TCP Intercept

A TCP SYN flood is an attack directed at servers by initiating large numbers of TCP connections,
but not completing the connections. Essentially, the attacker initiates many TCP connections, each
with only the TCP SYN flag set, as usual. The server then sends a reply (with TCP SYN and ACK
flags set)—but then the attacker simply does not reply with the expected third message in the
three-way TCP connection setup flow. The server consumes memory and resources while waiting
on its timeouts to occur before clearing up the partially initialized connections. The server might
also reject additional TCP connections, and load balancers in front of a server farm might
unbalance the load of actual working connections as well.
Stateful firewalls can prevent TCP SYN attacks. Both the Cisco PIX Firewall and the Cisco IOS
Firewall feature set can be used to do this. The methods used are not part of the CCIE Routing and
Switching written exam, but instead are covered in the CCIE Security exam. However, the impact
of TCP SYN attacks can also be reduced or eliminated by using a few other tools in Cisco IOS.
One way to prevent SYN attacks is to simply filter packets whose TCP header shows only the SYN
flag set—in other words, filter all packets that are the first packet in a new TCP connection. In
many cases, a router should not allow TCP connections to be established by a client on one side
to a server on the other, as shown in Figure 18-10. In these cases, filtering the initial TCP segment
prevents the SYN attack.
Figure 18-10 Example Network: TCP Clients in the Internet
[Figure 18-10 (diagram not reproduced): a Client in the Internet, R7, R1 (interface S0/0) and a Server inside ASN 1, labelled "Network 1.0.0.0 Exists Only Here"; link addresses 1.1.1.1/24 and 1.1.1.2/24; the three-way handshake is drawn as 1 TCP Flags: SYN, 2 TCP Flags: SYN, ACK, 3 TCP Flags: ACK.]
680 Chapter 18: Security
Cisco IOS ACLs cannot directly match the TCP SYN flag. However, an ACE can use the
established keyword, which matches TCP segments that have the ACK flag set. The established
keyword essentially matches all TCP segments except the very first TCP segment in a new
connection. Example 18-12 shows the configuration that would be used on R1 to deny new
connection requests from the Internet into the network on the left.
The ACL works well when clients outside a network are not allowed to make TCP connections
into the network. However, in cases where some inbound TCP connections are allowed, this ACL
cannot be used. Another Cisco IOS feature, called TCP intercept, provides an alternative that
allows TCP connections into the network, but monitors those TCP connections for TCP SYN
attacks.
TCP intercept operates in one of two different modes. In watch mode, it keeps state information
about TCP connections that match a defined ACL. If a TCP connection does not complete the
three-way handshake within a particular time period, TCP intercept sends a TCP reset to the
server, cleaning up the connection. It also counts the number of new connections attempted over
time, and if a large number occurs in 1 second (“large” defaulting to 1100), the router temporarily
filters new TCP requests to prevent a perceived SYN attack.
In intercept mode, the router replies to TCP connection requests instead of forwarding them to the
actual server. Then, if the three-way handshake completes, the router creates a TCP connection
between itself and the server. At that point, the router knits the two connections together. This takes
more processing and effort, but it provides better protection for the servers.
Example 18-13 shows an example using TCP intercept configuration, in watch mode, plus a few
changes to its default settings. The example allows connections from the Internet into AS1 in
Figure 18-10.
Example 18-12 Using an ACL with the established Keyword
! The first ACE matches TCP segments that are not the first segment, and permits
! them. The second ACE matches all TCP segments between the same set of IP
! addresses, but because all non-initial segments have already been matched, the
! second ACE only matches the initial segments.
ip access-list extended prevent-syn
permit tcp any 1.0.0.0 0.255.255.255 established
deny tcp any 1.0.0.0 0.255.255.255
permit (whatever)
!
interface s0/0
ip access-group prevent-syn in
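As an added illustration (not code from the book), the following Python model shows how the two ACEs above evaluate inbound TCP segments: the wildcard-mask match, the established test, and top-down first-match order. The segments are constructed here, and the trailing "permit (whatever)" is assumed to be a catch-all permit.

```python
# Added example: a model of Example 18-12's ACL evaluation (not from the book).
from dataclasses import dataclass
from ipaddress import IPv4Address

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


@dataclass
class Segment:
    src: str
    dst: str
    flags: int   # raw TCP flag bits


def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set to 1 in the wildcard are 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def is_established(flags: int) -> bool:
    """The 'established' keyword matches any segment with ACK (or RST) set,
    i.e. everything except the first SYN of a new connection."""
    return bool(flags & (ACK | RST))


# ACEs of 'ip access-list extended prevent-syn', in order:
# (action, destination network, wildcard, established required?)
PREVENT_SYN = [
    ("permit", "1.0.0.0", "0.255.255.255", True),
    ("deny",   "1.0.0.0", "0.255.255.255", False),
    ("permit", "0.0.0.0", "255.255.255.255", False),  # assumed catch-all for 'permit (whatever)'
]


def prevent_syn(seg: Segment) -> str:
    """Evaluate an inbound segment top-down; first matching ACE wins."""
    for action, net, wc, need_established in PREVENT_SYN:
        if in_wildcard(seg.dst, net, wc) and (not need_established or is_established(seg.flags)):
            return action
    return "deny"   # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    # Constructed segments from the Internet client toward a server in 1.0.0.0/8
    for flags, name in ((SYN, "SYN"), (SYN | ACK, "SYN,ACK"), (ACK, "ACK")):
        print(name, "->", prevent_syn(Segment("1.1.1.2", "1.0.0.5", flags)))
```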
Example 18-13 Configuring TCP Intercept
! The following command enables TCP intercept for packets matching ACL
! match-tcp-from-internet. Also, the mode is set to watch, rather than the
! default of intercept. Finally, the watch timeout has been reset from the
! default of 30 seconds; if the TCP connection remains incomplete as of the
! 20-second mark, TCP intercept resets the connection.
ip tcp intercept list match-tcp-from-internet
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
! The ACL matches packets sent into 1.0.0.0/8 that are TCP. It is referenced by
! the ip tcp intercept list command listed above.
ip access-list extended match-tcp-from-internet
permit tcp any 1.0.0.0 0.255.255.255
! Note below that the ACL is not enabled on any interfaces.
interface s0/0
! Note: there is no ACL enabled on the interface!
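To make the watch-mode behavior described above concrete, here is an added Python model (not the book's or Cisco's code) of the two checks TCP intercept performs in watch mode with the settings of Example 18-13: resetting embryonic connections that pass the 20-second watch timeout, and temporarily dropping new SYNs once the per-second count exceeds 1100. Packets are constructed events with a timestamp; the flow key and window logic are simplifications assumed here.

```python
# Added example: simplified TCP intercept watch-mode logic (not from the book).
from collections import deque
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10   # TCP flag bits


@dataclass
class Event:
    t: float     # seconds since start (constructed timestamp)
    src: str
    dst: str
    flags: int


@dataclass
class WatchMode:
    watch_timeout: float = 20.0    # 'ip tcp intercept watch-timeout 20'
    high: int = 1100               # chapter's default "large" number of new SYNs
    half_open: dict = field(default_factory=dict)    # (src, dst) -> time of SYN
    recent: deque = field(default_factory=deque)     # SYN times in the last second
    resets: list = field(default_factory=list)       # flows the router reset
    dropping: bool = False

    def _expire(self, now: float) -> None:
        """Send a reset toward the server for handshakes older than the watch timeout."""
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.watch_timeout:
                self.resets.append(key)
                del self.half_open[key]

    def observe(self, ev: Event) -> str:
        """Return 'forward' or 'drop' for one inbound segment matching the intercept ACL."""
        self._expire(ev.t)
        key = (ev.src, ev.dst)
        if ev.flags & SYN and not ev.flags & ACK:
            self.recent.append(ev.t)                      # count a new connection attempt
            while self.recent and ev.t - self.recent[0] > 1.0:
                self.recent.popleft()                     # keep a one-second window
            self.dropping = len(self.recent) > self.high
            if self.dropping:
                return "drop"                             # perceived SYN attack
            self.half_open[key] = ev.t
            return "forward"
        if ev.flags & ACK and key in self.half_open:
            del self.half_open[key]                       # third message: handshake done
        return "forward"
```

On real IOS the thresholds are set with ip tcp intercept one-minute high and ip tcp intercept max-incomplete high (both default 1100), which count new attempts per minute and total half-open connections rather than per second.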