TCP Intercept Feature
Before version 5.2, the Cisco PIX Firewall Security Appliance offered no mechanism to
protect systems that could be reached using a static and TCP conduit from TCP SYN attacks.
When the embryonic connection limit was configured in a static command statement, the
earlier PIX versions simply dropped new connection attempts as soon as the embryonic
threshold was reached. A mild TCP SYN attack could potentially create service disruption
to the server in question. For static command statements without an embryonic connection
limit, PIX Firewall passes all traffic. If the affected system does not have TCP SYN attack
protection (most operating systems do not offer sufficient protection), the affected system’s
embryonic connection table overloads, and all traffic stops.
Configuring Inbound Access Through a Cisco Security Appliance 183
With the TCP intercept feature, as soon as the optional embryonic connection limit is
reached, and until the embryonic connection count falls below this threshold, every SYN
bound for the affected server is intercepted. For each SYN, a Security Appliance, such as the
PIX Firewall, responds on behalf of the server with an empty SYN/ACK segment. The
Security Appliance retains pertinent state information, drops the packet, and waits for the
client’s acknowledgment. If the ACK is received, a copy of the client’s SYN segment is sent
to the server, and a TCP three-way handshake is performed between the Security Appliance
and the server. If this three-way handshake completes, the connection resumes as normal. If
the client does not respond during any part of the connection phase, the Security Appliance
retransmits the necessary segment.
In addition to the TCP intercept feature, software version 6.3 and later introduced SYN
cookies as a means to stop a SYN flood from filling the SYN queue and causing dropped
connections. SYN cookies use a cryptographic method to create the initial TCP sequence
numbers for a TCP flow. This new method helps the Security Appliance manage the TCP
queue by responding to TCP connections with a SYN+ACK when the SYN queue fills up.
The Security Appliance waits for an ACK from the remote device and verifies the ACK
against the assigned 24-bit secret. The Security Appliance then rebuilds the SYN queue
based on this information. This allows the SYN queue to become larger, but never to a size
that will cause dropped packets, and removes the biggest effect of a SYN flood attack, which
is to disable large windows.
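As an added illustration (example code, not PIX software or configuration), the following Python model shows the behaviour the two paragraphs above describe: below the embryonic limit a SYN is passed through and half-open state is kept; once the limit is reached the gate answers with a SYN/ACK whose sequence number is a keyed cookie, keeps no state, and rebuilds the connection only when a client returns an ACK that verifies against the secret. SynGate, syn_cookie, verify_cookie and the placeholder SECRET are this example's own names and assumptions.

```python
import hashlib
import hmac
# Added example, not PIX code: a SYN-cookie gate with an embryonic-connection
# limit, modelled on the behaviour described above. All names are this
# example's own; SECRET is a constructed placeholder, not a real key.
SECRET = b"constructed-placeholder-secret"

def syn_cookie(flow, client_isn, counter, secret=SECRET):
    """ISN for the SYN/ACK: 8-bit time counter, then a 24-bit HMAC tag over the
    4-tuple, the client's ISN and the counter (no per-connection state kept)."""
    msg = f"{flow}|{client_isn}|{counter}".encode()
    tag = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0xFF) << 24) | tag

def verify_cookie(flow, client_isn, ack, now, secret=SECRET):
    """A genuine ACK acknowledges cookie+1; accept the current or previous period."""
    cookie = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    return any(hmac.compare_digest(syn_cookie(flow, client_isn, c, secret).to_bytes(4, "big"), cookie)
               for c in (now, now - 1))

class SynGate:
    def __init__(self, embryonic_limit):
        self.limit = embryonic_limit
        self.embryonic = {}     # half-open state for SYNs passed to the server
        self.established = set()
        self.counter = 0        # coarse clock; bump it as time passes

    def on_syn(self, flow, client_isn):
        if len(self.embryonic) < self.limit:      # below limit: server sees the SYN
            self.embryonic[flow] = client_isn
            return None
        return syn_cookie(flow, client_isn, self.counter)   # intercept, stateless

    def on_ack(self, flow, client_isn, ack):
        if self.embryonic.pop(flow, None) is not None:
            self.established.add(flow)
            return True
        if verify_cookie(flow, client_isn, ack, self.counter):
            self.established.add(flow)   # rebuild the entry from the cookie alone
            return True
        return False                     # forged or stale ACK: dropped

def flood_then_connect(limit=3, flood=1000):
    """Spoofed SYNs beyond the limit leave no state; a real client still connects."""
    gate = SynGate(limit)
    for i in range(flood):   # constructed spoofed sources (documentation ranges)
        gate.on_syn(("198.51.100.%d" % (i % 250), 40000 + i, "10.0.0.5", 80), i)
    flow, isn = ("192.0.2.7", 51234, "10.0.0.5", 80), 777
    cookie = gate.on_syn(flow, isn)
    return len(gate.embryonic), gate.on_ack(flow, isn, (cookie + 1) & 0xFFFFFFFF)
```

flood_then_connect() returns the half-open table size after the flood (never above the limit) and whether the legitimate client's handshake was accepted.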