[nsp] TCP Intercept

Steve Francis steve at expertcity.com
Tue Aug 5 14:57:01 EDT 2003

Sam Stickland wrote:

>I've got some questions about the TCP intercept feature.
>Secondly, I'm not sure what good it would do to place this on the core
>routers of a large network.
Well, it would make it much easier for people to take down the network.  
So it depends who you are trying to do good for. :-)

Generally, hosts (or well tuned modern hosts, at any rate) have much 
better Syn flood resilience than you have on your router.
If you enable TCP intercept, you'll just be providing a way for 
attackers to take out your core router fairly easily (by overwhelming 
its CPU), and causing much greater damage than allowing them to attack 
the host you were attempting to protect.

To protect your routers, either use receive ACLs if your hardware 
supports them, or filter, on every interface, anything to the router's 
own addresses and limit it to your own management networks (assuming 
your routers can do that in hardware.)

If neither of the above is true for your hardware, buy new hardware. :-)

> What's the typical connections per second rate
>that would start to overwhelm a typical server? If the incoming connections
>per second rate for the entire network is comparable then the necessary 'ip
>tcp intercept max-incomplete high' setting isn't going to do much to protect
>the servers, is it?
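As an added illustration (not from Steve's message or anyone else in the thread), the IOS configuration below sets the TCP intercept setup the thread is discussing beside the two router-protection alternatives Steve recommends: a receive ACL, and an infrastructure ACL applied inbound on every interface. All addresses are assumed documentation-range placeholders (192.0.2.0/24 as the protected server block, 198.51.100.0/24 as the management network, 203.0.113.0/24 as the routers' own address block); substitute your own. Whether `ip receive access-list` is accepted depends on platform and IOS train, as noted in the thread.

```cisco
! ---------------------------------------------------------------
! What the thread is warning against: TCP intercept on a core box.
! Every SYN matching list 100 is now tracked (and, in intercept
! mode, proxied) by the router's CPU, which is the attacker's target.
! ---------------------------------------------------------------
ip tcp intercept list 100
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
! 192.0.2.0/24 = assumed server block being "protected"
access-list 100 permit tcp any 192.0.2.0 0.0.0.255
!
! ---------------------------------------------------------------
! Alternative 1: receive ACL (where the hardware/IOS supports it).
! Applies only to packets destined to the router itself; transit
! traffic is untouched, so the router stops being the easy target.
! 198.51.100.0/24 = assumed management network
! ---------------------------------------------------------------
access-list 110 remark rACL - only management nets may reach the router
access-list 110 permit tcp 198.51.100.0 0.0.0.255 any eq 22
access-list 110 permit tcp 198.51.100.0 0.0.0.255 any eq 23
access-list 110 permit udp 198.51.100.0 0.0.0.255 any eq snmp
! Routing protocol peers: tighten these to the actual peer addresses.
access-list 110 permit tcp any any eq bgp
access-list 110 permit tcp any eq bgp any
! Minimal ICMP so path MTU discovery and troubleshooting keep working.
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any packet-too-big
! No "log" keyword here: logging every denied packet is itself CPU work.
access-list 110 deny ip any any
ip receive access-list 110
!
! ---------------------------------------------------------------
! Alternative 2: infrastructure ACL on every interface, for boxes
! without rACL support but with hardware ACL processing.
! 203.0.113.0/24 = assumed block holding all router loopbacks/links.
! Deny everything aimed at the router block except management and
! peering, then permit all transit traffic unchanged.
! ---------------------------------------------------------------
ip access-list extended INFRA-IN
 remark management access to router addresses
 permit tcp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 22
 permit tcp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 23
 permit udp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq snmp
 remark routing peers - tighten to real peer addresses
 permit tcp any 203.0.113.0 0.0.0.255 eq bgp
 permit tcp any eq bgp 203.0.113.0 0.0.0.255
 permit icmp any 203.0.113.0 0.0.0.255 echo
 permit icmp any 203.0.113.0 0.0.0.255 ttl-exceeded
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 remark everything else aimed at the routers themselves is dropped
 deny ip any 203.0.113.0 0.0.0.255
 remark transit traffic (including SYNs to the servers) passes untouched
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group INFRA-IN in
!
interface GigabitEthernet0/1
 ip access-group INFRA-IN in
```

Note that neither ACL does anything for the servers in 192.0.2.0/24; consistent with the message above, the SYN flood is left to the hosts, and the ACLs only keep the routers from becoming the easier victim. Apply the infrastructure ACL to every interface, not just the external ones, or the filter is bypassed from inside.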
