[nsp] TCP Intercept

Michael Sinatra michael at rancid.berkeley.edu
Tue Aug 5 17:18:42 EDT 2003

On Tue, 5 Aug 2003, Rob Thomas wrote:

> I'll second all of Sam's cautionary points, re: TCP Intercept.
> It is very likely you don't want to enable it at all.

It probably varies greatly by platform, but I can relate an experience
from a few years ago where I enabled TCP intercept in desperation on an
old platform (7500/RSP2) to help save a host from a SYN flood.  The host
was running an older version of a major brand-name operating system that
was either improperly tuned or just plain didn't handle SYN floods well.
I had strong reservations about doing this, but I did it anyway.  It
certainly did protect the host from the SYN flood...and all other network
traffic.  Basically, the router kicked over under the load.  Not a big
surprise to me (fortunately, I had console access to the router and
TCP intercept was easily disabled).

I would definitely shy away from using it under most circumstances.


More information about the cisco-nsp mailing list