[nsp] TCP Intercept
Michael Sinatra
michael at rancid.berkeley.edu
Tue Aug 5 17:18:42 EDT 2003
On Tue, 5 Aug 2003, Rob Thomas wrote:
> I'll second all of Sam's cautionary points, re: TCP Intercept.
> It is very likely you don't want to enable it at all.
It probably varies greatly by platform, but I can relate an experience
from a few years ago where I enabled TCP intercept in desperation on an
old platform (7500/RSP2) to help save a host from a SYN flood. The host
was running an older version of a major brand-name operating system that
was either improperly tuned or just plain didn't handle SYN floods well.
I had strong reservations about doing this, but I did it anyway. It
certainly did protect the host from the SYN flood...and all other network
traffic. Basically, the router kicked over under the load. Not a big
surprise to me (fortunately, I had console access to the router and
TCP intercept was easily disabled).
I would definitely shy away from using it under most circumstances.
michael