As discussed earlier in this chapter, a SYN-flooding attack occurs when
an attacker floods a TCP server with connection requests (SYN segments). Because these segments carry
unreachable or spoofed source addresses, the server's SYN-ACK replies go unanswered and the connections never
complete. Each one sits in the server's queue as a half-open connection, and the accumulated volume of
half-open connections eventually fills that queue, so the server drops new SYNs and denies service to valid
requests, preventing legitimate users from connecting to a website, accessing e-mail, using FTP service, or
reaching any other TCP-based application.
How TCP Intercept Works
Figure 7-8 illustrates how the TCP Intercept feature works by intercepting and validating all incoming TCP
connection requests flowing between a TCP client and a TCP server. In intercept mode, the TCP Intercept
engine intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list.
The software first completes the three-way handshake with the client on behalf of the destination server
(proxying the SYN-ACK) and, only if that succeeds, opens a connection to the server on behalf of the client,
transparently knitting the two half-connections together. Because the server never receives a SYN until the
client has answered, connection attempts from unreachable or spoofed hosts never consume half-open state on the
server; that state is held, and aged out, by the router instead.
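The following added example (not code from the book or from Cisco IOS) models both passages above: a server with a bounded half-open queue being flooded by SYNs from unreachable sources, first with no protection and then behind an intercept-mode proxy that answers the client's SYN itself and contacts the server only after the client's ACK arrives. The addresses, the backlog size and the ACL predicate (port 80) are constructed assumptions; IOS's own timers and thresholds are not modelled.

```python
"""Toy model of a SYN flood and of TCP Intercept's SYN proxying.

Constructed example for illustration: the server, the router and the
addresses are plain Python objects, not Cisco IOS code.  TCP segments are
represented as strings such as "SYN-ACK".
"""

from dataclasses import dataclass, field


@dataclass
class TcpServer:
    """A listener with a bounded queue of half-open (SYN_RCVD) connections."""
    backlog: int
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)
    refused: int = 0

    def on_syn(self, src):
        """Return 'SYN-ACK', or None when the half-open queue is already full."""
        if src in self.half_open or src in self.established:
            return "SYN-ACK"          # retransmitted SYN, nothing new to allocate
        if len(self.half_open) >= self.backlog:
            self.refused += 1         # the denial of service: the SYN is dropped
            return None
        self.half_open.add(src)
        return "SYN-ACK"

    def on_ack(self, src):
        """Third handshake step: move the connection to ESTABLISHED."""
        if src not in self.half_open:
            return False
        self.half_open.remove(src)
        self.established.add(src)
        return True


class TcpIntercept:
    """Intercept mode: answer SYNs that match the ACL on the server's behalf and
    touch the server only once the client has completed its handshake."""

    def __init__(self, server, acl):
        self.server = server
        self.acl = acl            # predicate (src, dst_port) -> bool; stands in for the extended ACL
        self.pending = set()      # client handshakes the router is still waiting on
        self.knitted = set()      # client<->server pairs joined end to end

    def on_syn(self, src, dst_port):
        if not self.acl(src, dst_port):
            return self.server.on_syn(src)   # no ACL match: passed through untouched
        self.pending.add(src)
        return "SYN-ACK"                     # proxied reply; the server is not consulted

    def on_ack(self, src):
        if src not in self.pending:
            return False                     # stray or spoofed ACK with no state behind it
        self.pending.discard(src)
        # The client side is complete; now open the server side on the client's behalf.
        if self.server.on_syn(src) != "SYN-ACK":
            return False
        self.server.on_ack(src)              # the router answers the server's SYN-ACK
        self.knitted.add(src)
        return True


def simulate(protected, backlog=3, spoofed=10):
    """Flood a port-80 server with SYNs from sources that never reply, then let
    one real client connect.  Returns what the server ended up holding."""
    server = TcpServer(backlog=backlog)
    router = TcpIntercept(server, acl=lambda src, port: port == 80)   # assumed ACL
    legit = "10.0.0.7"                                               # constructed address
    spoofs = [f"203.0.113.{i}" for i in range(1, spoofed + 1)]       # constructed, unreachable

    def syn(src):
        return router.on_syn(src, 80) if protected else server.on_syn(src)

    def ack(src):
        return router.on_ack(src) if protected else server.on_ack(src)

    for s in spoofs:
        syn(s)                 # any SYN-ACK goes to a host that never answers
    if syn(legit) == "SYN-ACK":
        ack(legit)             # a real host finishes the handshake
    return {
        "server_half_open": len(server.half_open),
        "server_established": sorted(server.established),
        "server_refused": server.refused,
        "held_by_router": len(router.pending),
    }


if __name__ == "__main__":
    print("unprotected:", simulate(protected=False))
    print("intercept:  ", simulate(protected=True))
```

Unprotected, the three-slot backlog fills with spoofed entries and the legitimate client's SYN is among those dropped; behind the proxy the server sees exactly one SYN, the one the router sends after the real client has answered, and the ten unanswered spoofed handshakes are held by the router. That is the caveat to keep in mind: intercept mode moves the half-open state rather than eliminating it, so the router's own timeouts and thresholds for unanswered intercepted SYNs matter, and an attacker whose sources are reachable and do complete the handshake is not stopped by this mechanism.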