Generally, the access list should use any as the source and name specific destination networks or servers; it protects the destination host(s), not the source. A packet that matches no entry in the access list is not intercepted: the router forwards it with no further action.
Example 7-12 defines extended IP access list 101, which instructs the TCP Intercept engine to intercept connections to all TCP servers on the 10.1.1.0/24 subnet. The example also tunes the aggressive-mode thresholds to 400 and 500 for the low and high incomplete-connection counts, respectively: TCP Intercept enters aggressive mode when the number of incomplete connections exceeds 500 and leaves it when the number drops below 400.
Example 7-12. Configuring TCP Intercept on Router
Router(config)# access-list 101 permit tcp any 10.1.1.0 0.0.0.255
Router(config)# ip tcp intercept list 101
Router(config)# ip tcp intercept max-incomplete low 400
Router(config)# ip tcp intercept max-incomplete high 500
The ip tcp intercept mode {intercept | watch} command in global configuration mode sets the TCP Intercept mode; intercept is the default.
The show tcp intercept connections command displays both incomplete and established intercepted connections, and show tcp intercept statistics displays TCP Intercept statistics.
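The following is an added example, not from the book, showing a complete watch-mode configuration that protects a single server. The host address 10.1.1.10, the access list number 102 and the threshold and timeout values are assumptions chosen for illustration. It goes beyond Example 7-12 by restricting the list to the server's ports, and by tuning the watch timeout, the one-minute rate trigger and the aggressive-mode drop behavior.

```cisco
! Added example (not from the book). Host 10.1.1.10, list 102 and all
! numeric values are assumptions chosen for illustration.
!
! Extended ACL: source any, destination only the protected server on TCP/80
! and TCP/443. Packets matching no entry are forwarded and not intercepted.
access-list 102 permit tcp any host 10.1.1.10 eq 80
access-list 102 permit tcp any host 10.1.1.10 eq 443
!
! Apply the list. In watch mode the handshake passes through to the server
! and the router resets the server-side connection only if the handshake
! does not complete within watch-timeout (default 30 seconds). In intercept
! mode (the default) the router answers the SYN on the server's behalf.
ip tcp intercept list 102
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive-mode triggers: enter when more than 400 half-open connections
! exist, or more than 600 connection requests arrived in the last minute;
! leave when the counts fall below 300 and 400 respectively.
ip tcp intercept max-incomplete high 400
ip tcp intercept max-incomplete low 300
ip tcp intercept one-minute high 600
ip tcp intercept one-minute low 400
!
! In aggressive mode each new SYN causes one half-open connection to be
! dropped. Dropping a random one instead of the oldest (the default) stops a
! steady flood of fresh SYNs from always pushing out the older, possibly
! legitimate, half-open connections.
ip tcp intercept drop-mode random
!
! Shorten how long an established intercepted connection is tracked after it
! goes idle (default 24 hours) and how long state is kept after a FIN or RST
! (default 5 seconds), so the connection table does not fill with stale
! entries during an attack.
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 3
```

After applying the configuration, show tcp intercept statistics shows the current mode and the counts that drive the aggressive-mode triggers, and show tcp intercept connections lists the half-open entries that would be dropped first.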
TCP Intercept on Firewall
The TCP Intercept feature is also available on the PIX 500, ASA 5500, and FWSM firewall software to help
protect servers behind the firewall from SYN-flood attacks.