Mitigate TCP SYN flood with TCP intercept

DDoS attacks are common today, and one of the simplest is the TCP SYN flood: the attacker sends a stream of SYN packets, usually from spoofed source addresses, and never completes the handshake, so the server's connection backlog fills up with half-open connections and legitimate clients are refused.
Mitigating this attack is straightforward in a Cisco environment, because IOS has a feature called "TCP intercept".
To protect servers from SYN attacks, TCP intercept is enabled on the router that sits between the Internet and the servers.
What does it do? The router tracks every TCP connection attempt to the protected server addresses. In watch mode, if a connection has not completed the three-way handshake within the watch timeout, the router sends a RST to the server to release the half-open connection; in intercept mode the router answers the client's SYN itself and only opens the connection to the server once the client's ACK has arrived.
In our example we have a Web server and an Application server, both reachable from the Internet. The Web server is at 109.55.66.45 and the Application server at 109.55.66.50.

Configuration on the router takes a few steps:

1. Configure an access list that defines the IP addresses of both servers. TCP intercept only acts on TCP, so match tcp rather than ip:
Router(config)# access-list 109 permit tcp any host 109.55.66.45
Router(config)# access-list 109 permit tcp any host 109.55.66.50

2. Then tell the TCP intercept process which access list to monitor:
Router(config)# ip tcp intercept list 109

There are two operational modes of TCP intercept: intercept mode (the default) and watch mode.
a) Intercept mode
In intercept mode the router validates each incoming TCP connection before the server ever sees it: it answers the client's SYN with a SYN-ACK on the server's behalf, and only when the client's ACK arrives does it open the connection to the server and splice the two halves together. This costs router memory and CPU for every connection (the load of the flood moves from the server to the router), but the server never sees a half-open connection. A SYN whose handshake is never completed is held on the router until it times out, 30 seconds by default, and is then dropped.
Router(config)# ip tcp intercept mode intercept

b) Watch mode is simpler: the router forwards all packets to the server and watches whether the three-way handshake completes within the watch timeout (30 seconds by default; the example below lowers it to 5 seconds). If it does not, the router sends a RST to the server so the half-open connection is released.
Router(config)# ip tcp intercept mode watch

Router(config)# ip tcp intercept watch-timeout 5
By default the router waits 30 seconds for a watched connection to finish the three-way handshake; this command lowers it to 5 seconds.
Two further timers apply to every managed connection: after a connection is closed with FIN or RST the router keeps it in its table for another 5 seconds (finrst-timeout), and an established connection stays managed until it has been idle for 24 hours (connection-timeout). To change these two values use:

Router(config)# ip tcp intercept finrst-timeout seconds
Router(config)# ip tcp intercept connection-timeout seconds

Show commands (these are privileged EXEC commands, not config mode):
Router# show tcp intercept connections
Router# show tcp intercept statistics

By default the router runs in normal mode, but under attack it automatically switches to aggressive mode. "Under attack" is defined by two thresholds: the number of incomplete connections (ip tcp intercept max-incomplete high, default 1100) and the number of connection attempts seen in the last minute (ip tcp intercept one-minute high, default 1100). When either is exceeded the router enters aggressive mode and stays there until the count falls back below the matching low threshold (ip tcp intercept max-incomplete low / one-minute low, default 900).
During aggressive mode these settings are automatically changed:

– every new connection deletes the oldest partial connection. This can be changed to deleting a random one with the command ip tcp intercept drop-mode random
– the initial retransmission timeout is halved, so the total time spent trying to establish a connection is cut in half (from about 30 seconds to 15)
– in watch mode the watch timeout is halved
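To make the watch-mode behaviour above concrete (watch timeout, RST to the server, the aggressive-mode thresholds and the oldest/random drop modes), here is a small Python model of the intercept process. It is an added example written for this article, not Cisco IOS code: the timer and threshold names follow the IOS commands, and the defaults are the IOS defaults, but the demo scenario scales the thresholds down to high 3 / low 1 and uses constructed client addresses so the state changes are visible in a handful of events.

```python
"""Model of Cisco TCP Intercept watch mode and its aggressive mode.

Added example for this article: a Python simulation of the behaviour the
text describes, not IOS code. A connection is keyed by (client_ip, client_port)
towards one protected server.
"""
import random
from dataclasses import dataclass, field


@dataclass
class WatchModeIntercept:
    # Names follow the IOS commands; values are the IOS defaults unless overridden.
    watch_timeout: float = 30.0        # ip tcp intercept watch-timeout
    max_incomplete_high: int = 1100    # ip tcp intercept max-incomplete high
    max_incomplete_low: int = 900      # ip tcp intercept max-incomplete low
    drop_mode: str = "oldest"          # ip tcp intercept drop-mode {oldest|random}
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    half_open: dict = field(default_factory=dict)   # key -> time the SYN was seen
    aggressive: bool = False
    mode_log: list = field(default_factory=list)    # aggressive flag at each change
    resets: list = field(default_factory=list)      # (time, key): RST sent to the server
    dropped: list = field(default_factory=list)     # (time, key): partial conn deleted
    established: list = field(default_factory=list)

    def effective_timeout(self) -> float:
        # In aggressive mode the watch timeout is reduced by half.
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def _update_mode(self) -> None:
        n = len(self.half_open)
        if not self.aggressive and n > self.max_incomplete_high:
            self.aggressive = True
            self.mode_log.append(True)
        elif self.aggressive and n < self.max_incomplete_low:
            self.aggressive = False
            self.mode_log.append(False)

    def expire(self, now: float) -> None:
        """Reset half-open connections that have outlived the watch timeout."""
        limit = self.effective_timeout()
        for key, seen in list(self.half_open.items()):
            if now - seen >= limit:
                self.resets.append((now, key))   # router sends RST to the server
                del self.half_open[key]
        self._update_mode()

    def syn(self, now: float, key: tuple) -> None:
        """Client SYN forwarded to the server; start watching the connection."""
        self.expire(now)
        if self.aggressive and self.half_open:
            # Aggressive mode: every new connection deletes one partial connection.
            if self.drop_mode == "random":
                victim = self.rng.choice(list(self.half_open))
            else:
                victim = min(self.half_open, key=self.half_open.get)  # oldest
            del self.half_open[victim]
            self.dropped.append((now, victim))
        self.half_open[key] = now
        self._update_mode()

    def ack(self, now: float, key: tuple) -> None:
        """Final ACK of the handshake seen: the connection is no longer watched."""
        self.expire(now)
        if self.half_open.pop(key, None) is not None:
            self.established.append((now, key))


def run_demo() -> WatchModeIntercept:
    """Constructed SYN-flood scenario. high=3 / low=1 are demo assumptions."""
    ti = WatchModeIntercept(watch_timeout=5.0, max_incomplete_high=3, max_incomplete_low=1)
    ti.syn(0.0, ("198.51.100.7", 40001))   # legitimate client ...
    ti.ack(1.0, ("198.51.100.7", 40001))   # ... completes the handshake after 1 s
    for i, t in enumerate([1.0, 2.0, 2.0, 3.0], start=1):
        ti.syn(t, ("203.0.113.%d" % i, 50000 + i))   # spoofed SYNs, never ACKed
    ti.syn(4.0, ("203.0.113.9", 50009))    # arrives while in aggressive mode
    ti.expire(10.0)                         # nothing else arrives; timers run out
    return ti


if __name__ == "__main__":
    t = run_demo()
    print("mode changes:", t.mode_log)
    print("RST to server:", t.resets)
    print("dropped in aggressive mode:", t.dropped)
```

Running the demo shows the fourth spoofed SYN pushing the table past the high threshold, the next SYN then resetting the oldest watched connection early (the timeout is now 2.5 seconds) and deleting another outright, and the router dropping back to normal mode once the remaining half-open connections have been reset.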

Route blackholing
In the case of a really large DDoS attack, route blackholing can be used to stop traffic to the attacked IP address before it reaches us at all. Example: the IP under attack is 109.205.245.19 and our AS number is 12445. Our upstream is HE (Hurricane Electric), AS6939, and they have told us that any route received from our network tagged with community 6939:666 will be blackholed, so the attack traffic never reaches our BGP router. This is a deliberate trade-off: all traffic to that address, legitimate included, is dropped upstream, sacrificing one host to keep the link and the rest of the network usable.

Router(config)# ip route 109.205.245.19 255.255.255.255 Null0
Router(config)# route-map blackhole permit 10
Router(config-route-map)# set community 6939:666
Router(config)# router bgp 12445
Router(config-router)# network 109.205.245.19 mask 255.255.255.255 route-map blackhole
Router(config-router)# neighbor <HE peer address> send-community

The static route to Null0 puts the /32 into the routing table so that the network statement can originate it, and the route map tags the prefix with the blackhole community. The last line is essential and easy to forget: IOS does not send communities to a BGP neighbor unless send-community is configured for that neighbor, and without it HE receives the /32 with no tag and does nothing with it. The peer address is whatever is configured for the existing HE session; it is not given in this example.