July 31, 2011

TCP Intercept

Erick N. Borgard CCNP


In this blog entry, we are going to talk about a feature on Cisco routers called TCP intercept. TCP intercept was designed to help prevent denial of service (DoS) attacks. Before we get into the example, I think it's very important to review some fundamental TCP knowledge and cover some terminology.

First let's talk about how two network devices establish a TCP connection. Remember that TCP is a reliable protocol, so a connection has to be made between two devices in order for them to transmit data. In order for them to form this connection, a TCP 3-way handshake must take place. The TCP 3-way handshake starts with a client sending a SYN (Synchronize) packet with its own IP address in the source IP address field. The server then returns a SYN/ACK packet to the client, acknowledging the SYN packet. Finally, the client sends the server an ACK packet to complete the 3-way handshake. From there, the client and server can exchange data. This is a bit oversimplified, but for the purposes of this blog, that is fine.


Now, a SYN-flood DoS attack is when an attacker sends a plethora of SYN packets with bogus source IP addresses. When this happens, the server replies with a SYN/ACK to each one, but the connection never completes because the server never receives the ACK packet back from the spoofed source. This leaves a lot of half-open connections, effectively eating up a ton of the server's resources that it could otherwise allocate to other things. Ultimately, the server runs out of resources and ceases to be able to provide legitimate services to the clients who need them.


Enter TCP intercept. Cisco provides a feature that allows the engineer to configure a router to act as a proxy for the server. Cisco's TCP intercept can run in two different modes.

Intercept Mode - Intercepts all TCP connections matching the configured ACL. In this mode, the router establishes a TCP connection with the client on behalf of the server. In essence, this is what I would call a TCP proxy. The router responds to TCP SYN packets itself and, once the client's handshake completes, patches the connection through between the client and the server.

Watch Mode - In this mode the router will passively watch the TCP connections as they pass between the client and the server.  If the connection does not complete within the configured threshold, the router terminates the connection.

When under a DoS attack, the router becomes more aggressive in its behavior to protect the network. By default, the router allows 1100 incomplete connections, or 1100 connection attempts in a one-minute period. Above that, it begins closing the oldest connection attempts received. In addition, the retransmit interval is reduced by one half. The router drops the oldest connections by default, but this is easily changed so that the router drops random connections instead. The command to make the router drop random connections is ip tcp intercept drop-mode random.

The two things the router uses to determine whether an attack is happening are the following.
  • Total incomplete connections
  • The number of connection attempts in a one-minute sampling period
These values are configurable, which gives the engineer more granularity when implementing the security policy for the enterprise. It is also worth mentioning that the two factors above work together: the thresholds defined by the engineer determine when the router becomes more aggressive and when it becomes less aggressive again.
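To make the two-factor decision above concrete, here is an added Python model of the aggressive-mode logic (example code written for this post, not Cisco's implementation). The 1100 high-water defaults come from the text; the low-water marks at which the router relaxes again, and the base retransmit interval, are assumed parameters.

```python
import random
from collections import OrderedDict

class InterceptModel:
    """Constructed model of TCP intercept's aggressive-mode behaviour (assumption-based)."""
    def __init__(self, max_incomplete_high=1100, one_minute_high=1100,
                 max_incomplete_low=900, one_minute_low=900,   # low marks: assumed values
                 drop_mode="oldest", retransmit_base=1.0, seed=0):
        self.high = (max_incomplete_high, one_minute_high)
        self.low = (max_incomplete_low, one_minute_low)
        self.drop_mode = drop_mode              # "oldest" (default) or "random"
        self.retransmit_base = retransmit_base  # seconds, assumed base interval
        self.rng = random.Random(seed)
        self.incomplete = OrderedDict()         # client -> SYN time; insertion order = age
        self.attempts = []                      # SYN timestamps in the one-minute window
        self.aggressive = False
        self.dropped = []

    def _attempts_last_minute(self, now):
        self.attempts = [t for t in self.attempts if now - t < 60]
        return len(self.attempts)

    def _update_mode(self, now):
        inc, per_min = len(self.incomplete), self._attempts_last_minute(now)
        if inc > self.high[0] or per_min > self.high[1]:
            self.aggressive = True      # either factor above its high threshold
        elif inc < self.low[0] and per_min < self.low[1]:
            self.aggressive = False     # both factors back below their low threshold

    def retransmit_interval(self):
        # Under attack the SYN/ACK retransmit interval is halved.
        return self.retransmit_base / 2 if self.aggressive else self.retransmit_base

    def syn(self, client, now):
        """A SYN for the protected server arrived; returns True if this attempt survives."""
        self.incomplete[client] = now
        self.attempts.append(now)
        self._update_mode(now)
        if self.aggressive and len(self.incomplete) > self.high[0]:
            victim = (next(iter(self.incomplete)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.incomplete)))
            del self.incomplete[victim]
            self.dropped.append(victim)
            return victim != client
        return True

    def ack(self, client, now):
        """Final ACK of the 3-way handshake: the half-open entry becomes established."""
        self.incomplete.pop(client, None)
        self._update_mode(now)
```

Driving the model with a burst of SYNs that never complete shows the mode flip, the halved retransmit interval, and the oldest-versus-random drop choice; a trickle of completed handshakes brings it back below the low marks.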

Now that we have reviewed the basics of how a TCP 3-way handshake functions, what a DoS attack is, and how a SYN flood operates, we can look at an example.

In this example there will be a web server that will be simulated at R2.  It will be simulated with a loopback interface with IP address 155.2.2.2.  The requirements are as follows.
  • Enable TCP intercept on R1 to protect the web server located behind R2.
  • The mode should be intercept
  • The drop mode should be set to random
  • Set the timeout for connections to be 5 minutes
Configuration:

ip access-list extended TCP-Intercept
 permit tcp any host 155.2.2.2
!
!
ip tcp intercept list TCP-Intercept
ip tcp intercept connection-timeout 300
ip tcp intercept drop-mode random
!
!
end

In order to test this, a telnet connection to R2's loopback from R3 can be established.  Remember that TCP intercept is going to inspect data plane traffic, so the traffic needs to pass through the router.

With this feature, there are only two (2) show commands for verification. They are:
  1. show tcp intercept connections
  2. show tcp intercept statistics
In this example I am going to enable debug ip tcp intercept on R1 and test with the telnet connection from R3 to R2.

INTERCEPT: new connection (10.0.13.3:21903 SYN -> 155.2.2.2:23)
INTERCEPT(*): (10.0.13.3:21903 <- ACK+SYN 155.2.2.2:23)
INTERCEPT: 1st half of connection is established (10.0.13.3:21903 ACK -> 155.2.2.2:23)
INTERCEPT(*): (10.0.13.3:21903 SYN -> 155.2.2.2:23)
INTERCEPT: 2nd half of connection established  (10.0.13.3:21903 <- ACK+SYN 155.2.2.2:23)
INTERCEPT(*): (10.0.13.3:21903 ACK -> 155.2.2.2:23)
INTERCEPT(*): (10.0.13.3:21903 <- WINDOW 155.2.2.2:23)

In the above debug output, we can see that a new connection attempt was made by R3. R1 intercepted the SYN and replied with a SYN/ACK to R3 at IP address 10.0.13.3. It then reports that the 1st half of the connection is established. Next the router establishes the TCP connection with R2. After the 2nd half of the connection is established, the router finally patches the two halves together and allows the TCP connection between R3 and R2. Let's take a look at the show commands for verification.

R1#show tcp intercept statistics
Intercepting new connections using access-list TCP-Intercept
0 incomplete, 1 established connections (total 1)
1 connection requests per minute

R1#show tcp intercept connections 
Incomplete:
Client                Server                State    Create   Timeout  Mode

Established:
Client                Server                State    Create   Timeout  Mode
10.0.13.3:21903       155.2.2.2:23          ESTAB    00:02:54 00:02:06 I

The above output shows that a connection to server 155.2.2.2 is established. It also shows that the router is intercepting TCP connections using the access list TCP-Intercept that we created. There are no incomplete connections.


In summary, this blog examined the basics of the TCP 3-way handshake, the definition and examination of a DoS attack, and how a Cisco router can be configured to intercept TCP connections and act as a proxy for servers that need to be protected from potential DoS attacks.
