You can choose to operate TCP intercept in watch mode, as opposed to
intercept mode. In watch mode, the software passively watches the connection
requests flowing through the router. If a connection fails to get
established in a configurable interval, the software intervenes and
terminates the connection attempt by sending a RESET to the server.

After enabling tcp intercept, use the "ip tcp intercept mode watch" command
to say you want watch mode, and then use "ip tcp intercept watch-timeout
seconds" to set how long the router should watch a half-open connection
before terminating it.

With this method, you would protect the server from keeping connections open
for a long time (you mentioned 2.5 minutes) due to a hacker sending a SYN
request but never completing the three-way handshake. In a lot of cases, the
hacker is using a spoofed address and never sees the SYN ACK, so it doesn't
send the final ACK. The hacker doesn't care. He's already done his damage by
bugging the server and causing the server to keep a connection half open.

You would also close a legitimate half-open connection where the client took
that long to send the final ACK, but that's probably OK. It's unlikely that
a legitimate and properly functioning client would take that long, so you
wouldn't be closing much that you shouldn't close.

If that's not what you had in mind, please rewrite your question. It's a bit
hard to understand as written. Thanks.
_______________________________

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com
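
As an added example (not from the original post, and not taken from Cisco documentation), this is the IOS configuration the reply describes, applied on R1 for the server address given in the question; the access-list number 101 is an assumption:

```text
! Extended ACL selecting the traffic TCP intercept should watch:
! only TCP connections destined for the server in the question.
access-list 101 permit tcp any host 150.100.1.254
!
! Enable TCP intercept for the ACL-matched traffic and select watch mode,
! so the router observes the handshake instead of proxying it.
ip tcp intercept list 101
ip tcp intercept mode watch
!
! Half-open timer: the question asks for 2.5 minutes, i.e. 150 seconds.
! (The default watch-timeout is 30 seconds.) When a connection is still
! half-open after this interval the router sends a RST to the server.
ip tcp intercept watch-timeout 150
```

Verify with `show tcp intercept connections` (half-open connections currently being watched) and `show tcp intercept statistics` (counts of attempts the router has reset).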

 
Robert Massiache wrote:
> 
> Hi,
> I know that to avoid SYN attacks we can beef up the security by setting
> the time using the 'tcp intercept' command. It has got 2 modes,
> 'intercept' and 'watch' mode.
> 
> My requirement is that there is a hacker who uses SYN to attack the
> server 150.100.1.254. I need to configure R1 to protect the server.
> Tuning on R1, I need to close the TCP connections, even the legitimate
> ones, which are open after 2.5 min.
> 
> How can I employ the above command here? Could someone help me
> out...
> 
> thanks
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56115&t=56103
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html