Cisco Cisco ASR 5700
ACS Rulebase Configuration Mode Commands
▀ firewall tcp-syn-flood-intercept
▄ Command Line Interface Reference, StarOS Release 17
718
Default:
none
watch-timeout intercept_watch_timeout
Specifies the TCP intercept watch timeout, in seconds.
intercept_watch_timeout
must be an integer from 5 through 30.
Default: 30
Usage
This TCP intercept functionality provides protection against TCP SYN Flooding attacks.
The system captures TCP SYN requests and responds with TCP SYN-ACKs. If a connection initiator
completes the handshake with a TCP ACK, the TCP connection request is considered as valid by system and
system forwards the initial TCP SYN to the valid target which triggers the target to send a TCP SYN-ACK.
Now system intercepts with TCP SYN-ACK and sends the TCP ACK to complete the TCP handshake. Any
TCP packet received before the handshake completion will be discarded.
The system captures TCP SYN requests and responds with TCP SYN-ACKs. If a connection initiator
completes the handshake with a TCP ACK, the TCP connection request is considered as valid by system and
system forwards the initial TCP SYN to the valid target which triggers the target to send a TCP SYN-ACK.
Now system intercepts with TCP SYN-ACK and sends the TCP ACK to complete the TCP handshake. Any
TCP packet received before the handshake completion will be discarded.
Example
The following command sets the TCP intercept watch timeout setting to
5
seconds:
firewall tcp-syn-flood-intercept watch-timeout 5