Cisco Cisco Packet Data Gateway (PDG) Leaflet
Firewall-and-NAT Policy Configuration Mode Commands
firewall tcp-syn-flood-intercept ▀
Cisco ASR 5x00 Command Line Interface Reference ▄
4855
watch-timeout intercept_watch_timeout
Specifies the TCP intercept watch timeout, in seconds.
intercept_watch_timeout
must be an integer from 5 through 30.
Default: 30
Usage
This TCP intercept functionality provides protection against TCP SYN Flooding attacks. This command
enables and configures TCP intercept parameters to prevent TCP SYN flooding attacks by intercepting and
validating TCP connection requests for DoS protection mechanism configured with the
enables and configures TCP intercept parameters to prevent TCP SYN flooding attacks by intercepting and
validating TCP connection requests for DoS protection mechanism configured with the
dos-protection
command.
The system captures TCP SYN requests and responds with TCP SYN-ACKs. If a connection initiator
completes the handshake with a TCP ACK, the TCP connection request is considered as valid by system and
system forwards the initial TCP SYN to the valid target which triggers the target to send a TCP SYN-ACK.
Now system intercepts with TCP SYN-ACK and sends the TCP ACK to complete the TCP handshake. Any
TCP packet received before the handshake completion will be discarded.
The system captures TCP SYN requests and responds with TCP SYN-ACKs. If a connection initiator
completes the handshake with a TCP ACK, the TCP connection request is considered as valid by system and
system forwards the initial TCP SYN to the valid target which triggers the target to send a TCP SYN-ACK.
Now system intercepts with TCP SYN-ACK and sends the TCP ACK to complete the TCP handshake. Any
TCP packet received before the handshake completion will be discarded.
Example
The following command sets the intercept watch timeout setting to
15
seconds:
firewall tcp-syn-flood-intercept watch-timeout 15