36-6
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
Understanding How DoS Protection Works
After you enable the uRPF check on an interface (per-VLAN basis), the source address of each incoming packet is looked up in the CEF tables in reverse: the router checks which interfaces lead back to that source. If the packet arrived on one of those reverse-path interfaces, it is forwarded. If there is no reverse-path route on the interface on which the packet was received, the packet fails the uRPF check and is either dropped or forwarded, depending on whether an ACL is applied to the uRPF-check fail traffic. If no ACL is specified, the forged packets are dropped immediately.
You can specify an ACL only for packets that fail the uRPF check; the ACL decides whether such a packet is dropped immediately or forwarded. The uRPF check with an ACL is not supported in hardware on any PFC3: packets that are denied in the uRPF ACL are forwarded in hardware, and packets that are permitted are sent to the CPU.
With a PFC2, the uRPF check is supported in hardware, but with only one return path. All packets that fail the uRPF check and are forwarded because of an applied ACL can be sent to the MSFC, rate limited, to generate ICMP unreachable messages; these actions are software driven. The uRPF check in hardware is supported for routes with up to two return paths (interfaces), and for up to six return paths when interface groups are configured (two from the FIB table and four from the interface groups).
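The following IOS configuration is an added example and is not taken from this guide. It enables the strict uRPF check on one VLAN interface with no exception ACL, enables it on a second VLAN interface with an ACL applied to the uRPF-check fail traffic, and, going beyond the text above, shows the loose-mode variant for an interface behind asymmetric routing, where the strict check would drop legitimate traffic whose return path lies elsewhere. The interface names, VLAN numbers, addresses, and ACL number are assumptions chosen for illustration; the ip verify unicast source reachable-via command is the standard IOS uRPF command.

```ios
! Strict uRPF (reachable-via rx): the packet's source address must be
! reachable through the interface the packet arrived on. With no ACL,
! packets that fail the check are dropped immediately.
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Exception ACL for uRPF-check fail traffic (assumed ACL number 101).
! The 0.0.0.0 source lets DHCP DISCOVER messages, which carry no source
! address yet, through the check; everything else that fails the check is
! denied and logged. See the text above for how the PFC handles the
! permitted and denied packets.
access-list 101 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
access-list 101 deny   ip any any log
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip verify unicast source reachable-via rx 101
!
! Loose uRPF (reachable-via any): the source only needs a route in the FIB
! on some interface. Use this where routing is asymmetric and the strict
! check would drop legitimate traffic.
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip verify unicast source reachable-via any
!
! Verification (exec mode): confirm the check and ACL are applied, then
! watch the drop counters while testing with a spoofed source address.
! Router# show ip interface Vlan20 | include verif
! Router# show ip traffic | include RPF
```

Strict mode is the right default for edge and access VLANs whose sources are reachable only through that VLAN; switch to loose mode only on links where legitimate traffic can arrive on an interface other than the one the router would use to reach its source.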
TCP Intercept
TCP intercept protects recipients of TCP traffic from TCP SYN-flooding DoS attacks. A normal TCP connection starts with a three-way handshake: Host A sends a SYN to Host B requesting a new TCP session, Host B responds with a SYN ACK acknowledging the SYN, and Host A returns an ACK for Host B's SYN ACK, after which the session commences. In a SYN-flooding attack, an attacker floods a server with connection requests whose return addresses are unreachable. The three-way handshake is never completed, so the connections are never established, yet the server must hold state for every half-open connection while it waits. A large enough number of outstanding requests overwhelms the server host and prevents legitimate users from connecting to legitimate services such as web sites and email servers.
TCP intercept prevents SYN flooding by intercepting and validating TCP connection requests. It supports the following modes:
• Intercept mode—The TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes the connection with the client on behalf of the destination server and, if that succeeds, establishes the connection with the server on behalf of the client and joins the two half-connections transparently. Connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets for the duration of the connection.
In the case of illegitimate requests from potential attackers, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests. When establishing the network security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and the threshold of outstanding connections.
• Watch mode—The software passively watches the connection requests flowing through the router. If a connection is not established within a configurable interval, the software intervenes and terminates the connection attempt.
Because TCP intercept can operate in either active intercept mode or passive watch mode, decide which mode suits your network and configure the network accordingly. TCP intercept is hardware-assisted on the PFC2 and PFC3 (all types). Configuring many sources and destinations for active intercept mode can overrun the CPU, so protect only critical servers with active intercept mode.
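The following IOS configuration is an added example and is not part of this guide. It applies TCP intercept in active intercept mode only to SYNs destined for two critical servers, sets the thresholds on outstanding and per-minute connection requests, adjusts the timeouts, and then shows the watch-mode alternative and the exec commands used to observe the intercept table. The server addresses, ACL number, and threshold and timeout values are assumptions chosen for illustration; tune them to the connection rate the protected servers normally see.

```ios
! Extended ACL selecting the traffic TCP intercept acts on (assumed ACL 120).
! Match on destination only, for the critical servers: intercepting many
! sources and destinations in active mode can overrun the CPU.
access-list 120 permit tcp any host 192.0.2.10 eq www
access-list 120 permit tcp any host 192.0.2.20 eq smtp
!
ip tcp intercept list 120
ip tcp intercept mode intercept
!
! Thresholds on TCP connection requests. When either high mark is crossed
! (total half-open connections, or new requests in the last minute), TCP
! intercept becomes aggressive and drops half-open connections until the
! count falls back below the corresponding low mark.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 600
!
! Drop a random half-open connection rather than the oldest, so that a
! sustained flood does not always evict the legitimate attempts that have
! simply been waiting longest.
ip tcp intercept drop-mode random
!
! Timeouts: how long an idle established connection stays in the intercept
! table, and how long the router keeps managing a connection after a FIN
! or RST has been seen.
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 5
!
! Watch-mode alternative: the router lets the handshake pass and only
! intervenes if it does not complete within the watch timeout (seconds).
! ip tcp intercept mode watch
! ip tcp intercept watch-timeout 15
!
! Observe (exec mode): the half-open and established connections the router
! is tracking, and the aggressive-mode and drop counters.
! Router# show tcp intercept connections
! Router# show tcp intercept statistics
```

Keep the intercept ACL narrow. The ACL is what decides how much state the router holds on behalf of servers, and in active mode every matching SYN costs a half-connection on the router until the client completes the handshake or the timeout expires.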