Stopping Denial of Service Attacks

Problem

You want to mitigate Denial of Service attacks by throttling half-open TCP connections.

Solution

You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command, using an access list to select the servers to protect and setting thresholds for half-open connections:

Router1#configure terminal
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#

Discussion

This feature allows the router to take an active role in managing the TCP session initiation between a client and server. In the normal TCP call setup procedure, a client device sends a TCP SYN packet to start the session. The server then responds with a SYN-ACK, and the client’s next packet simply has the ACK flag set. Then the Layer 7 application information can start to flow. A relatively common denial of service attack involves sending large numbers of SYN packets but never actually completing the handshake. This can fill up the server’s connection table with these so-called “half-open” TCP sessions and eventually prevent any legitimate sessions from starting.

However, when you enable the TCP Intercept feature, the router doesn’t forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were ...
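The following Python simulation is an added example, not code from the book or from Cisco IOS. It models how the max-incomplete and one-minute high/low thresholds from the recipe interact: the monitor records a half-open entry for every SYN, clears it on the client's final ACK, enters aggressive mode when either high watermark is exceeded, and leaves it only when both counts fall below the low watermarks. The half-open expiry timer (30 s, halved in aggressive mode), the sliding 60 s window, the client and attacker addresses, and the event timings are all constructed assumptions for the simulation.

```python
"""Simulation of TCP Intercept's high/low watermark behaviour (added example)."""
from collections import deque


class InterceptMonitor:
    """Tracks half-open TCP connections using the thresholds from the recipe.
    Assumed simplifications: a half-open entry expires after
    incomplete_timeout seconds (halved while in aggressive mode), and the
    one-minute counter is a sliding 60 s window of connection requests."""

    def __init__(self, max_incomplete_high=10, max_incomplete_low=5,
                 one_minute_high=15, one_minute_low=10,
                 incomplete_timeout=30.0):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.incomplete_timeout = incomplete_timeout
        self.half_open = {}      # flow tuple -> time the SYN arrived (insertion ordered)
        self.arrivals = deque()  # timestamps of connection requests, oldest first
        self.aggressive = False

    def _expire(self, now):
        # Drop requests older than the one-minute window.
        while self.arrivals and now - self.arrivals[0] > 60.0:
            self.arrivals.popleft()
        # Half-open entries that never completed time out; faster in aggressive mode.
        timeout = self.incomplete_timeout / 2 if self.aggressive else self.incomplete_timeout
        for flow in [f for f, t in self.half_open.items() if now - t > timeout]:
            del self.half_open[flow]

    def _update_mode(self, now):
        self._expire(now)
        incomplete, rate = len(self.half_open), len(self.arrivals)
        # Enter aggressive mode when EITHER high watermark is exceeded ...
        if not self.aggressive and (incomplete > self.max_incomplete_high
                                    or rate > self.one_minute_high):
            self.aggressive = True
        # ... and leave it only when BOTH counts drop below the low watermarks.
        elif self.aggressive and (incomplete < self.max_incomplete_low
                                  and rate < self.one_minute_low):
            self.aggressive = False
        return self.aggressive

    def syn(self, flow, now):
        """Client SYN seen: the router would answer with its own SYN-ACK and
        keep a half-open entry. In aggressive mode each new request evicts
        the oldest half-open entry so the table cannot grow without bound."""
        self.arrivals.append(now)
        if self.aggressive and self.half_open:
            del self.half_open[next(iter(self.half_open))]
        self.half_open[flow] = now
        return self._update_mode(now)

    def ack(self, flow, now):
        """Client's final ACK seen: handshake complete, entry removed."""
        self.half_open.pop(flow, None)
        return self._update_mode(now)

    def tick(self, now):
        """Re-evaluate thresholds as time passes with no new packets."""
        return self._update_mode(now)


def simulate():
    """Constructed scenario with the recipe's thresholds: three legitimate
    handshakes to 192.168.99.2, then a 20-packet SYN flood from spoofed
    sources that never completes, then quiet time."""
    server = ("192.168.99.2", 80)
    mon = InterceptMonitor()
    trace = {"entered_at": None, "left_at": None,
             "peak_half_open": 0, "legit_completed": 0}

    def record(now, aggressive):
        trace["peak_half_open"] = max(trace["peak_half_open"], len(mon.half_open))
        if aggressive and trace["entered_at"] is None:
            trace["entered_at"] = now
        if not aggressive and trace["entered_at"] is not None and trace["left_at"] is None:
            trace["left_at"] = now

    for i in range(3):                      # legitimate clients (constructed addresses)
        flow = ("10.0.0.%d" % (i + 1), 40000 + i) + server
        record(float(i), mon.syn(flow, float(i)))
        record(i + 0.1, mon.ack(flow, i + 0.1))
        trace["legit_completed"] += 1

    for i in range(20):                     # SYN flood, one packet per second, no ACKs
        now = 10.0 + i
        flow = ("203.0.113.%d" % (i + 1), 50000 + i) + server
        record(now, mon.syn(flow, now))

    for now in (40.0, 60.0, 80.0, 100.0):   # quiet period; entries expire, window slides
        record(now, mon.tick(now))
    return trace


if __name__ == "__main__":
    print(simulate())
```

In this scenario the 11th unanswered SYN pushes the half-open count past max-incomplete high (10) and the router enters aggressive mode while the one-minute count is still only 14; it stays aggressive until both the half-open count is below 5 and the one-minute count is below 10, which here happens only after the flood's requests age out of the 60 s window.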
