You want to mitigate Denial of Service attacks by throttling half-open TCP connections.
You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:
Router1#configure terminal
Router1(config)#access-list <acl-number> permit ip any host <server-address>
Router1(config)#ip tcp intercept list <acl-number>
Router1(config)#ip tcp intercept max-incomplete high <count>
Router1(config)#ip tcp intercept one-minute high <rate>
Router1(config)#ip tcp intercept max-incomplete low <count>
Router1(config)#ip tcp intercept one-minute low <rate>
Router1(config)#end
Router1#
The access-list number, the protected server's address and the threshold values are shown as angle-bracket placeholders; the extended access list selects which destination servers the router intercepts SYNs for, and the high/low values are the half-open connection count and the one-minute connection-attempt rate at which the router starts and stops its more aggressive handling.
This feature allows the router to take an active role in managing the TCP session initiation between a client and server. In the normal TCP call setup procedure, a client device sends a TCP SYN packet to start the session. The server then responds with a SYN-ACK, and the client’s next packet simply has the ACK flag set. Then the Layer 7 application information can start to flow. A relatively common denial of service attack involves sending large numbers of SYN packets, but never actually starting the session. This can fill up the server’s connection table with these so-called “half-open” TCP sessions, and eventually prevents any legitimate sessions from starting.
However, when you enable the TCP Intercept feature, the router doesn’t forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were ...
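The following Python model is an added illustration, not code from the original recipe or from Cisco IOS. It shows how a SYN proxy of the kind described above keeps a table of half-open connections, answers each client SYN itself, and uses the max-incomplete and one-minute high/low thresholds from the configuration: once either high threshold is exceeded the model enters an aggressive mode in which every new SYN evicts the oldest half-open entry, and it leaves that mode only when both the half-open count and the one-minute rate fall below their low values. The threshold numbers, the sample addresses, the 30-second expiry of unanswered entries and the "evict the oldest entry" policy are assumptions of this simplified model, not IOS internals.

```python
from collections import OrderedDict, deque


class TcpInterceptModel:
    """Simplified model of a SYN-proxy's half-open table with Cisco-style
    high/low thresholds. Illustrative only; not IOS code."""

    def __init__(self, max_incomplete_high, max_incomplete_low,
                 one_minute_high, one_minute_low):
        self.max_high = max_incomplete_high
        self.max_low = max_incomplete_low
        self.min_high = one_minute_high
        self.min_low = one_minute_low
        self.half_open = OrderedDict()  # (client, server) -> SYN time; order = age
        self.recent_syns = deque()      # SYN timestamps within the last 60 s
        self.aggressive = False
        self.evicted = 0

    def _one_minute_rate(self, now):
        # Drop timestamps older than a minute and return the remaining count.
        while self.recent_syns and now - self.recent_syns[0] >= 60:
            self.recent_syns.popleft()
        return len(self.recent_syns)

    def _update_mode(self, now):
        # Assumption: enter aggressive mode when EITHER high value is exceeded,
        # leave it only when BOTH quantities are below their low values.
        count = len(self.half_open)
        rate = self._one_minute_rate(now)
        if not self.aggressive and (count > self.max_high or rate > self.min_high):
            self.aggressive = True
        elif self.aggressive and count < self.max_low and rate < self.min_low:
            self.aggressive = False

    def on_syn(self, client, server, now):
        """Client SYN arrives: the router answers with its own SYN-ACK and
        records a half-open entry. Returns the action taken."""
        self.recent_syns.append(now)
        self._update_mode(now)
        action = "syn-ack-sent"
        if self.aggressive and self.half_open:
            # Aggressive mode: each new SYN pushes out the oldest half-open entry,
            # so a flood cannot pin the table full.
            self.half_open.popitem(last=False)
            self.evicted += 1
            action = "syn-ack-sent,oldest-evicted"
        self.half_open[(client, server)] = now
        return action

    def on_ack(self, client, server, now):
        """Client's final ACK arrives: the handshake is complete and the router
        would now open its own session to the server (not modelled here)."""
        if self.half_open.pop((client, server), None) is None:
            return "no-half-open-entry"
        self._update_mode(now)
        return "established"

    def expire(self, now, watch_timeout=30.0):
        """Drop half-open entries whose client never answered within the
        assumed watch timeout. Returns the number of entries removed."""
        stale = [k for k, t in self.half_open.items() if now - t >= watch_timeout]
        for key in stale:
            del self.half_open[key]
        self._update_mode(now)
        return len(stale)


def run_demo():
    """Constructed scenario: eight SYNs for one server, none completed,
    against deliberately small thresholds so the mode change is visible."""
    model = TcpInterceptModel(max_incomplete_high=5, max_incomplete_low=2,
                              one_minute_high=100, one_minute_low=50)
    actions = []
    for i in range(8):
        # Sample client addresses are constructed for the demo.
        actions.append(model.on_syn(f"10.0.0.{i + 1}", "192.0.2.10", now=float(i)))
    return model, actions


if __name__ == "__main__":
    m, acts = run_demo()
    for i, a in enumerate(acts):
        print(f"SYN {i + 1}: {a}")
    print("aggressive:", m.aggressive, "half-open:", len(m.half_open), "evicted:", m.evicted)
    print("late legitimate ACK:", m.on_ack("10.0.0.8", "192.0.2.10", 8.0))
    print("expired after 100 s:", m.expire(100.0), "aggressive:", m.aggressive)
```

In the demo the sixth SYN is still answered normally because the half-open count has not yet exceeded the high value of five; from the seventh SYN on the model is in aggressive mode and each new request costs the oldest unanswered one its table slot. A legitimate client whose entry was evicted simply retransmits its SYN, which is what makes this approach tolerable for real users while starving a flood of table space.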