TCP Intercept for DoS Attack Prevention (CCIE Notes)

TCP Intercept

  • It protects a TCP server from TCP SYN-flooding (DoS) attacks.
  • It intercepts and validates TCP connection requests.
  • It establishes a connection with the client on behalf of the destination server and, if successful, establishes a connection with the server on behalf of the client, then knits the two half connections together transparently.
  • Either all requests can be intercepted, or only those coming from specific networks or destined for specific servers.

Modes of Operation:

Intercept Mode

  • This is the default mode.
  • The router performs a three-way handshake with the client; if that succeeds, it sends the original SYN packet to the destination server and performs a three-way handshake with the server.
  • When this is completed, the two half connections are joined.

Watch Mode

  • Connection requests are allowed to pass through the router to the server but are watched until they become established.
  • If a request fails to become established within 30 seconds (default), the software sends a reset to the server to clear its state.

TCP Intercept Aggressive Thresholds:

  • When the measured value rises above the high limit, TCP Intercept enters aggressive behavior.
  • When the value drops below the low limit, the aggressive behavior stops.
  • While in aggressive mode, each newly arriving connection causes the oldest partial connection to be deleted (this can be changed to random drop mode).
ip tcp intercept max-incomplete
  • Threshold for configuring the total number of incomplete connections
  • Default low is 900 and high is 1100
ip tcp intercept one-minute
  • Threshold for configuring the number of connection requests received in the last one-minute sample period.
  • Default low is 900 and high is 1100
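
The max-incomplete hysteresis described above, as a small Python model (an added example, not Cisco code and not part of the original notes). The class and function names are hypothetical, connection IDs are constructed integers, and only the incomplete-connection counter and the drop mode are modelled, using the default low 900 / high 1100.

```python
import random
from collections import OrderedDict

class InterceptTable:
    """Simplified model of the max-incomplete thresholds (hypothetical names)."""
    def __init__(self, low=900, high=1100, drop_mode="oldest", seed=0):
        self.low, self.high, self.drop_mode = low, high, drop_mode
        self.partial = OrderedDict()   # half-open connections, oldest first
        self.aggressive = False
        self.dropped = []              # IDs deleted by aggressive behavior
        self._rng = random.Random(seed)

    def _update_state(self):
        n = len(self.partial)
        if not self.aggressive and n > self.high:
            self.aggressive = True     # rose above the high limit
        elif self.aggressive and n < self.low:
            self.aggressive = False    # fell below the low limit

    def syn(self, conn_id):
        """New connection request arrives."""
        if self.aggressive and self.partial:
            if self.drop_mode == "oldest":
                victim, _ = self.partial.popitem(last=False)
            else:                      # random drop mode
                victim = self._rng.choice(list(self.partial))
                del self.partial[victim]
            self.dropped.append(victim)
        self.partial[conn_id] = True
        self._update_state()

    def established(self, conn_id):
        """Handshake completed or entry timed out: it leaves the table."""
        self.partial.pop(conn_id, None)
        self._update_state()

def simulate_flood(syns=1500, low=900, high=1100):
    """Feed `syns` never-completing requests; return the table and peak size."""
    table, peak = InterceptTable(low, high), 0
    for conn_id in range(syns):        # constructed sample input
        table.syn(conn_id)
        peak = max(peak, len(table.partial))
    return table, peak

if __name__ == "__main__":
    t, peak = simulate_flood()
    print(f"peak={peak} aggressive={t.aggressive} dropped={len(t.dropped)}")
```

Between the low and high limits the state does not change, so the table must drain below 900 entries before aggressive behavior stops.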

Cisco Doc Link:


! Extended ACL selecting the TCP traffic to intercept
access-list 101 permit tcp any any
ip tcp intercept list 101
ip tcp intercept mode { intercept | watch }
ip tcp intercept drop-mode { oldest | random }
! Timeout values are in seconds
ip tcp intercept watch-timeout 400
ip tcp intercept finrst-timeout 50
ip tcp intercept connection-timeout 30
ip tcp intercept max-incomplete low 300 high 400
ip tcp intercept one-minute low 50 high 80


show tcp intercept connections
show tcp intercept statistics

