Implementation Of Tcp Intercept Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you stop unauthorized users from accessing any part of your computer system. This project experiments with DoS attack prevention using TCP Intercept and with filtering traffic using policy-based routing. Regarding DoS attack prevention with TCP Intercept: the most common attack against service provider IP networks is denial of service (DoS). This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it, so a good way to protect your environment from such attacks is to use the TCP Intercept feature. It is a router feature used to prevent and mitigate TCP SYN-flooding attacks by monitoring the rate of SYN packets and intervening in the TCP communication whenever necessary in order to reduce the number of incomplete TCP connections. Regarding policy-based routing to filter traffic: IP packet filtering is the ability to define what traffic is allowed into and out of each interface based on filters defined by the values of source and destination IP addresses, TCP and UDP port numbers, ICMP types and codes, and IP protocol numbers.

The exhibit shown below gives the configuration directions according to which the routers are configured, as per the NAT scenario. The TCP Intercept feature helps prevent SYN flooding by intercepting and validating TCP connection requests as they pass through the router that forwards them. The access list matches TCP connections to the network on port 80; TCP Intercept is then configured to use that access list and random drop mode. Clamping of half-open sessions starts when their number reaches 1500 and stops when it falls to 1200. Finally, the inactive connection timeout is set to one hour. This paper also discusses the Cisco IOS software policy-based routing feature and addresses policy-based routing and its functionality. The task is to permit small ICMP echo packets with a Layer 3 length of up to 300 bytes: create route-map ICMP_CONTROL, whose section 10 permits packets matching the access list ICMP_ECHO and having a length of 301-1500 bytes, route these packets to the Null0 interface, and finally apply the route-map to the interfaces. Additionally, the table shows TCP Intercept being triggered as the client sends more ICMP packets.

The study analyzes the advantages of policy-based routing, such as source-based transit provider selection, quality of service and load sharing; it is also a tool for forwarding and routing data packets based on policies defined by the network administrator. TCP Intercept is used as a DoS prevention mechanism, or more specifically against SYN flooding. The tool we used for the experiment is Graphical Network Simulator (GNS3), which allows emulation of complex networks and runs operating systems in a virtual environment on your computer using Cisco Internetwork Operating System (IOS) images. The results of this experiment were observed using various troubleshooting methods. The study of this network focuses on preventing attacks against the network.


Include the introduction you prepared before


Filter Traffic using Policy Based Routing

With policy-based routing (which we will call PBR from here on out), you get the option to implement policies that selectively cause packets to take different paths. Additionally, PBR can mark packets so that certain types of traffic get prioritized.

PBR allows the network administrator to classify traffic using access control lists (ACLs) and then set the IP precedence or type of service (ToS) values, thereby tagging the packets with the defined classification.

How does policy based routing work?

If you look at the Cisco IOS order of operations, policy routing always happens BEFORE regular routing. What policy routing does is inspect the traffic on the interface where the policy is applied and then, based on the policy, make some decision. First, the traffic has to be identified ("matched") according to the policy. Second, for each match, there is something "set". What is set could be that the matched traffic must exit out a different interface, or the traffic could be given a higher priority, or the policy could simply drop that traffic.

The "matching" of the traffic is usually done with an ACL (access-control list) that is referenced by a route-map. In the route-map, there is a "match" for the traffic defined in that ACL then a "set" for that traffic where the network administrator defines what he or she wants to happen to that traffic (prioritize it, route it differently, drop it, or other actions). Policies can be based on IP address, port numbers, protocols, or size of packets.

Implementation of TCP Intercept to prevent DoS attacks:

The method to prevent DoS attacks is to limit, on the network device (the network router), the number of connections that are allowed to pass to a server by using TCP Intercept. The TCP Intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP Intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

In intercept mode, the router intercepts incoming TCP connection requests and establishes the connection with the client on behalf of the server; if that succeeds, it establishes the connection with the server on behalf of the client and merges the two connections transparently. For the whole duration of the connection, the router continues to intercept and forward the data packets. For illegitimate connection requests, the router applies a more rigorous timeout and a half-open connection limit in order to prevent the server's resources from being depleted by a SYN attack. In watch (surveillance) mode, the router passively observes the connection requests flowing through it; if a connection is not established within the configured set-up time, the router shuts the connection down.

Include some basic concepts



SYN Flood Attack

DoS Attack



Related Work

Review of Literature:


Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing. The router passes the packets through enhanced packet filters called route maps. Based on the criteria defined in the route maps, packets are forwarded/routed to the appropriate next hop.

Classification of traffic through policy-based routing allows the network administrator to identify traffic for different classes of service at the perimeter of the network and then implement the QoS defined for each class of service in the core of the network using priority, custom, or weighted fair queuing techniques. This process saves having to classify the traffic explicitly at each WAN interface in the core/backbone network.

(Policy-Based Routing, Copyright 1996 Cisco Systems, page: 2)

TCP Intercept is used to protect TCP services from TCP SYN flood attacks. Intercept mode takes a proactive approach to TCP SYN flood attacks: the router intercepts all TCP connection requests.

(DoS Protection, Richard Deal, page: 680)

The software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for an ACK from the client. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

(Configuring TCP Intercept: Preventing Denial-of-Service Attacks, 2007)


In policy-based routing, we configure the router to filter traffic based on packet length. To do that:

- Create extended access-list ICMP_ECHO and match ICMP echo packets

- Create route-map ICMP_CONTROL

- Permit packets matching the access-list ICMP_ECHO and having length 301-1500

- Route the packets to the Null0 interface

To create the policy-based routing configuration:

- router(config)#ip access-list extended ICMP_ECHO

- router(config-ext-nacl)#permit icmp any any echo

Configure any ACLs, or any other match criteria, that the route map will use in its match commands. This should be done first.

- router(config)#route-map map-tag [permit | deny] [sequence-number]

Explanation: The map-tag is simply a name used to identify the specific route-map, and the sequence-number sets the order in which route-map statements are evaluated if multiple statements exist.

Purpose: Defines a route map to control where packets are output. This command puts the router into route-map configuration mode.

- router(config-route-map)#match length minimum-length maximum-length

This command matches specific Layer 3 packet sizes; it can be used to send packets of various sizes down different paths.

Purpose: Specifies the match criteria. Although there are many route-map matching options, here you can specify only length and/or ip address. If you do not specify a match command, the route map applies to all packets.

- router(config-route-map)#set interface interface-type interface-number

Purpose: Specifies the output interface for matching packets. Next, select the interface on which the policy is to be applied, which puts the router into interface configuration mode.

- Router(config-if)#ip policy route-map map-tag

Purpose: Identifies the route map to use for PBR. One interface can have only one route map tag; but you can have several route map entries, each with its own sequence number. Entries are evaluated in order of their sequence numbers until the first match occurs. If no match occurs, packets are routed as usual.
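The following is an added, constructed Cisco IOS configuration that puts the PBR procedure above (and the match/set mechanism described under "How does policy based routing work?") together in one place; it is not taken from the essay or from Cisco documentation. The interface name and IP address are assumptions chosen for the example.

```cisco
! Constructed example: drop large ICMP echo packets with PBR, pass small ones.
! Step 1: match criteria used by the route map (ICMP echo requests, any src/dst).
ip access-list extended ICMP_ECHO
 permit icmp any any echo
!
! Step 2: route map ICMP_CONTROL, sequence 10. Both match statements must be
! true for the set to apply: echo packets whose Layer 3 length is 301-1500 bytes.
route-map ICMP_CONTROL permit 10
 match ip address ICMP_ECHO
 match length 301 1500
 set interface Null0
!
! Echo packets of 300 bytes or less do not match sequence 10, and there is no
! other sequence, so they are routed normally (the "no match" rule above).
!
! Step 3: apply the policy to the interface on which the packets arrive.
! (Interface and address are assumed values for this example.)
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map ICMP_CONTROL
!
! Verification from privileged EXEC mode:
!   show route-map ICMP_CONTROL   - match/set clauses and "Policy routing matches" counters
!   show ip policy                - interfaces and the route map applied to each
!   debug ip policy               - per-packet policy decisions (lab use only)
```

After applying the policy, a large echo request (over 300 bytes at Layer 3) sent through the router is silently discarded and the "Policy routing matches" counter on sequence 10 increases, while a default-size ping still succeeds; that counter is the quickest way to confirm the policy is hitting the intended packets rather than everything on the interface.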

In the second issue, which is TCP Intercept, we configure the router to intercept all TCP connections to the protected network. To do that:

- Create access-list 199 and match TCP connections to the network on port 80

- Configure TCP intercept to use list 199, and random drop mode

- Start clamping half-open sessions when their number reaches 1500

- Stop clamping half-open sessions when their number reaches 1200

- Set inactive connection timeout to one hour

To implement TCP Intercept and the purpose of each command:

Step 1: Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard

Purpose: "To define an IP extended access list"

Step 2: Router(config)# ip tcp intercept list access-list-number

Purpose: "To enable TCP Intercept"

Explain the previous commands:

You can define an access list to intercept all requests or only those coming from specific networks or destined for specific servers. The access list typically defines the source as any and defines specific destination networks or servers. That is, you do not attempt to filter on the source addresses, because you do not necessarily know whom to intercept packets from; you identify the destination in order to protect the destination servers. If no access list match is found, the router allows the request to pass with no further action.

Step 3: Router(config)# ip tcp intercept max-incomplete low number

Purpose: "To set the threshold for stopping aggressive mode. It defines the number of incomplete connections below which the software leaves aggressive mode."

Step 4: Router(config)# ip tcp intercept max-incomplete high number

Purpose: "To set the threshold for triggering aggressive mode. It defines the number of incomplete connections above which the software enters aggressive mode."


The two factors that determine aggressive behavior are related and work together. When either of the high values is exceeded, aggressive behavior begins. When both quantities fall below the low value, aggressive behavior ends. You can change the threshold for triggering aggressive mode based on the total number of incomplete connections.

Step 5: Router(config)# ip tcp intercept connection-timeout seconds

Purpose: "To change the time the software will manage a connection after no activity."


By default, the software still manages a connection for 24 hours after no activity.

Step 6: Router(config)# ip tcp intercept drop-mode random

Purpose: "To set the drop mode."


By default, the software drops the oldest partial connection when a threshold is exceeded. Alternatively, you can configure the software to drop a random connection.
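The following is an added, constructed Cisco IOS configuration that carries Steps 1 to 6 above through for the task stated earlier (list 199, port 80, random drop, clamp between 1500 and 1200 half-open sessions, one-hour timeout) and also shows the high/low hysteresis from the "two factors" paragraph; it is not the essay's own configuration. The protected server network 192.0.2.0/24 is an assumed placeholder.

```cisco
! Constructed example: TCP Intercept protecting web servers in 192.0.2.0/24 (assumed).
! Step 1: source is "any" (we do not know who the attackers are); destination is
! the protected network on port 80. Only traffic matching this list is intercepted.
access-list 199 permit tcp any 192.0.2.0 0.0.0.255 eq 80
!
! Step 2: enable TCP Intercept for that list. Intercept mode is the default;
! it is stated explicitly here so the mode is visible in the running config.
ip tcp intercept list 199
ip tcp intercept mode intercept
!
! Steps 3 and 4: aggressive-mode thresholds. The high value is set first so that
! the low value is never above the high value at any point during configuration.
! Aggressive mode starts when incomplete connections exceed 1500 and ends only
! when they drop below 1200, so the router does not flap around a single value.
! (The one-minute connection-rate thresholds are the second trigger and are
! left at their defaults here.)
ip tcp intercept max-incomplete high 1500
ip tcp intercept max-incomplete low 1200
!
! Step 5: manage an idle connection for one hour (3600 s) instead of 24 hours.
ip tcp intercept connection-timeout 3600
!
! Step 6: in aggressive mode drop a random half-open connection rather than the
! oldest one, so an attacker cannot rely on a fixed eviction order.
ip tcp intercept drop-mode random
!
! Verification from privileged EXEC mode:
!   show tcp intercept connections   - incomplete and established intercepted connections
!   show tcp intercept statistics    - counts of intercepted/reset connections and whether
!                                      aggressive mode is currently active
```

When reading `show tcp intercept statistics` during a test, the figure to watch is the number of incomplete connections: it should climb towards 1500 under load, the output should then report aggressive mode, and the mode should clear only after the count has fallen below 1200, which confirms that the hysteresis between the high and low thresholds is behaving as configured.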



We use the GNS3 program to implement both issues. GNS3 is a graphical network simulator that allows simulation of complex networks. It is open source software that works on all major operating systems, including Windows, Linux and Mac OS X. In order to work it needs three important components:

First: Dynamips, which is the heart of the system and simulates Cisco routers by emulating the IOS.

Second: Dynagen, which is the link between Dynamips and the user; commands written by the user are transferred to and from Dynamips through it.

Third: WinPcap, a program that captures and transfers packets on the network via a set of protocols.

Let us look at the toolbar of the GNS3 simulator:

1. To start a new project

2. To modify the project

3. To open a project previously stored on the device

4. To save the project

5. To save the project without the extension

6. To clean the topologies that we have designed

7. To show or hide the type and number of each interface

8. To show or hide the name of each router

9. For the selection of the type of cable connection between the routers

10. To take a picture of topology and save

11. To import or export configuration files (startup-config)

12. To open a connection with a router by console

13. To run routers

14. To pause the routers

15. To stop the routers

16. To write on a topology

17. To put a certain image on a topology

18-19. To draw shapes on the topology

Write benefits of GNS3 with real time network

Find out how to connect GNS3 with the real time network

7200 Series Routers:

We use the Cisco 7200 Series routers, which support a wide range of density, performance, and service requirements.

_Write more about this router features

Result and Interpretation

Please work on the experiment. Find out how to get the result.

Find out the result of your topic experiment in the internet


Write 3 lines on what you have understood from both problems