Wednesday, April 24, 2013

Lab 220 - TCP Intercept

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
There are web servers in VLAN 215 that have been attacked with a TCP SYN flood. The attack comes from networks connected to BB1.

Configure protection against this attack on R3, but ensure that R3 only passively monitors session establishment: it must not act as a TCP proxy that answers the SYN on behalf of the server.
Ensure that R3 enters aggressive mode (dropping the oldest half-open connections) when the number of incomplete sessions exceeds 4000 and leaves aggressive mode when the count falls below 3000.
Also ensure that R3 enters aggressive mode when the rate of new connection requests exceeds 400 per minute and leaves aggressive mode when the rate falls below 300 per minute.

Solution

Task 1
There are web servers in VLAN 215 that have been attacked with a TCP SYN flood. The attack comes from networks connected to BB1.

Configure protection against this attack on R3, but ensure that R3 only passively monitors session establishment: it must not act as a TCP proxy that answers the SYN on behalf of the server.
Ensure that R3 enters aggressive mode (dropping the oldest half-open connections) when the number of incomplete sessions exceeds 4000 and leaves aggressive mode when the count falls below 3000.
Also ensure that R3 enters aggressive mode when the rate of new connection requests exceeds 400 per minute and leaves aggressive mode when the rate falls below 300 per minute.

R3 Config:
!
! Only TCP traffic to the web servers in VLAN 215 is watched; everything else
! is forwarded without being tracked.
ip access-list extended WEB_VLAN215
 permit tcp any 172.16.215.0 0.0.0.255 eq www
!
ip tcp intercept list WEB_VLAN215
!
! Watch mode is passive: R3 lets the SYN through to the server and only sends
! the server an RST if the handshake is not completed within the watch timeout
! (30 seconds by default). Intercept mode, the default, would proxy the
! handshake instead, which the task forbids.
ip tcp intercept mode watch
!
! Aggressive mode starts when EITHER high threshold is exceeded and ends only
! when BOTH counters are below their low threshold. The high value must not be
! below the low value, so set high before low when raising the defaults.
ip tcp intercept max-incomplete high 4000
ip tcp intercept max-incomplete low 3000
ip tcp intercept one-minute high 400
ip tcp intercept one-minute low 300
!

Verification:
show tcp intercept connections   (lists incomplete and established connections being watched)
show tcp intercept statistics    (counts of incomplete/established connections and the per-minute request rate)
debug ip tcp intercept           (shows each SYN being watched and the resets sent on timeout; use with care on a busy router)
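The thresholds above interact in a way that is easy to get wrong, so here is an added model of watch mode with R3's numbers. This is illustration code written for this page, not IOS code or anything from the lab: it follows the documented behaviour (half-open connections are tracked per flow; aggressive mode starts when either high threshold is exceeded and ends when both counters are below their low values; in aggressive mode each new SYN drops the oldest half-open entry and the watch timeout is halved). The one-minute counter is approximated with a sliding 60-second window, and the client and server addresses are constructed sample values.

```python
"""Model of Cisco TCP Intercept watch mode with R3's thresholds (added illustration, not IOS code)."""
from collections import OrderedDict, deque


class TcpInterceptWatch:
    def __init__(self, max_incomplete_high=4000, max_incomplete_low=3000,
                 one_minute_high=400, one_minute_low=300, watch_timeout=30.0):
        self.max_high = max_incomplete_high
        self.max_low = max_incomplete_low
        self.rate_high = one_minute_high
        self.rate_low = one_minute_low
        self.watch_timeout = watch_timeout      # IOS default is 30 seconds
        self.incomplete = OrderedDict()         # flow -> deadline, oldest first
        self.established = set()
        self.syn_times = deque()                # SYN timestamps seen in the last 60 s
        self.aggressive = False
        self.resets_sent = 0    # RSTs sent to the server for handshakes that timed out
        self.dropped = 0        # oldest half-open entries dropped while aggressive

    def one_minute_rate(self):
        return len(self.syn_times)

    def _update_mode(self):
        n, r = len(self.incomplete), self.one_minute_rate()
        if not self.aggressive and (n > self.max_high or r > self.rate_high):
            self.aggressive = True      # either high threshold exceeded
        elif self.aggressive and n < self.max_low and r < self.rate_low:
            self.aggressive = False     # both counters back below their low threshold

    def advance(self, now):
        """Age out the rate window and time out half-open connections.

        A handshake still incomplete when its watch timeout expires makes the
        router send an RST to the server, freeing the server's half-open entry.
        """
        for flow, deadline in list(self.incomplete.items()):
            if now >= deadline:
                del self.incomplete[flow]
                self.resets_sent += 1
        while self.syn_times and now - self.syn_times[0] >= 60:
            self.syn_times.popleft()
        self._update_mode()
        return self.aggressive

    def syn(self, now, flow):
        """A SYN matching the intercept ACL was forwarded to the server."""
        self.advance(now)
        self.syn_times.append(now)
        if self.aggressive and self.incomplete:
            self.incomplete.popitem(last=False)   # drop the oldest half-open entry
            self.dropped += 1
        timeout = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        self.incomplete[flow] = now + timeout
        self._update_mode()
        return self.aggressive

    def handshake_completed(self, now, flow):
        """The client's final ACK was seen, so the flow is no longer half-open."""
        self.advance(now)
        if self.incomplete.pop(flow, None) is not None:
            self.established.add(flow)
        self._update_mode()
        return self.aggressive


def syn_burst(router, count, when, server="172.16.215.10"):
    """Send `count` SYNs from distinct (constructed) source ports at time `when`."""
    return [router.syn(when, ("198.51.100.7", 40000 + i, server, 80)) for i in range(count)]


if __name__ == "__main__":
    r3 = TcpInterceptWatch()
    flags = syn_burst(r3, 402, 0.0)
    print("aggressive after 400 SYNs in a minute:", flags[399], "after 401:", flags[400])
    print("half-open:", len(r3.incomplete), "dropped while aggressive:", r3.dropped)
    print("normal again after the window ages out:", not r3.advance(61.0),
          "RSTs sent to the server:", r3.resets_sent)
```

One thing the model makes obvious: with the default 30-second watch timeout, a flood running at exactly 400 SYN/min can only keep about 200 handshakes half-open at once (rate multiplied by timeout), so the one-minute thresholds trip long before 4000 incomplete connections accumulate. The max-incomplete pair only governs behaviour if the watch timeout is raised or the attack rate is far beyond the one-minute high value.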