
TCP Intercept Explained

This article accompanies the demonstration video I have created below.

What is TCP Intercept?

TCP interception is a method used to protect against TCP SYN-flooding attacks. This is achieved by intercepting TCP connection requests (SYN packets) and verifying the connection before passing the original TCP SYN packet onto the destination.

How does it work?

The device configured for TCP interception completes the connection with the client on behalf of the server. If the client finishes the TCP 3-way handshake, the software then opens a connection to the server: the original SYN packet is passed on to the server, the server-side 3-way handshake takes place, and once that completes the two half-connections are joined into a single transparent session. (See video for demonstration)

TCP interception can operate in two modes, Intercept mode and Watch mode.

Intercept mode is on by default! In Intercept mode the configured device intercepts TCP SYN requests on behalf of the server, as described above.

In Watch mode, TCP SYN requests are allowed to pass through the configured device, but the resulting connections are watched to see whether they become established. If a connection is not established within the default allotted time of 30 seconds, the device sends a reset (RST) to the server to clear the half-open state.

How is TCP Intercept triggered?

The two factors that determine when TCP interception kicks into play are:
  1. The number of incomplete (half-open) connections
  2. The number of connection requests in the last minute
If these thresholds are exceeded, TCP interception assumes the server is under attack and goes into aggressive mode. Once in aggressive mode, each new connection request causes the oldest partial connection to be dropped (the default drop mode), and the configured timeouts are halved.
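The following is an added example, not code from the article or from Cisco: a small Python model of the behaviour described in the two sections above. It tracks half-open connections and the one-minute SYN rate, enters aggressive mode when a high watermark is exceeded, drops the oldest partial connection on every new SYN while aggressive, halves the watch timeout, and returns to normal once both counts fall below the low watermarks. The thresholds, addresses and timings in `simulate_flood` are constructed for readability (low 4, high 6 instead of the defaults of 900 and 1100); the class, method and key names are this example's own.

```python
from collections import OrderedDict, deque


class TcpIntercept:
    """Toy model of TCP intercept threshold logic (assumption: caller supplies
    monotonic timestamps in seconds; no real packets are sent)."""

    def __init__(self, max_incomplete_low=900, max_incomplete_high=1100,
                 one_minute_low=900, one_minute_high=1100, watch_timeout=30):
        self.max_incomplete = (max_incomplete_low, max_incomplete_high)
        self.one_minute = (one_minute_low, one_minute_high)
        self.watch_timeout = watch_timeout
        self.pending = OrderedDict()   # 4-tuple -> time the SYN arrived, oldest first
        self.syn_times = deque()       # SYN arrival times inside the last 60 seconds
        self.aggressive = False
        self.stats = {"established": 0, "timed_out": 0, "dropped_oldest": 0}

    def effective_watch_timeout(self):
        # Aggressive mode halves the configured timeouts.
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def tick(self, now):
        """Age out half-open connections that never completed the handshake."""
        limit = now - self.effective_watch_timeout()
        for key, seen in list(self.pending.items()):
            if seen > limit:
                break                  # entries are in arrival order, rest are newer
            del self.pending[key]
            self.stats["timed_out"] += 1   # in watch mode a RST to the server goes here
        while self.syn_times and self.syn_times[0] <= now - 60:
            self.syn_times.popleft()
        self._update_mode()

    def on_syn(self, key, now):
        """A client SYN arrived. Returns True if the device is in aggressive mode."""
        self.tick(now)
        self.syn_times.append(now)
        if self.aggressive and self.pending:
            self.pending.popitem(last=False)      # drop-mode oldest
            self.stats["dropped_oldest"] += 1
        self.pending[key] = now
        self._update_mode()
        return self.aggressive

    def on_handshake_complete(self, key, now):
        """The client's final ACK arrived: the half-connection is joined to the server side."""
        self.tick(now)
        if key not in self.pending:
            return False
        del self.pending[key]
        self.stats["established"] += 1
        self._update_mode()
        return True

    def _update_mode(self):
        incomplete, rate = len(self.pending), len(self.syn_times)
        if not self.aggressive and (incomplete > self.max_incomplete[1] or rate > self.one_minute[1]):
            self.aggressive = True     # either high watermark exceeded
        elif self.aggressive and incomplete < self.max_incomplete[0] and rate < self.one_minute[0]:
            self.aggressive = False    # both counts back below the low watermarks


def simulate_flood(low=4, high=6, watch_timeout=30):
    """Constructed scenario: one legitimate client, then ten SYNs from spoofed
    sources (RFC 5737 documentation addresses) that never finish the handshake."""
    icp = TcpIntercept(low, high, low, high, watch_timeout)
    server = ("203.0.113.10", 443)
    legit = ("198.51.100.7", 40000) + server
    icp.on_syn(legit, now=0.0)
    icp.on_handshake_complete(legit, now=0.2)
    entered_aggressive_at = None
    for i in range(10):                              # one spoofed SYN per second
        key = ("192.0.2.%d" % (i + 1), 50000 + i) + server
        if icp.on_syn(key, now=1.0 + i) and entered_aggressive_at is None:
            entered_aggressive_at = i + 1
    during_flood = dict(icp.stats)
    icp.tick(now=30.0)        # 20 s after the last SYN: halved 15 s timeout has expired them all
    half_open_after_20s = len(icp.pending)
    icp.tick(now=80.0)        # a quiet minute later the one-minute rate is back to zero
    return {
        "aggressive_after_syn_number": entered_aggressive_at,
        "during_flood": during_flood,
        "half_open_after_20s": half_open_after_20s,
        "timed_out_total": icp.stats["timed_out"],
        "aggressive_after_quiet_minute": icp.aggressive,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

The run shows the two mechanisms the article describes: the sixth spoofed SYN pushes the one-minute count over the high watermark, after which every further SYN evicts the oldest half-open entry, and the halved watch timeout clears the remaining entries 20 seconds later even though the configured timeout is 30 seconds.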

Configuration Example

Router# configure terminal
Router(config)# access-list 101 permit tcp any any
Router(config)# ip tcp intercept list 101
Router(config)# ip tcp intercept mode intercept – By default intercept mode is configured
Router(config)# ip tcp intercept drop-mode oldest – By default the software drops the oldest partial connection
Router(config)# ip tcp intercept watch-timeout 100 – Changes the time allowed to reach established state (Waits for 30 seconds by default)
Router(config)# ip tcp intercept finrst-timeout 120 – Changes the time between receipt of a FIN-exchange or Reset and dropping the connection (Waits for 5 seconds by default)
Router(config)# ip tcp intercept connection-timeout 120 – Changes the time the software will manage a connection after no activity (Still manages the connection for 24 hours by default)

Modifying Thresholds

Router(config)# ip tcp intercept max-incomplete low 900 high 1100 – (Default values are 900-1100)
Router(config)# ip tcp intercept one-minute low 900 high 1100 – (Default values are 900-1100)



Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working towards new technical certifications. He holds many professional certifications and, academically, he has achieved Bachelor's and Master's degrees in both Computer Networks and Cyber Security.
