TCP Intercept Configuration

andrew.lynn
Level 1

We currently have a set of Cisco 2900 series routers (2911, I believe) that handle our primary traffic. We've been subjected to a few DDoS attacks, but have worked to get a resolution on the UDP side. We're also currently looking into an alternate IPS solution that should give us better protection against both UDP and TCP based attacks. In the interim, I'm considering options that would help limit our vulnerability to TCP based attacks - TCP Intercept is one of those options.

From what I've read so far, I should be able to configure this on my 2900s. My question is: is there any risk associated with configuring this on these routers, since they are used for a primary connection into one of our datacenters? In the past, we've experienced attacks >10Gb against this 1Gb tunnel. I assume that if we get hit with anything that significant, TCP Intercept probably won't help much, as the router CPU is likely to peg out (unless I'm wrong about that)? Again, this would only be a short-term option until a better solution is put in place.

Thanks in advance,

Andrew

Accepted Solution

Philip D'Ath
VIP Alumni

If you get hit with 10Gb/s of traffic and you have a 1Gb/s pipe nothing you can do on your end will make any difference. You would need help on the service provider side of the pipe to address it.

I don't believe a 2911 has sufficient CPU punch to process TCP intercepts at 1Gb/s - or even get slightly close. So yes, I think the CPU will well and truly peg out.

So in short, I agree with all your thoughts.

I would be looking at a Cisco ASA 5516 Firepower bundle, with some Firepower licences. Actually, maybe you should just jump directly to the 5555 Firepower bundle so you have plenty of horsepower to spare to deal with these attacks. The 5516 would be pegged out if it got smashed with that much attack traffic.

https://apps.cisco.com/ccw/cpc/guest/content/ucsSeriesDetails/series_asa5500
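For anyone weighing the short-term option Andrew describes, here is an added IOS configuration sketch (not posted by either participant) that enables TCP Intercept in watch mode, which lets the router passively time out half-open connections rather than proxying every handshake and so costs less CPU than intercept mode. The protected address range and the threshold values are constructed placeholders, and the exact keyword syntax for the max-incomplete and one-minute limits differs between IOS releases, so verify each line against the command reference for the release running on the 2911.

```text
! Constructed example: protect servers in 203.0.113.0/24 (placeholder range)
access-list 101 permit tcp any 203.0.113.0 0.0.0.255
ip tcp intercept list 101

! Watch mode only monitors handshakes; intercept mode answers SYNs on the
! router's behalf and is the more CPU-intensive choice on a small platform.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20

! Enter aggressive mode (shorter timeouts, drop half-open connections) once
! either the total half-open count or the one-minute connection rate exceeds
! the high mark; leave it when the count falls below the low mark.
! Values below are constructed; the IOS defaults are 1100 high / 900 low.
ip tcp intercept max-incomplete high 1500
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1200
ip tcp intercept one-minute low 800

! Drop random half-open connections in aggressive mode instead of the oldest,
! so a flood cannot simply keep its freshest entries alive.
ip tcp intercept drop-mode random

! Shorten how long an established-but-idle intercepted connection is tracked.
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 5

! Operational checks while the feature is active:
!   show tcp intercept statistics   - half-open counts, aggressive-mode state
!   show tcp intercept connections  - current intercepted and watched sessions
!   show processes cpu history      - confirm the CPU is not pegging out
```

Watching the CPU history alongside the intercept statistics during a real event is what tells you whether the 2911 is coping or whether, as Philip notes, the mitigation has to move upstream to the provider.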
