1. SYN flood attack wituout TCP Intercept
2. SYN flood attack wituout TCP Intercept(Intercept mode)
3. SYN flood attack wituout TCP Intercept(watch mode)

1. Apache respond immediately after ''[SYN]'', ''[SYN,ACK]'' seems we need ham client and exhaust more Apache resource.

network-security.acl.tcp-intercept.2rt.3sw.3node.1ext-conn.static.ac6665a0

- Topology Description: TCP Intercept
- Topology ID: ''0d4a0667-b035-4ac8-ba82-80c6057dd5d1''
- Design and Technology:
  - TCP Intercept
  - Routing Protocol
    - static
  - 2 routers
  - 3 servers
- Remarks: N/A

### Links

Cisco: TCP Intercept [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:tcp-intercept:tcp-intercept

1. CML-P 2.0 Lab: network-security.acl.tcp-intercept.2rt.3sw.3node.1ext-conn.static.0d4a0667.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
   1. Copy from network-security.acl.reflexive-acl.2rt.3sw.4node.1ext-conn.static.ac6665a0.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
2. Topology diagram: topologies.vsdx · master · CCIE Enterprise Infrastructure v1.0 / My Documents · GitLab

Common Configuration Snippet

ubuntu-0

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-0
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
   - curl
   - vsftpd
   - ftp
   - iperf3
   - nc
   - bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s2:
              dhcp4: true
              dhcp6: true
              match:
                 name: enp0s2
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 10.1.1.254/24
              routes:
                 - to: 198.51.100.0/24
                   via: 10.1.1.1
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 10.1.1.1
                   metric: 0
              #gateway4: 10.1.1.1
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

ubuntu-1

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-1
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
   - hping3
   - curl
   - vsftpd
   - ftp
   - iperf3
   - nc
   - bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s2:
              dhcp4: true
              dhcp6: true
              match:
                 name: enp0s2
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 10.1.1.253/24
              routes:
                 - to: 198.51.100.0/24
                   via: 10.1.1.1
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 10.1.1.1
                   metric: 0
              #gateway4: 10.1.1.1
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

ubuntu-2

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-2
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
   - apache2
   - php
   - curl
   - vsftpd
   - ftp
   - iperf3
   - nc
   - bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 198.51.100.252/24
              routes:
                 - to: 10.1.1.0/24
                   via: 198.51.100.2
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 198.51.100.2
                   metric: 0
              #gateway4: 198.51.100.2
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
end

R2

configure terminal
!
interface GigabitEthernet 0/0
 ip address 198.51.100.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
end

• ubuntu-1 Attacker

ubuntu@ubuntu-0:~$ sudo apt search hping3
Sorting... Done
Full Text Search... Done
hping3/bionic 3.a2.ds2-7 amd64
  Active Network Smashing Tool

ubuntu@ubuntu-0:~$ sudo apt install hping3

man 8 hping3

• ubuntu-2 Apache Web Server

sudo apt install apache2

If ubuntu-2 is operational state, ubuntu-0 can get HTTP document.

• ubuntu-0 Normal Web Client

ubuntu@ubuntu-0:~$ time curl -I 198.51.100.252
HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 04:21:15 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m0.013s
user    0m0.000s
sys     0m0.005s

ubuntu@ubuntu-2:~$ ss -antu
Netid       State         Recv-Q        Send-Q                                  Local Address:Port               Peer Address:Port
udp         UNCONN        0             0                                       127.0.0.53%lo:53                      0.0.0.0:*
udp         UNCONN        0             0                                  10.0.255.34%enp0s2:68                      0.0.0.0:*
udp         UNCONN        0             0                     [fe80::5054:ff:fe00:6ef]%enp0s2:546                        [::]:*
tcp         LISTEN        0             128                                     127.0.0.53%lo:53                      0.0.0.0:*
tcp         LISTEN        0             128                                           0.0.0.0:22                      0.0.0.0:*
tcp         LISTEN        0             128                                         127.0.0.1:6010                    0.0.0.0:*
tcp         ESTAB         0             96                                        10.0.255.34:22                   10.0.255.8:6933
tcp         LISTEN        0             128                                                 *:80                            *:*
tcp         LISTEN        0             128                                              [::]:22                         [::]:*
tcp         LISTEN        0             128                                             [::1]:6010                       [::]:*

• ubuntu-0

time curl -I 198.51.100.252

• ubuntu-1

sudo hping3 -I enp0s3 --spoof 10.1.1.123 --flood -S -p 80 198.51.100.252

• Wireshark Display Filter

tcp.port == 80

• ubuntu-2

tmux
top -d 1 -c
watch -n1 ss -antu
watch -n1 "ss -antu | fgrep SYN-RECV | wc -l "
sudo tail -f /var/log/apache2/error.log

ubuntu@ubuntu-2:~$ ss -antu | tail
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1198
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1186
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:15298
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1187
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1231
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1202
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1191
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1234
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:16580
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:15376

ubuntu@ubuntu-0:~$ time curl -I 198.51.100.252
HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 05:09:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m7.464s
user    0m0.008s
sys     0m0.000s

ip.addr == 10.1.1.254

Wireshark Packet Capture Result

try to curl CML-P outside environment with SYN flood attack

wnoguchi@LASTHOPE MINGW64 ~/Nextcloud/Documents/certification/cisco/ccie/enterprise-infrastructure-v1.0/pcap
$ time curl -I 10.0.255.34
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 05:52:19 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8



real    0m0.040s
user    0m0.000s
sys     0m0.000s

ip.addr == 10.0.255.34 and tcp.port == 80

Hmmm, response is pretty much fast even if SYN flood attack situation.

ubuntu@ubuntu-2:~$ free -m
              total        used        free      shared  buff/cache   available
Mem:           1993         111        1455           2         425        1736
Swap:             0           0           0

resource is not busy.
reponse time late is come from router spec limitation.

OK. Increase Apache resource limitation

sudo vim /etc/apache2/mods-available/mpm_prefork.conf

/etc/apache2/mods-available/mpm_prefork.conf

<IfModule mpm_prefork_module>
        StartServers                     5
        MinSpareServers           5
        MaxSpareServers          10
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>

change to

/etc/apache2/mods-available/mpm_prefork.conf

<IfModule mpm_prefork_module>
        StartServers                     5
        MinSpareServers           5
        MaxSpareServers          1000
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>

sudo apachectl configtest
sudo systemctl restart apache2

net.core.somaxconn
net.ipv4.tcp_max_syn_backlog

root@ubuntu-2:~# cat /proc/sys/net/core/somaxconn
128
root@ubuntu-2:~# echo 8192 >/proc/sys/net/core/somaxconn
root@ubuntu-2:~# cat /proc/sys/net/core/somaxconn
8192

root@ubuntu-2:~# cat /proc/sys/net/ipv4/tcp_max_syn_backlog
128
root@ubuntu-2:~# echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog
root@ubuntu-2:~# cat /proc/sys/net/ipv4/tcp_max_syn_backlog
8192

root@ubuntu-2:~# vim /etc/sysctl.conf
root@ubuntu-2:~# sysctl -p
net.core.somaxconn = 10000000
net.ipv4.tcp_max_syn_backlog = 10000000

systemctl reastart apache2

/etc/apache2/conf-available/synflood.conf

ListenBacklog 10000000

a2enconf synflood
systemctl restart apache2

ready…. but seems no effect….

• R2

configure terminal
!
access-list 101 permit tcp any 198.51.100.0 0.0.0.255
!
ip tcp intercept list 101
!
! default mode
ip tcp intercept mode intercept
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end

• R2

debug ip tcp intercept

• ubuntu-1

curl 198.51.100.252
sudo hping3 -I enp0s3 -i 60 -S -p 80 198.51.100.252

ubuntu@ubuntu-1:~$ curl 198.51.100.252
hello
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=40 ip=198.51.100.252 ttl=254 id=26 sport=80 flags=SA seq=0 win=0 rtt=4.8 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=27 sport=80 flags=SA seq=0 win=0 rtt=1012.7 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=28 sport=80 flags=SA seq=0 win=0 rtt=3012.9 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=29 sport=80 flags=SA seq=0 win=0 rtt=7012.4 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=30 sport=80 flags=SA seq=0 win=0 rtt=15012.6 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=31 sport=80 flags=RA seq=0 win=0 rtt=31045.0 ms

ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -i enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:18:16.752606 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [S], seq 2425271359, win 64240, options [mss 1460,sackOK,TS val 2690830912 ecr 0,nop,wscale 7], length 0
22:18:16.752634 IP ubuntu-2.http > 10.1.1.253.45884: Flags [S.], seq 2886572594, ack 2425271360, win 65160, options [mss 1460,sackOK,TS val 3020441364 ecr 2690830912,nop,wscale 7], length 0
22:18:16.754379 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [.], ack 1, win 64240, length 0
22:18:16.758406 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET / HTTP/1.1
22:18:16.758430 IP ubuntu-2.http > 10.1.1.253.45884: Flags [.], ack 79, win 509, options [nop,nop,TS val 3020441370 ecr 2690830912], length 0
22:18:16.758667 IP ubuntu-2.http > 10.1.1.253.45884: Flags [P.], seq 1:154, ack 79, win 509, options [nop,nop,TS val 3020441370 ecr 2690830912], length 153: HTTP: HTTP/1.1 200 OK
22:18:16.762472 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [.], ack 154, win 64087, length 0

ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:20:56.463058 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [S], seq 3648753164, win 64240, options [mss 1460,sackOK,TS val 2690990623 ecr 0,nop,wscale 7], length 0
22:20:56.463112 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [S.], seq 377875477, ack 3648753165, win 65160, options [mss 1460,sackOK,TS val 3020601075 ecr 2690990623,nop,wscale 7], length 0
22:20:56.465868 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 1, win 64240, length 0
22:20:56.468652 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET / HTTP/1.1
22:20:56.468668 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [.], ack 79, win
509, options [nop,nop,TS val 3020601080 ecr 2690990623], length 0
22:20:56.468932 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [P.], seq 1:154,
ack 79, win 509, options [nop,nop,TS val 3020601080 ecr 2690990623], length 153: HTTP: HTTP/1.1 200 OK
22:20:56.474064 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 154, win 64087, length 0
22:20:56.474913 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [F.], seq 79, ack 154, win 64087, length 0
22:20:56.474953 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [F.], seq 154, ack 80, win 509, options [nop,nop,TS val 3020601086 ecr 2690990623], length 0
22:20:56.478772 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 155, win 64086, length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80

ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=40 ip=198.51.100.252 ttl=254 id=36 sport=80 flags=SA seq=0 win=0 rtt=5.4 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=37 sport=80 flags=SA seq=0 win=0 rtt=1013.5 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=38 sport=80 flags=SA seq=0 win=0 rtt=3021.4 ms

R2#debug ip tcp intercept 
TCP intercept debugging is on
R2#
*Sep 30 22:12:41.251: INTERCEPT: new connection (10.1.1.253:2592 SYN -> 198.51.100.252:80)
*Sep 30 22:12:41.252: INTERCEPT(*): (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:42.252: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:44.253: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:48.252: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:56.252: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:12.251: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2592 <-> 198.51.100.252:80)
*Sep 30 22:13:12.252: INTERCEPT(*): (10.1.1.253:2592 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:13:41.002: INTERCEPT: new connection (10.1.1.253:2593 SYN -> 198.51.100.252:80)
*Sep 30 22:13:41.003: INTERCEPT(*): (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:13:42.002: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:44.002: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:48.002: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:56.003: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:14:03.915: INTERCEPT: new connection (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.916: INTERCEPT(*): (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:14:03.918: INTERCEPT: 1st half of connection is established (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT(*): (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT: 2nd half of connection established  (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:14:03.921: INTERCEPT(*): (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.922: INTERCEPT(*): (10.1.1.253:45882 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:14:08.930: INTERCEPT: ESTAB timing out (10.1.1.253:45882 <-> 198.51.100.252:80)
R2#
*Sep 30 22:14:12.002: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2593 <-> 198.51.100.252:80)
*Sep 30 22:14:12.003: INTERCEPT(*): (10.1.1.253:2593 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:18:00.977: INTERCEPT: new connection (10.1.1.253:45884 SYN -> 198.51.100.252:80)
*Sep 30 22:18:00.977: INTERCEPT(*): (10.1.1.253:45884 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:00.979: INTERCEPT: 1st half of connection is established (10.1.1.253:45884 ACK -> 198.51.100.252:80)
*Sep 30 22:18:00.979: INTERCEPT(*): (10.1.1.253:45884 SYN -> 198.51.100.252:80)
*Sep 30 22:18:00.980: INTERCEPT: 2nd half of connection established  (10.1.1.253:45884 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:00.980: INTERCEPT(*): (10.1.1.253:45884 ACK -> 198.51.100.252:80)
*Sep 30 22:18:00.981: INTERCEPT(*): (10.1.1.253:45884 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:18:05.990: INTERCEPT: ESTAB timing out (10.1.1.253:45884 <-> 198.51.100.252:80)
R2#
*Sep 30 22:18:42.855: INTERCEPT: new connection (10.1.1.253:2753 SYN -> 198.51.100.252:80)
*Sep 30 22:18:42.856: INTERCEPT(*): (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:43.856: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:45.856: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:49.856: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:57.856: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:19:13.855: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2753 <-> 198.51.100.252:80)
*Sep 30 22:19:13.856: INTERCEPT(*): (10.1.1.253:2753 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:20:39.984: INTERCEPT: new connection (10.1.1.253:45886 SYN -> 198.51.100.252:80)
*Sep 30 22:20:39.985: INTERCEPT(*): (10.1.1.253:45886 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:20:39.987: INTERCEPT: 1st half of connection is established (10.1.1.253:45886 ACK -> 198.51.100.252:80)
*Sep 30 22:20:39.987: INTERCEPT(*): (10.1.1.253:45886 SYN -> 198.51.100.252:80)
*Sep 30 22:20:39.988: INTERCEPT: 2nd half of connection established  (10.1.1.253:45886 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:20:39.988: INTERCEPT(*): (10.1.1.253:45886 ACK -> 198.51.100.252:80)
*Sep 30 22:20:39.989: INTERCEPT(*): (10.1.1.253:45886 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:20:44.997: INTERCEPT: ESTAB timing out (10.1.1.253:45886 <-> 198.51.100.252:80)
R2#
*Sep 30 22:21:36.388: INTERCEPT: new connection (10.1.1.253:2358 SYN -> 198.51.100.252:80)
*Sep 30 22:21:36.388: INTERCEPT(*): (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:21:37.389: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:39.389: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:43.389: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:51.389: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:22:07.388: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2358 <-> 198.51.100.252:80)
*Sep 30 22:22:07.388: INTERCEPT(*): (10.1.1.253:2358 <- RST 198.51.100.252:80)
R2#

• R2

configure terminal
!
access-list 101 permit tcp any 198.51.100.0 0.0.0.255
!
ip tcp intercept list 101
!
! default mode
ip tcp intercept mode watch
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end

• ubuntu-1

curl 198.51.100.252
sudo hping3 -I enp0s3 -i 60 -S -p 80 198.51.100.252

R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip tcp inter
R2(config)#ip tcp intercept mo
R2(config)#ip tcp intercept mode wa
R2(config)#ip tcp intercept mode watch 
R2(config)#end
R2#
*Sep 30 22:24:30.022: %SYS-5-CONFIG_I: Configured from console by console
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#
*Sep 30 22:26:08.176: INTERCEPT: new connection (10.1.1.253:45888 SYN -> 198.51.100.252:80)
*Sep 30 22:26:08.177: INTERCEPT: (10.1.1.253:45888 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:26:08.181: INTERCEPT: (10.1.1.253:45888 ACK -> 198.51.100.252:80)
R2#

ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:26:26.644561 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [S], seq 3649025256, win 64240, options [mss 1460,sackOK,TS val 2691320807 ecr 0,nop,wscale 7], length 0
22:26:26.644587 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [S.], seq 676254311, ack 3649025257, win 65160, options [mss 1460,sackOK,TS val 3020931256 ecr 2691320807,nop,wscale 7], length 0
22:26:26.650334 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2691320812 ecr 3020931256], length 0
22:26:26.652239 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [P.], seq 1:79, ack 1, win 502, options [nop,nop,TS val 2691320812 ecr 3020931256], length 78: HTTP: GET / HTTP/1.1
22:26:26.652276 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [.], ack 79, win
509, options [nop,nop,TS val 3020931264 ecr 2691320812], length 0
22:26:26.652672 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [P.], seq 1:154,
ack 79, win 509, options [nop,nop,TS val 3020931264 ecr 2691320812], length 153: HTTP: HTTP/1.1 200 OK
22:26:26.655754 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 154, win 501, options [nop,nop,TS val 2691320819 ecr 3020931264], length 0
22:26:26.655777 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [F.], seq 79, ack 154, win 501, options [nop,nop,TS val 2691320819 ecr 3020931264], length 0
22:26:26.655803 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [F.], seq 154, ack 80, win 509, options [nop,nop,TS val 3020931267 ecr 2691320819], length 0
22:26:26.659524 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 155, win 501, options [nop,nop,TS val 2691320823 ecr 3020931267], length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=44 ip=198.51.100.252 ttl=62 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=13.3 ms

ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:00.444812 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [S], seq 1140506343, win 512, length 0
22:30:00.444840 IP 198.51.100.252.80 > 10.1.1.253.2879: Flags [S.], seq 283107734, ack 1140506344, win 64240, options [mss 1460], length 0
22:30:00.450001 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [R], seq 1140506344, win 0, length 0
22:30:30.648045 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [R.], seq 1, ack 1, win 0, length 0

R2#
*Sep 30 22:29:40.920: INTERCEPT: new connection (10.1.1.253:2879 SYN -> 198.51.100.252:80)
*Sep 30 22:29:40.921: INTERCEPT: (10.1.1.253:2879 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:30:10.920: INTERCEPT: SYNRCVD timing out (10.1.1.253:2879 <-> 198.51.100.252:80)
*Sep 30 22:30:10.921: INTERCEPT(*): (10.1.1.253:2879 RST -> 198.51.100.252:80)
R2#

Wireshark Packet Capture Result

R1-R2

R2-SW1

1. TCPインターセプト - コンフィグ設定
2. hping3コマンドの使い方 - Qiita
3. SYN Flood Attackを手元のPCで検証する方法 | mio.yokohama
4. sockets - hping send SYN: how not to send RST after receiving SYN/ACK? - Stack Overflow
5. Linux 素人でも出来るカーネルチューニングで性能UP｜ギブ＆テイクSE｜note
6. 負荷が低いのにアクセスを捌けきれない時の対応 - Carpe Diem
7. backlog の実験 - computerの日記
8. Cisco IOS TCP intercept watch modeの設定 | ネットワークチェンジニアとして