TCP intercept features must be provided by the network device by implementing a filter to rate limit and protect publicly accessible servers from any TCP SYN flood attacks from an outside network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3165	NET0960	SV-16143r3_rule		Medium

Description
The TCP SYN attack involves transmitting a volume of connections that cannot be completed at the destination. This attack causes the connection queues to fill up, thereby denying service to legitimate TCP users.

STIG	Date
Perimeter Router Security Technical Implementation Guide Cisco	2017-12-07

Details

Check Text ( C-3603r3_chk )
Review the device configuration to determine if TCP Intercept has been configured to mitigate TCP SYN Flood attacks. If TCP Intercept has not been implemented, this is a finding. CAVEAT: If the site has implemented SYN flood protection for the network using the perimeter firewall or IPS (or an IDS if it is configured to dynamically configure upstream router to block the attack), there is not an additional requirement to implement it on the router.

Check Text ( C-3603r3_chk )

Review the device configuration to determine if TCP Intercept has been configured to mitigate TCP SYN Flood attacks.

If TCP Intercept has not been implemented, this is a finding.

CAVEAT: If the site has implemented SYN flood protection for the network using the perimeter firewall or IPS (or an IDS if it is configured to dynamically configure upstream router to block the attack), there is not an additional requirement to implement it on the router.

Fix Text (F-3190r2_fix)
Configure the device to use TCP Intercept to protect against TCP SYN attacks from outside the network.