
Thread: Am I being Dos'd?

  1. #11
    Opus00 (Senior Member; Join Date: May 2005; Posts: 143)
    Quote Originally Posted by Ippersiel
    I'm not too familiar with these things, but if someone was being flooded by 10,000 connections, wouldn't that overload the TCP Intercept and in essence satisfy the DoS attack as well?

    This is how the SYN attack works. The TCP 3-way handshake: the remote sends a SYN, you send a SYN/ACK back and wait for a period of time (3 seconds). If you do not get an ACK back, you resend the SYN/ACK and wait (now 6 seconds). This happens about 4 times, holding a socket open for approximately a minute or so.

    Now if you receive 10,000 SYNs, eventually all of your file descriptors for sockets get used up and you can no longer service sockets.

    What TCP Intercept does is keep track of the number of opened connections (those without a corresponding ACK). If any IP sends, let's say, 5 open connections and does not receive an ACK, TCP Intercept will no longer accept connections from that IP and will not use any more resources for that IP. (I think the term Cisco uses for this is embryonic or something close to that.)

    Now if it is 10,000 connections from 10,000 different IPs, TCP Intercept only sees 1 open connection from each IP and will not shun them until the limit of 5 open connections is seen, which would then need to be 50,000 connections, and you are toast by then anyway.
    Last edited by Opus00; August 10th, 2007 at 07:46 PM.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.
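
The per-source limit described in the post above, modelled as an added example (not part of the post and not Cisco's implementation). The class and function names, the 10.0.0.0 source addresses and the doubling of the retransmit wait beyond 6 seconds are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def hold_seconds(first_wait=3, sends=4):
    """Time one unanswered SYN holds a socket: 3 + 6 + 12 + 24 = 45 s.
    Doubling after the 6 s wait is an assumption; the post gives 3 s and 6 s."""
    return sum(first_wait * 2 ** i for i in range(sends))

class PerSourceLimiter:
    """Hypothetical model: counts half-open connections per source IP."""
    def __init__(self, limit=5):
        self.limit = limit
        self.half_open = Counter()   # source IP -> SYNs with no final ACK yet
        self.shunned = set()         # sources no longer accepted
        self.dropped = 0             # SYNs refused without using a socket

    def on_syn(self, src):
        if src in self.shunned:
            self.dropped += 1
            return False
        self.half_open[src] += 1
        if self.half_open[src] >= self.limit:
            self.shunned.add(src)    # limit reached: stop spending resources
        return True

    def on_ack(self, src):
        # Handshake completed, so the connection is no longer half-open.
        if self.half_open[src] > 0:
            self.half_open[src] -= 1

def run(sources, syns_each, limit=5):
    """Feed unanswered SYNs through the limiter and report what it let through."""
    lim = PerSourceLimiter(limit)
    for src in sources:
        for _ in range(syns_each):
            lim.on_syn(src)
    return {"held": sum(lim.half_open.values()),
            "dropped": lim.dropped, "shunned": len(lim.shunned)}

def addresses(n, base="10.0.0.0"):
    """Constructed source addresses for the simulation."""
    start = ipaddress.ip_address(base)
    return [str(start + i) for i in range(n)]

if __name__ == "__main__":
    print("hold time per SYN:", hold_seconds(), "s")
    print("1 source x 10,000 SYNs: ", run(addresses(1), 10_000))
    print("10,000 sources x 1 SYN: ", run(addresses(10_000), 1))
    print("10,000 sources x 5 SYNs:", run(addresses(10_000), 5))
```

The `held` figure is the number of sockets still tied up behind the limiter; in the distributed cases it equals the number of SYNs sent, because no source is shunned before its own count reaches the limit.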
