Login
- Table of Contents
-
- 07-Security Configuration Guide
- 00-Preface
- 01-Security Overview
- 02-AAA Configuration
- 03-802.1X Configuration
- 04-MAC Authentication Configuration
- 05-Portal Configuration
- 06-Port Security Configuration
- 07-User Profile Configuration
- 08-Password Control Configuration
- 09-Public Key Configuration
- 10-PKI Configuration
- 11-SSH Configuration
- 12-SSL Configuration
- 13-SSL VPN Configuration
- 14-TCP Attack Protection Configuration
- 15-ARP Attack Protection Configuration
- 16-IPsec Configuration
- 17-ALG Configuration
- 18-Firewall Configuration
- 19-Session Management Configuration
- 20-Web Filtering Configuration
- 21-User Isolation Configuration
- 22-Source IP Address Verification Configuration
- 23-FIPS Configuration
- 24-Protocol Packet Rate Limit Configuration
- 25-Attack detection and protection configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 14-TCP Attack Protection Configuration | 52.36 KB |
Configuring TCP attack protection
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the SYN Cookie feature.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three handshakes:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message, establishing the TCP connection.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but they never make any response to SYN ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in heavy resource consumption and making the server unable to handle services correctly.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. The server can establish a connection only after receiving an ACK message from the client. The server then enters ESTABLISHED state. In this way, incomplete TCP connections can be avoided to protect the server against SYN Flood attacks.
To enable the SYN Cookie feature:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the SYN Cookie feature. |
tcp syn-cookie enable |
Enabled by default. |
If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective.
With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment, instead of the window's zoom factor and timestamp.
Displaying TCP attack protection
|
Task |
Command |
Remarks |
|
Display current TCP connection state. |
display tcp status [ | { begin | exclude | include } regular-expression ] |
Available in any view. |
