R3166-R3206-HP High-End Firewalls System Management and Maintenance Configuration Guide-6PW101
Enabling the SYN Cookie feature
As a general rule, establishing a TCP connection involves the following three-way handshake:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server creates a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message. The TCP connection is now established.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to request TCP connections, but never respond to the SYN ACK messages. As a result, a large number of half-open TCP connections accumulate on the server, consuming its resources and leaving it unable to handle services normally.
The SYN Cookie feature protects against SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message instead of creating a half-open TCP connection. Only after receiving an ACK message from the client does the server create the connection and enter the ESTABLISHED state. In this way, the server avoids accumulating large numbers of half-open TCP connections and is protected against SYN Flood attacks.
Follow these steps to enable the SYN Cookie feature:
To do...                        Use the command...       Remarks
Enter system view               system-view              —
Enable the SYN Cookie feature   tcp syn-cookie enable    Required. Disabled by default.
NOTE:
• If MD5 authentication is enabled, the SYN Cookie feature does not take effect even if it is enabled. If you then disable MD5 authentication, the SYN Cookie feature takes effect automatically.
• With the SYN Cookie feature enabled, only the MSS is negotiated during TCP connection establishment; the window scale factor and timestamp options are not.
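The following Python sketch is an added illustration, not code from this guide or the firewall's own implementation. It shows the stateless mechanism the feature relies on: the server folds a time slot, an MSS index and a keyed hash into the initial sequence number of its SYN ACK, stores nothing, and recovers the MSS only when a valid ACK arrives. The secret key, the MSS table and the bit layout are assumptions chosen for the example; the layout also makes concrete why only the MSS survives negotiation, as the NOTE above states.

```python
import hmac, hashlib, ipaddress, struct, time

# Constructed demo key; a real stack draws a random secret at boot (assumption).
SECRET = b"demo-syn-cookie-secret"
MSS_TABLE = (536, 1220, 1460, 4460)   # the only values a 3-bit field can encode
COOKIE_LIFETIME_SLOTS = 2             # accept the current and previous minute

def _mac(*fields):
    """Keyed hash over the 4-tuple, client ISN, time slot and MSS index (IPv4 only)."""
    msg = struct.pack("!" + "I" * len(fields), *fields)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def _mss_index(mss):
    # largest table entry not exceeding the client's MSS; index 0 if none fits
    return max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)

def _slot(now):
    return (int(time.time() if now is None else now) // 60) & 0x1F

def make_cookie(src, dst, sport, dport, client_isn, mss, now=None):
    """Server ISN for the SYN ACK: 5 bits time slot | 3 bits MSS index | 24 bits MAC.
    Nothing is stored per SYN, so a flood of SYNs costs the server no memory."""
    t, idx = _slot(now), _mss_index(mss)
    h = _mac(int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)),
             (sport << 16) | dport, client_isn, t, idx)
    return (t << 27) | (idx << 24) | h

def check_cookie(src, dst, sport, dport, seq, ack, now=None):
    """Validate the third-handshake ACK. Returns the MSS to use for the new
    connection, or None if the cookie is forged, expired or malformed."""
    client_isn = (seq - 1) & 0xFFFFFFFF   # the ACK carries client ISN + 1
    cookie = (ack - 1) & 0xFFFFFFFF       # and acknowledges server ISN + 1
    t, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_slot(now) - t) & 0x1F >= COOKIE_LIFETIME_SLOTS or idx >= len(MSS_TABLE):
        return None
    expected = _mac(int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)),
                    (sport << 16) | dport, client_isn, t, idx)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]
```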
Enabling protection against Naptha attacks
Naptha attacks are similar to SYN Flood attacks. The difference is that a Naptha attack can exploit six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas a SYN Flood attack exploits only the SYN_RECEIVED state.
Naptha attackers control a huge number of hosts that establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, so as to exhaust the memory of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP connections in a given state. After the feature is enabled, the device periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the configured maximum, it accelerates the aging of TCP connections in that state.
Follow these steps to enable protection against Naptha attacks:
To do...                        Use the command...       Remarks
Enter system view               system-view              —