R21xx-HP FlexFabric 11900 Layer 3 IP Services Command Reference

152

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1. The sender sends a SYN packet to the server.

2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,

and replies with a SYN ACK packet to the sender.

3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection

is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number

of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server

establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it

responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK

packet from the sender.

Examples

# Enable SYN Cookie.

<Sysname> system-view

[Sysname] tcp syn-cookie enable

tcp timer fin-timeout

Use tcp timer fin-timeout to configure the TCP FIN wait timer.

Use undo tcp timer fin-timeout to restore the default.