R21xx-HP FlexFabric 11900 Layer 3 IP Services Configuration Guide
3. The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.
An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number
of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server
establishes a large number of TCP semi-connections and can no longer handle normal services.
SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it
responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a
TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.
To enable TCP SYN Cookie:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable SYN Cookie. | tcp syn-cookie enable | The default setting is disabled.
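The stateless handshake described above, sketched as an added example (not code from this guide and not the device's implementation): the server packs a time counter, an MSS index, and a keyed hash into the SYN ACK sequence number, then rebuilds and checks it when the ACK arrives. The bit layout, key, MSS table, timing constants, and all function names are assumptions for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: a real stack uses a random per-boot key
MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: MSS values the 3-bit index can select
TICK = 64                             # assumption: seconds per counter step
MAX_AGE = 2                           # assumption: accept cookies up to 2 ticks old

def _mac24(flow, client_isn, counter, mss_idx):
    """24-bit keyed hash over the 4-tuple, client ISN, counter and MSS index."""
    msg = repr((flow, client_isn, counter, mss_idx)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(flow, client_isn, client_mss, now):
    """Server ISN for the SYN ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    counter = int(now) // TICK
    fitting = [i for i, v in enumerate(MSS_TABLE) if v <= client_mss]
    mss_idx = fitting[-1] if fitting else 0
    mac = _mac24(flow, client_isn, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

def check_ack(flow, seq, ack, now):
    """Validate the final ACK; return the negotiated MSS, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF       # client acknowledges server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF   # the client's SYN consumed one sequence number
    ctr_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // TICK
    for age in range(MAX_AGE + 1):        # no per-connection state is consulted
        counter = current - age
        if counter < 0 or counter & 0x1F != ctr_bits:
            continue
        expected = _mac24(flow, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None

def demo():
    """Constructed handshake: one honest ACK, one forged ACK, one stale ACK."""
    flow = ("198.51.100.7", 40000, "192.0.2.1", 443)   # constructed addresses
    t0, client_isn = 1_000_000, 0x1234ABCD
    server_isn = make_cookie(flow, client_isn, 1460, t0)
    honest = check_ack(flow, client_isn + 1, server_isn + 1, t0 + 3)
    forged = check_ack(flow, client_isn + 1, (server_isn ^ 0x1) + 1, t0 + 3)
    stale = check_ack(flow, client_isn + 1, server_isn + 1, t0 + 10 * TICK)
    return honest, forged, stale
```

Because the server keeps nothing between the SYN and the ACK, a flood of unanswered SYN packets consumes no connection table entries; only an ACK carrying a valid, recent cookie creates a connection.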
Configuring the TCP buffer size
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure the size of TCP receive/send buffer. | tcp window window-size | The default buffer size is 64 KB.
Configuring TCP timers
You can configure the following TCP timers:
• SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response packet
is received within the SYN wait timer interval, TCP fails to establish the connection.
• FIN wait timer—TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN
packet is received within the timer interval, TCP terminates the connection. If a FIN packet is
received, TCP changes connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts
the timer, and tears down the connection when the timer expires.
To configure TCP timers:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure TCP timers. | Configure the TCP SYN wait timer: tcp timer syn-timeout time-value; configure the TCP FIN wait timer: tcp timer fin-timeout time-value | By default, the TCP SYN wait timer is 75 seconds and the TCP FIN wait timer is 675 seconds.










