R0106-HP MSR Router Series Layer 3 - IP Services Command Reference(V7)
229
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
Default
SYN Cookie is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,
and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection
is established.
An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number
of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server
establishes a large number of TCP semi-connections and cannot handle normal services.
SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it
responds to the request with a SYN ACK packet without establishing a TCP semi-connection.
The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK
packet from the sender.
Examples
# Enable SYN Cookie.
<Sysname> system-view
[Sysname] tcp syn-cookie enable
tcp timer fin-timeout
Use tcp timer fin-timeout to configure the TCP FIN wait timer.
Use undo tcp timer fin-timeout to restore the default.
Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout
Default
The TCP FIN wait timer is 675 seconds.
Views
System view