R0106-HP MSR Router Series Security Command Reference(V7)
TCP client verification supports the following modes:
• Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.
• SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.
Choose the TCP proxy mode that fits the network scenario:
• If packets from clients pass through the TCP proxy device, but packets from servers do not, specify
the safe reset mode.
• If packets from clients and servers both pass through the TCP proxy device, specify either safe reset
or SYN cookie.
To configure TCP client verification to collaborate with DNS flood attack prevention, specify
client-verify as the TCP flood attack prevention action. When the two features collaborate, the device,
upon detecting a TCP flood attack, adds the victim IP addresses to the protected IP list and verifies the
suspected sources.
You can use the display client-verify tcp protected ip command to display the protected IP list for TCP
client verification.
Examples
# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 2/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] client-verify tcp enable mode syn-cookie
Related commands
• client-verify tcp protected ip
• display client-verify tcp protected ip
display attack-defense flood statistics ip
Use display attack-defense flood statistics ip to display flood attack detection and prevention statistics for
a protected IPv4 address.
Syntax
MSR2000/MSR3000:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood
| syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface
interface-type interface-number | local ] [ count ]
MSR4000:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood
| syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface
interface-type interface-number | local ] [ slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ack-flood: Specifies ACK flood attack.