R0106-HP MSR Router Series Security Configuration Guide(V7)

451
Figure 138 TCP proxy in safe reset mode
TCP proxy in SYN cookie mode
As shown in Figure 139, SYN cookie mode requires two TCP connections to be established using the
following steps:
1. After receiving a SYN packet from a client to a protected server, the TCP proxy sends back a SYN
ACK packet with a window size of 0. If the client responds with an ACK packet, the client is verified
as legitimate, and the proxy device establishes a TCP connection with the client.
2. The TCP proxy device establishes a connection with the server through a new three-way
handshake that has a different window size. This connection uses a different sequence number
from the connection between the client and proxy device.
In SYN cookie mode, the TCP proxy acts as the server proxy that communicates with clients and as the
client proxy that communicates with the server. Choose this mode when the following requirements are met:
• The TCP proxy device is deployed on the key path that passes through the ingress and egress of the
protected server.
• All packets exchanged between clients and the server pass through the TCP proxy device.
Figure 139 TCP proxy in SYN cookie mode
[Figure: packet exchange among the TCP client, TCP proxy and TCP server; labels: (1) SYN, (2) SYN ACK (invalid sequence number), (3) RST, (4) SYN (retransmitting), (5) SYN (forwarding), (6) SYN ACK, (7) ACK, (8) ACK (forwarding)]
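The two-step SYN cookie exchange described above, as an added Python model that is not the guide's or HP's code: the proxy encodes a keyed cookie into the SYN ACK sequence number with window size 0, keeps no per-SYN state, and opens a separate server handshake with its own sequence number only after the client's ACK verifies. The addresses, ports and HMAC-based cookie construction are constructed assumptions for illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed model of a TCP proxy in SYN cookie mode (not vendor code). The proxy
# answers each client SYN with a SYN ACK whose sequence number is a keyed cookie and
# whose window is 0, so it stores nothing per SYN and the client cannot send data yet.
# Only a client that returns the matching ACK is treated as legitimate; only then is a
# separate handshake, with its own sequence number, opened toward the server.

def syn_cookie(secret, cip, cport, sip, sport, client_isn):
    """32-bit cookie bound to the connection 4-tuple and the client's ISN."""
    msg = f"{cip}:{cport}>{sip}:{sport}:{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

@dataclass
class SynCookieProxy:
    server: tuple                          # (ip, port) of the protected server
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    verified: set = field(default_factory=set)             # clients with a proven ACK
    server_handshakes: list = field(default_factory=list)  # connections opened to server

    def on_syn(self, cip, cport, client_isn):
        """Step 1: reply SYN ACK with the cookie as ISN and window size 0, keeping no state."""
        cookie = syn_cookie(self.secret, cip, cport, *self.server, client_isn)
        return {"flags": "SYN ACK", "seq": cookie,
                "ack": (client_isn + 1) & 0xFFFFFFFF, "win": 0}

    def on_ack(self, cip, cport, client_isn, ack):
        """Recompute the cookie and compare; on a match open the server-side
        connection (step 2) with an ISN unrelated to the client-side one."""
        cookie = syn_cookie(self.secret, cip, cport, *self.server, client_isn)
        if ack != (cookie + 1) & 0xFFFFFFFF:
            return False                   # spoofed, replayed or guessed ACK: drop it
        self.verified.add((cip, cport))
        self.server_handshakes.append({"client": (cip, cport),
                                       "proxy_isn": secrets.randbits(32)})
        return True

def demo():
    """One legitimate client, a spoofed SYN flood and a guessed ACK against one proxy."""
    proxy = SynCookieProxy(server=("10.0.0.5", 443))
    synack = proxy.on_syn("192.0.2.10", 40000, client_isn=1000)
    ok = proxy.on_ack("192.0.2.10", 40000, 1000, (synack["seq"] + 1) & 0xFFFFFFFF)
    for i in range(1000):                  # spoofed sources never answer the SYN ACK
        proxy.on_syn(f"203.0.113.{i % 250}", 1024 + i, client_isn=i)
    guessed = proxy.on_ack("203.0.113.7", 1031, 7, 12345)
    return ok, guessed, len(proxy.server_handshakes)
```

Only the one verified client results in a server-side handshake; the thousand unanswered SYNs leave no state behind on the proxy and never reach the server.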