3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Configuring Attack Prevention
By default, SYN Flood attack prevention is disabled. The max-rate keyword sets
the maximum rate of SYN packets allowed towards the protected address, in the
range 1 to 1,000,000; the default is 1000. When the tcp-proxy keyword is
configured, the TCP proxy starts automatically once a SYN Flood against the
protected host is detected and stops automatically once the attack subsides.
■ When configuring SYN Flood attack prevention, an IP-specific configuration
takes priority over a zone-wide one. If the function is enabled both for a
particular IP address and for all the IP addresses in the zone that address
belongs to, the IP-specific detection parameters are used; once the IP-specific
configuration is removed, the zone-wide parameters apply to that address again.
■ The SYN Flood attack prevention function can protect at most 1,000 IP
addresses at the same time.
■ To prevent (rather than merely detect) SYN Flood attacks, TCP proxy must be
enabled with the tcp-proxy keyword.
CAUTION: All three of the following steps are required for SYN Flood attack
prevention to take effect:
■ Enable the inbound IP statistics function in the protected zone (or in the
zone where the protected IP address is located);
■ Enable the SYN Flood attack prevention function;
■ Configure SYN Flood attack prevention for the specific IP address or zone to
be protected.
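The precedence rule and the automatic start and stop of TCP proxy described in the notes above, as an added example in Python; this is an illustration written for this page, not code from the firewall module. It models the manual's stated parameters (max-rate default 1000, valid range 1 to 1,000,000, at most 1,000 protected addresses, IP-specific entry beating the zone-wide entry, zone-wide entry taking over once the IP-specific one is removed, proxy engaging only where tcp-proxy is configured). The CIDR-based zone membership, the SynFloodPolicy class and the per-second SYN counters fed to it are assumptions made for this example.

```python
"""SYN Flood policy model: parameter precedence and automatic TCP proxy.

Added illustration, not code from the firewall module. The CIDR-based zone
membership and the per-second SYN counters are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MAX_RATE_DEFAULT = 1000          # default max-rate (from the manual)
MAX_RATE_RANGE = (1, 1_000_000)  # valid max-rate range (from the manual)
MAX_PROTECTED_IPS = 1000         # protection limit (from the manual)


@dataclass
class SynFloodEntry:
    max_rate: int = MAX_RATE_DEFAULT
    tcp_proxy: bool = False


class SynFloodPolicy:
    def __init__(self) -> None:
        self.ip_entries: Dict[str, SynFloodEntry] = {}
        self.zone_entries: Dict[str, SynFloodEntry] = {}
        self.zone_members: Dict[str, list] = {}   # zone name -> networks (assumed model)
        self.proxy_active: Dict[str, bool] = {}   # protected address -> proxy running?

    def add_zone(self, zone: str, cidrs: List[str]) -> None:
        self.zone_members[zone] = [ip_network(c) for c in cidrs]

    @staticmethod
    def _checked_rate(rate: int) -> int:
        lo, hi = MAX_RATE_RANGE
        if not lo <= rate <= hi:
            raise ValueError(f"max-rate {rate} outside {lo}..{hi}")
        return rate

    # firewall defend syn-flood ip <ip> [ max-rate N ] [ tcp-proxy ]
    def defend_ip(self, ip: str, max_rate: int = MAX_RATE_DEFAULT, tcp_proxy: bool = False) -> None:
        key = str(ip_address(ip))
        if key not in self.ip_entries and len(self.ip_entries) >= MAX_PROTECTED_IPS:
            raise RuntimeError("SYN Flood prevention protects at most 1,000 addresses")
        self.ip_entries[key] = SynFloodEntry(self._checked_rate(max_rate), tcp_proxy)

    # undo firewall defend syn-flood ip <ip>
    def undo_defend_ip(self, ip: str) -> None:
        self.ip_entries.pop(str(ip_address(ip)), None)

    # firewall defend syn-flood zone <zone> [ max-rate N ] [ tcp-proxy ]
    def defend_zone(self, zone: str, max_rate: int = MAX_RATE_DEFAULT, tcp_proxy: bool = False) -> None:
        self.zone_entries[zone] = SynFloodEntry(self._checked_rate(max_rate), tcp_proxy)

    def zone_of(self, ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for zone, nets in self.zone_members.items():
            if any(addr in n for n in nets):
                return zone
        return None

    def effective(self, ip: str) -> Optional[Tuple[str, SynFloodEntry]]:
        """Parameters governing ip: an ('ip', entry) beats a ('zone', entry)."""
        key = str(ip_address(ip))
        if key in self.ip_entries:
            return ("ip", self.ip_entries[key])
        zone = self.zone_of(key)
        if zone is not None and zone in self.zone_entries:
            return ("zone", self.zone_entries[zone])
        return None

    def observe(self, ip: str, syn_per_second: int) -> Tuple[Optional[str], bool, bool]:
        """Feed one per-second SYN count towards ip (constructed sample data).

        Returns (scope, attack_detected, proxy_active). Without tcp-proxy the
        flood is only detected; with it the proxy starts and stops by itself.
        """
        key = str(ip_address(ip))
        governing = self.effective(key)
        if governing is None:
            self.proxy_active.pop(key, None)
            return (None, False, False)
        scope, entry = governing
        attack = syn_per_second > entry.max_rate
        self.proxy_active[key] = attack and entry.tcp_proxy
        return (scope, attack, self.proxy_active[key])
```

Configure a zone-wide entry with a low max-rate and an IP-specific entry with a higher one, then feed the same SYN rate to both an address covered by the IP entry and one covered only by the zone entry: the first is reported normal, the second triggers the proxy; removing the IP-specific entry makes the zone-wide parameters govern that address again.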
Enabling/disabling TCP proxy
TCP proxy protects a target host, or all hosts in a target security zone, from
SYN Flood attacks. Before a TCP connection to the protected host can be
established, the outside host must first complete the three-way handshake with
the firewall, which answers on the protected host's behalf. If the handshake is
not completed, the outside host cannot establish the connection, and the
protected host never sees the half-open connection. This effectively blocks
SYN Flood attacks against the internal hosts.
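The handshake-with-the-firewall behaviour described above, as an added Python example; this is an illustration written for this page, not the firewall module's implementation. The firewall answers each inbound SYN with a SYN-ACK whose initial sequence number is a keyed cookie over the connection 4-tuple and a time slot, so it keeps no state per SYN; only an ACK that acknowledges that cookie proves the outside host completed the three-way handshake, and only then is the protected host told about the connection. The segment format, the HMAC cookie construction, the one-minute cookie window, the ProtectedHost/SynProxyFirewall classes and the sample traffic (a spoofed flood, two real clients, one forged ACK) are all assumptions made for this example.

```python
"""TCP proxy (SYN proxy) handshake model for SYN Flood protection.

Added illustration, not code from the firewall module. Message format, cookie
construction and sample traffic are assumptions made for this example.
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEQ_MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit
SERVER = ("10.1.1.10", 80)   # constructed protected host address


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class ProtectedHost:
    """Internal server; in this model it only learns of completed handshakes."""
    def __init__(self) -> None:
        self.established: List[Tuple[str, int]] = []

    def accept(self, client: Tuple[str, int]) -> None:
        self.established.append(client)


class SynProxyFirewall:
    def __init__(self, host: ProtectedHost, secret: Optional[bytes] = None) -> None:
        self.host = host
        self.secret = secret or os.urandom(16)
        self.synacks_sent = 0
        self.bad_acks = 0

    def _cookie(self, seg: Segment, slot: int) -> int:
        # Keyed over the 4-tuple and time slot: nothing is stored per SYN.
        msg = f"{seg.src}:{seg.sport}:{seg.dst}:{seg.dport}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_segment(self, seg: Segment, now: float) -> Optional[Segment]:
        slot = int(now) // 60     # cookie validity window of about one minute
        if seg.flags == "SYN":
            # Answer on behalf of the protected host; it is not contacted yet.
            self.synacks_sent += 1
            isn = self._cookie(seg, slot)
            return Segment(seg.dst, seg.dport, seg.src, seg.sport,
                           "SYN-ACK", isn, (seg.seq + 1) & SEQ_MASK)
        if seg.flags == "ACK":
            # The ACK carries the same client->server 4-tuple as the SYN,
            # so the cookie can be recomputed; it must acknowledge ISN + 1.
            expected = (seg.ack - 1) & SEQ_MASK
            for s in (slot, slot - 1):
                if self._cookie(seg, s) == expected:
                    self.host.accept((seg.src, seg.sport))   # handshake proven
                    return None
            self.bad_acks += 1
        return None


def legitimate_client(fw: SynProxyFirewall, src: str, sport: int, now: float) -> bool:
    """Real client: completes the handshake with the firewall, then is admitted."""
    isn = random.getrandbits(32)
    synack = fw.on_segment(Segment(src, sport, *SERVER, "SYN", isn), now)
    if synack is None or synack.flags != "SYN-ACK":
        return False
    ack = Segment(src, sport, *SERVER, "ACK", (isn + 1) & SEQ_MASK, (synack.seq + 1) & SEQ_MASK)
    fw.on_segment(ack, now)
    return (src, sport) in fw.host.established


def spoofed_flood(fw: SynProxyFirewall, count: int, now: float) -> None:
    """Attacker: SYNs from forged sources that never answer the SYN-ACK."""
    for i in range(count):
        src = f"203.0.113.{i % 254 + 1}"
        fw.on_segment(Segment(src, 1024 + i, *SERVER, "SYN", random.getrandbits(32)), now)


def forged_ack(fw: SynProxyFirewall, src: str, sport: int, now: float) -> bool:
    """An ACK that does not acknowledge a valid cookie is dropped; True if dropped."""
    before = len(fw.host.established)
    fw.on_segment(Segment(src, sport, *SERVER, "ACK", 1, 12345), now)
    return len(fw.host.established) == before
```

After thousands of spoofed SYNs the protected host's connection list is still empty, because the firewall answered every one of them without involving the host; the two real clients, whose ACKs carry the cookie back, are the only connections the host ever sees, and an ACK with a made-up acknowledgment number is counted as bad and dropped.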
Table 159 Configuring the SYN Flood attack prevention function

Operation: Enable SYN Flood attack prevention for an IP address
Command:   firewall defend syn-flood ip ip-address [ max-rate rate-number ] [ tcp-proxy ]

Operation: Enable SYN Flood attack prevention for all the IP addresses in a zone
Command:   firewall defend syn-flood zone zone-name [ max-rate rate-number ] [ tcp-proxy ]

Operation: Disable SYN Flood attack prevention for a specific IP address
Command:   undo firewall defend syn-flood ip ip-address [ max-rate ] [ tcp-proxy ]

Operation: Disable SYN Flood attack prevention for all IP addresses
Command:   undo firewall defend syn-flood ip

Operation: Disable SYN Flood attack prevention for all the IP addresses in a zone
Command:   undo firewall defend syn-flood zone zone-name [ max-rate ] [ tcp-proxy ]

Operation: Disable SYN Flood attack prevention for the IP addresses in all zones
Command:   undo firewall defend syn-flood zone

Operation: Disable all SYN Flood attack prevention functions
Command:   undo firewall defend syn-flood