EasyManua.ls Logo

HP 5120 SI Series

HP 5120 SI Series
385 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
289
NOTE:
W
ith the SYN Cookie feature enabled, only the maximum se
g
ment size (MSS), is ne
g
otiated durin
g
TCP
connection establishment, instead of the window's zoom factor and timestamp.
Enabling protection against Naptha attacks
Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the
six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and
SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.
Naptha attackers control a huge amount of hosts to establish TCP connections with the server, keep these
connections in the same state (any of the six), and request for no data so as to exhaust the memory
resource of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections
in a state. After the feature is enabled, the device (serving as a TCP server) periodically checks the
number of TCP connections in each state. If the device detects that the number of TCP connections in a
state exceeds the maximum number, it considers that a Naptha attack occurs and accelerates the aging
of TCP connections in this state. The device will stop accelerating the aging of TCP connections when the
number of TCP connections in the state is less than 80% of the maximum number (1 at least).
Follow these steps to enable the protection against Naptha attack:
To do... Use the command... Remarks
Enter system view system-view —
Enable the protection against
Naptha attack
tcp anti-naptha enable
Required
Disabled by default.
Configure the maximum
number of TCP connections in
a state
tcp state { closing | established |
fin-wait-1 | fin-wait-2 | last-ack |
syn-received } connection-number
number
Optional
5 by default.
If the maximum number of TCP
connections in a state is 0, the aging
of TCP connections in this state will
not be accelerated.
Configure the TCP state check
interval
tcp timer check-state timer-value
Optional
30 seconds by default.
Displaying and maintaining TCP attack protection
To do… Use the command… Remarks
Display current TCP connection state
display tcp status [ | { begin | exclude |
include } regular-expression ]
Available in any view

Table of Contents

Other manuals for HP 5120 SI Series

Preview: Command Reference
Command Reference395 pages
Preview: Specification
Specification33 pages

Related product manuals