Parameters
mode: Specifies a working mode for the TCP client verification function. If you do not specify this keyword,
the SYN cookie mode is used.
syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled.
safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled.
Usage guidelines
Enable TCP client verification on the interface that connects to the external network to check incoming
packets. This function protects internal TCP servers against TCP flood attacks, including SYN flood attacks,
SYN-ACK flood attacks, RST flood attacks, FIN flood attacks, and ACK flood attacks.
TCP client verification supports the following modes:
• Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.
• SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.
Choose a TCP proxy mode according to the network scenario:
• If packets from clients pass through the TCP proxy device, but packets from servers do not, specify
the safe reset mode.
• If packets from clients and servers both pass through the TCP proxy device, specify either safe reset
or SYN cookie.
To configure TCP client verification to collaborate with DNS flood attack prevention, specify
client-verify as the TCP flood attack prevention action. In collaboration, upon detecting a TCP flood
attack, the device adds the victim IP addresses to the protected IP list and verifies the suspected sources.
You can use the display client-verify tcp protected ip command to display the protected IP list for TCP
client verification.
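The following is an added illustration of the stateless verification that SYN cookie mode relies on; it is not code from the manual or from the device, and the exact bit layout, secret and addresses are constructed for the demo. The proxy answers a SYN with a cookie-derived initial sequence number instead of allocating a connection, and only a client that returns that cookie in its final ACK is treated as verified and proxied through to the server.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; a real device rotates this periodically
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values encodable in the 2-bit field

def _mac(saddr, sport, daddr, dport, count):
    """Keyed hash binding the cookie to the 4-tuple and a coarse time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """ISN the proxy places in its SYN-ACK (no per-connection state is kept).
    Layout (constructed): bits 31-27 minute counter, 26-25 MSS index, 24-0 MAC."""
    count = (now // 60) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = (_mac(saddr, sport, daddr, dport, count) + client_isn) & 0x1FFFFFF
    return (count << 27) | (mss_idx << 25) | mac

def check_cookie(saddr, sport, daddr, dport, client_isn, ack, now):
    """Validate the ACK that completes the handshake.
    Returns the negotiated MSS for a verified client, or None (stale or forged)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count = cookie >> 27
    if ((now // 60) - count) & 0x1F > 1:      # cookie older than about two minutes
        return None
    expected = (_mac(saddr, sport, daddr, dport, count) + client_isn) & 0x1FFFFFF
    if cookie & 0x1FFFFFF != expected:        # wrong secret, tuple or tampered value
        return None
    return MSS_TABLE[(cookie >> 25) & 0x3]

if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 192.0.2.10:80
    now = 1_700_000_000
    isn = make_cookie("198.51.100.7", 40000, "192.0.2.10", 80, 1000, 1460, now)
    print("client verified, MSS", check_cookie("198.51.100.7", 40000, "192.0.2.10", 80, 1000, isn + 1, now))
    # A SYN flood never completes the handshake, so nothing was allocated for it;
    # a spoofed or replayed ACK fails validation:
    print("stale ACK ->", check_cookie("198.51.100.7", 40000, "192.0.2.10", 80, 1000, isn + 1, now + 180))
```

Because the device must rewrite sequence numbers between the cookie it chose and the ISN the real server later picks, it needs to see both directions of traffic, which is why the manual ties this mode to bidirectional TCP proxy.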
Examples
# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 2/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/1/1
[Sysname-GigabitEthernet2/1/1] client-verify tcp enable mode syn-cookie
Related commands
• client-verify tcp protected ip
• display client-verify tcp protected ip
display attack-defense flood statistics ip
Use display attack-defense flood statistics ip to display flood attack detection and prevention statistics for
a protected IPv4 address.
Syntax
MSR1000/MSR2000/MSR3000:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood
| syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface
interface-type interface-number | local ] [ count ]
MSR4000: