HPE 5920 series

319 pages
Predefined user roles
network-admin
Usage guidelines
A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED
state, and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP
connection is established.
An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large
number of SYN packets but does not respond to the SYN ACK packets from the server. As a
result, the server establishes a large number of TCP semi-connections and cannot handle normal
services.
SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet,
it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.
The server establishes a TCP connection and enters ESTABLISHED state only when it receives an
ACK packet from the sender.
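The stateless reply described above can be sketched as follows. This is an added illustration, not HPE's implementation: the cookie layout, SECRET, MSS_TABLE, SLOT and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"     # constructed; real stacks use a random, rotated secret
MSS_TABLE = (536, 1300, 1440, 1460)  # assumed table; 2 cookie bits select an entry
SLOT = 64                            # assumed time-slot length in seconds

def _mac24(conn, client_isn, counter, mss_idx):
    """24-bit keyed hash over the 4-tuple, client ISN, time slot and MSS index."""
    msg = repr((conn, client_isn, counter, mss_idx)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(conn, client_isn, mss, now):
    """Sequence number for the SYN ACK. No per-connection state is stored."""
    counter = int(now) // SLOT
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac24(conn, client_isn, counter, mss_idx), "big")
    return (mac << 8) | ((counter & 0x3F) << 2) | mss_idx

def check_ack(conn, seq, ack, now):
    """Validate the final ACK. Returns the negotiated MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF      # the ACK acknowledges cookie + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # the client's SYN consumed one sequence number
    mss_idx, slot_bits = cookie & 0x3, (cookie >> 2) & 0x3F
    current = int(now) // SLOT
    for counter in (current, current - 1):  # accept the current and previous slot only
        if counter & 0x3F != slot_bits:
            continue
        expected = _mac24(conn, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected, (cookie >> 8).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]       # only now is a connection created
    return None

if __name__ == "__main__":
    conn = ("192.0.2.10", 40000, "198.51.100.1", 443)  # constructed 4-tuple
    c = make_cookie(conn, 1000, 1460, 1_700_000_000)
    print(check_ack(conn, 1001, c + 1, 1_700_000_005))
```

A SYN that is never followed by a valid ACK costs the server one hash computation and one reply packet, and no semi-connection entry.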
Examples
# Enable SYN Cookie.
<Sysname> system-view
[Sysname] tcp syn-cookie enable
tcp timer fin-timeout
Use tcp timer fin-timeout to configure the TCP FIN wait timer.
Use undo tcp timer fin-timeout to restore the default.
Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout
Default
The TCP FIN wait timer is 675 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time-value: Specifies the TCP FIN wait timer in the range of 76 to 3600 seconds.
Usage guidelines
TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN packet is received
within the timer interval, the TCP connection is terminated.
If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is
received, TCP restarts the timer and tears down the connection when the timer expires.
