After you disable TCP path MTU discovery, the system stops all path MTU timers. TCP
connections established later do not detect the path MTU, but TCP connections established
earlier can still detect the path MTU.
Examples
# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.
<Sysname> system-view
[Sysname] tcp path-mtu-discovery aging 20
tcp syn-cookie enable
Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.
Use undo tcp syn-cookie enable to disable SYN Cookie.
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
Default
SYN Cookie is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED
state, and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP
connection is established.
An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large
number of SYN packets but does not respond to the SYN ACK packets from the server. As a
result, the server establishes a large number of TCP semi-connections and cannot handle normal
services.
SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet,
it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.
The server establishes a TCP connection and enters ESTABLISHED state only when it receives an
ACK packet from the sender.
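How a server can reply to a SYN without creating a semi-connection, shown as an added Python sketch that is not part of this manual and not the device's implementation. The cookie layout (6-bit time slot, 2-bit MSS index, 24-bit HMAC), the key, the MSS table, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random secret
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; a 2-bit index rides in the cookie
SLOT_SECONDS = 64                     # assumed length of one time slot
MAX_AGE_SLOTS = 2                     # assumed lifetime of a cookie, in slots


def _mac(src, sport, dst, dport, client_isn, slot, idx):
    """24-bit keyed hash binding the cookie to one 4-tuple, client ISN, slot and MSS."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIIB", sport, dport, client_isn, slot, idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """On SYN: return the sequence number for the SYN ACK. No state is stored."""
    slot = int(now) // SLOT_SECONDS
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac(src, sport, dst, dport, client_isn, slot, idx), "big")
    return ((slot & 0x3F) << 26) | (idx << 24) | mac


def check_cookie(src, sport, dst, dport, seq, ack, now):
    """On ACK: return the MSS to use if the cookie is valid, otherwise None."""
    cookie = (ack - 1) & 0xFFFFFFFF       # the ACK acknowledges server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF   # the ACK carries client ISN + 1
    idx = (cookie >> 24) & 0x3
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    now_slot = int(now) // SLOT_SECONDS
    for slot in range(now_slot, max(now_slot - MAX_AGE_SLOTS, 0) - 1, -1):
        if (slot & 0x3F) != cookie >> 26:
            continue                      # cookie was not issued in this slot
        want = _mac(src, sport, dst, dport, client_isn, slot, idx)
        if hmac.compare_digest(want, got):
            return MSS_TABLE[idx]         # only now is a connection allocated
    return None                           # forged, expired, or for another 4-tuple
```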
Examples
# Enable SYN Cookie.
<Sysname> system-view
[Sysname] tcp syn-cookie enable
tcp timer fin-timeout
Use tcp timer fin-timeout to set the TCP FIN wait timer.