Enabling SYN Cookie
About SYN Cookie
A TCP connection is established through a three-way handshake. An attacker can exploit this
mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, often from
spoofed source addresses, but never responds to the SYN ACK packets from the server. As a result, the
server accumulates a large number of TCP semi-connections (half-open connections), exhausts the
resources reserved for them, and can no longer serve legitimate clients.
SYN Cookie protects the server from SYN Flood attacks. When the server receives a SYN packet, it
responds with a SYN ACK packet whose initial sequence number encodes the connection information,
without creating a TCP semi-connection. Only when it receives an ACK packet from the client that
carries a valid cookie does the server establish the TCP connection and enter ESTABLISHED state.
Because no state is kept for unanswered SYN packets, a flood of them cannot exhaust the semi-connection
table.
Procedure
1. Enter system view.
system-view
2. Enable SYN Cookie.
tcp syn-cookie enable
By default, SYN Cookie is disabled.
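The following Python program shows the mechanism described above in working code. It is an added illustration, not the device's implementation: the server derives its SYN ACK initial sequence number (ISN) from a keyed hash over the connection 4-tuple and a coarse time counter, stores nothing, and later checks the client's ACK by recomputing that hash. The secret, cookie layout, tick size and MSS table are assumptions chosen for the example; the addresses, ports and timestamps are constructed.

```python
"""Toy SYN cookie: the server encodes what it needs into the SYN ACK's
initial sequence number (ISN) instead of keeping a half-open entry, then
recovers and checks it from the client's final ACK.

Added example, not the device's implementation. Layout, secret, tick size
and MSS table are assumptions chosen for the illustration."""
import hashlib
import hmac
import socket
import struct

SECRET = b"example-per-boot-secret"   # assumed: a real stack rotates this
TICK = 64                              # assumed: seconds per time-counter step
MAX_AGE_TICKS = 2                      # cookies older than this are rejected
MSS_TABLE = (536, 1220, 1440, 1460)    # assumed: 2-bit MSS index, as in classic schemes

# cookie layout (32 bits): [5 bits: count mod 32][2 bits: MSS index][25 bits: MAC]
COUNT_BITS, MSS_BITS, MAC_BITS = 5, 2, 25
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(saddr, daddr, sport, dport, count):
    """Keyed hash over the connection 4-tuple and the time counter."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHI", sport, dport, count))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & MAC_MASK


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Server side: compute the ISN to send in the SYN ACK for an incoming SYN.
    Nothing about this SYN is stored, so a flood of SYNs costs only CPU."""
    count = int(now) // TICK
    # largest table MSS that does not exceed what the client offered
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac(saddr, daddr, sport, dport, count)
    return ((count & ((1 << COUNT_BITS) - 1)) << (MSS_BITS + MAC_BITS)
            | mss_idx << MAC_BITS
            | mac)


def check_syn_cookie(saddr, daddr, sport, dport, ack_num, now):
    """Server side: validate the final ACK of the handshake. Returns the
    negotiated MSS when the cookie is genuine and fresh, else None (drop)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client ACKs ISN + 1
    count_low = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & MAC_MASK
    cur = int(now) // TICK
    for age in range(MAX_AGE_TICKS + 1):
        cand = cur - age
        if cand < 0 or (cand & ((1 << COUNT_BITS) - 1)) != count_low:
            continue                              # not a counter value we still accept
        expected = _mac(saddr, daddr, sport, dport, cand)
        if hmac.compare_digest(struct.pack("!I", mac), struct.pack("!I", expected)):
            return MSS_TABLE[mss_idx]
    return None                                   # forged, stale, or wrong 4-tuple


def demo():
    """Constructed handshake: genuine ACK, attacker's guessed ACK, stale ACK."""
    s, d, sp, dp = "203.0.113.7", "198.51.100.1", 40000, 443
    t0 = 1_700_000_000
    isn = make_syn_cookie(s, d, sp, dp, client_mss=1460, now=t0)
    genuine = check_syn_cookie(s, d, sp, dp, isn + 1, now=t0 + 30)
    guessed = check_syn_cookie(s, d, sp, dp, 0xA0000001, now=t0 + 30)
    stale = check_syn_cookie(s, d, sp, dp, isn + 1, now=t0 + 10 * TICK)
    return genuine, guessed, stale


if __name__ == "__main__":
    print(demo())
```

The genuine ACK yields the MSS the cookie encoded, while an ACK with a guessed acknowledgment number or one arriving after the acceptance window is dropped without any lookup, which is exactly why no semi-connection table is needed. The trade-off a practitioner should keep in mind: only what fits in the 32-bit ISN survives, so options the client offered in its SYN (other than the MSS class) are not remembered for cookie-established connections.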
Setting the TCP buffer size
1. Enter system view.
system-view
2. Set the size of the TCP receive/send buffer.
tcp window window-size
By default, the buffer size is 63 KB.
Setting TCP timers
About TCP timers
You can set the following TCP timers:
• SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response is
received before the timer expires, or the upper limit on TCP connection attempts is reached, TCP
gives up and fails to establish the connection.
• FIN wait timer—TCP starts the FIN wait timer when TCP changes the connection state to
FIN_WAIT_2. If no FIN packet is received within the timer interval, TCP terminates the
connection. If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a
non-FIN packet is received, TCP restarts the timer, and tears down the connection when the
timer expires.
Procedure
1. Enter system view.
system-view
2. Set the TCP SYN wait timer.
tcp timer syn-timeout time-value
By default, the TCP SYN wait timer is 75 seconds.
3. Set the TCP FIN wait timer.