EasyManuals Logo

HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #440 background imageLoading...
Page #440 background image
427
Configuring TCP attack protection
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent
such attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
This chapter describes the attacks that these features can prevent, working mechanisms of these
features, and configuration procedures.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three handshakes:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a
response.
3. After receiving the SYN ACK message, the originator returns an ACK message, establishing
the TCP connection.
Attackers might mount SYN Flood attacks during TCP connection establishment. They send a large
number of SYN messages to the server to establish TCP connections, but they never make any
response to SYN ACK messages. As a result, a large number of incomplete TCP connections are
established, resulting in heavy resource consumption and making the server unable to handle
services correctly.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request,
the server directly returns a SYN ACK message, instead of establishing an incomplete TCP
connection. Only after receiving an ACK message from the client can the server establish a
connection, and then enter ESTABLISHED state. In this way, incomplete TCP connections could be
avoided to protect the server against SYN Flood attacks.
To enable the SYN Cookie feature:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable the SYN Cookie
feature.
tcp syn-cookie enable
Enabled by default.
If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective.
Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration
automatically becomes effective. For more information about MD5 authentication, see HPE
FlexNetwork MSR Router Series Comware 5 Layer 3
—
IP Routing Configuration Guide.
With the SYN Cookie feature enabled, only the maximum segment size (MSS), is negotiated during
TCP connection establishment, instead of the window's zoom factor and timestamp.

Table of Contents

Other manuals for HPE FlexNetwork MSR Series

Preview: Configuration Guide
Configuration Guide861 pages
Preview: Comware 7 Layer 3 - Ip Services Configuration Guides
Comware 7 Layer 3 - Ip Services Configuration Guides554 pages
Preview: Guide
Guide213 pages
Preview: Command Reference
Command Reference120 pages
Preview: Comware 5 Layer 2 - Wan Access Configuration Guide
Comware 5 Layer 2 - Wan Access Configuration Guide420 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the HPE FlexNetwork MSR Series and is the answer not in the manual?

HPE FlexNetwork MSR Series Specifications

General IconGeneral
BrandHPE
ModelFlexNetwork MSR Series
CategoryNetwork Router
LanguageEnglish

Related product manuals