Enabling Protection Against Naptha Attacks - H3C S5120-SI Series Configuration Manual

To enable the SYN Cookie feature:

Step 1: Enter system view
    Command: system-view

Step 2: Enable the SYN Cookie feature
    Command: tcp syn-cookie enable
    Remarks: Required. Disabled by default.

When you enable the SYN Cookie feature, it does not take effect while MD5 authentication is enabled. If you then disable MD5 authentication, the SYN Cookie feature becomes active automatically.
With the SYN Cookie feature enabled, only the MSS is negotiated during TCP connection establishment; the window scale factor and the timestamp option are not.

Enabling protection against Naptha attacks

Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using any of six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state.
Naptha attackers control a huge number of hosts that establish TCP connections with the server. They keep these connections in the same state (any of the six) and request no data, so as to exhaust the memory resources of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP connections in a state. After the feature is enabled, the device periodically checks the number of TCP connections in each state. If the number of TCP connections in a state exceeds the configured maximum, the device accelerates the aging of TCP connections in that state.
Follow these steps to enable protection against Naptha attacks:

Step 1: Enter system view
    Command: system-view

Step 2: Enable the protection against Naptha attacks
    Command: tcp anti-naptha enable
    Remarks: Required. Disabled by default.

Step 3: Configure the maximum number of TCP connections in a state
    Command: tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
    Remarks: Optional. 5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state is not accelerated.

Step 4: Configure the TCP state check interval
    Command: tcp timer check-state timer-value
    Remarks: Optional. 30 seconds by default.
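The check described above (count connections per state every check interval, and age a state's connections faster once its count exceeds the configured maximum, with a maximum of 0 switching acceleration off for that state) is small enough to simulate. The following is an added illustration written for this page, not H3C code and not the switch's implementation: it runs the per-state check over a constructed connection table. The `NORMAL_TIMEOUT` and `ACCELERATED_TIMEOUT` values are assumptions, since the manual only says that aging is "accelerated" and does not give the timers; the defaults of 5 connections and 30 seconds and the six state names come from the commands above.

```python
"""Simulation of the periodic anti-Naptha state check described in the manual.

Added illustration, not H3C code: it models the behaviour the text describes
(per-state count on each check, accelerated aging above the configured
maximum, maximum 0 disabling acceleration) over a constructed connection
table.  NORMAL_TIMEOUT and ACCELERATED_TIMEOUT are assumed values; the manual
does not state the aging times the switch actually uses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six states accepted by "tcp state <state> connection-number <number>".
NAPTHA_STATES = ("CLOSING", "ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2",
                 "LAST_ACK", "SYN_RECEIVED")

NORMAL_TIMEOUT = 600        # assumed idle timeout (s) while a state is within its limit
ACCELERATED_TIMEOUT = 60    # assumed shortened timeout (s) once a state is over its limit


@dataclass
class TcpConnection:
    peer: str
    state: str
    idle_seconds: int       # seconds since the peer last sent anything


@dataclass
class AntiNapthaConfig:
    enabled: bool = False               # tcp anti-naptha enable (disabled by default)
    check_interval: int = 30            # tcp timer check-state: seconds between run_check() passes
    # tcp state <state> connection-number <number>: 5 by default for every state
    max_per_state: Dict[str, int] = field(
        default_factory=lambda: {s: 5 for s in NAPTHA_STATES})


def count_by_state(conns: List[TcpConnection]) -> Dict[str, int]:
    """Number of connections currently in each of the six monitored states."""
    counts = {s: 0 for s in NAPTHA_STATES}
    for c in conns:
        if c.state in counts:
            counts[c.state] += 1
    return counts


def over_limit_states(conns: List[TcpConnection], cfg: AntiNapthaConfig) -> List[str]:
    """States whose connection count exceeds the configured maximum."""
    hot = []
    for state, n in count_by_state(conns).items():
        limit = cfg.max_per_state.get(state, 0)
        if limit == 0:          # a maximum of 0 means: never accelerate aging for this state
            continue
        if n > limit:
            hot.append(state)
    return hot


def run_check(conns: List[TcpConnection],
              cfg: AntiNapthaConfig) -> Tuple[List[TcpConnection], List[str]]:
    """One pass of the periodic check: returns (surviving connections, accelerated states)."""
    hot = over_limit_states(conns, cfg) if cfg.enabled else []
    survivors = []
    for c in conns:
        timeout = ACCELERATED_TIMEOUT if c.state in hot else NORMAL_TIMEOUT
        if c.idle_seconds < timeout:
            survivors.append(c)
    return survivors, hot


def sample_connections() -> List[TcpConnection]:
    """Constructed table: eight idle half-closed peers plus three ordinary connections."""
    conns = [TcpConnection(f"198.51.100.{i}", "FIN_WAIT_2", 120) for i in range(1, 9)]
    conns += [TcpConnection("203.0.113.10", "ESTABLISHED", 300),
              TcpConnection("203.0.113.11", "ESTABLISHED", 20),
              TcpConnection("203.0.113.12", "SYN_RECEIVED", 900)]
    return conns


if __name__ == "__main__":
    table = sample_connections()
    for label, cfg in (("anti-naptha disabled", AntiNapthaConfig(enabled=False)),
                       ("anti-naptha enabled", AntiNapthaConfig(enabled=True))):
        survivors, hot = run_check(table, cfg)
        print(f"{label}: {len(table)} -> {len(survivors)} connections, "
              f"accelerated states: {hot}")
```

With the feature disabled only the long-idle SYN_RECEIVED entry ages out; with it enabled the eight FIN_WAIT_2 connections exceed the default maximum of 5 and are aged on the shorter timer, while the two ESTABLISHED connections, whose state is within its limit, are untouched. Setting the FIN_WAIT_2 maximum to 0 in the config reproduces the manual's remark that acceleration is then switched off for that state.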
