• Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.
• SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.
Choose a TCP proxy mode according to the network scenarios.
• If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode.
• If packets from clients and servers both pass through the TCP proxy device, specify either safe reset or SYN cookie.
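The following added example (not part of the original manual and not the device's own algorithm) models why SYN cookie mode needs server-to-client packets to cross the proxy. It assumes the usual SYN cookie proxy design, in which the proxy answers the client with a keyed-hash sequence number and then shifts server sequence numbers to match; the key, addresses, ISNs and function names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed key, not a device value
MOD = 2 ** 32                          # TCP sequence numbers wrap at 32 bits

def cookie_isn(src, sport, dst, dport, client_isn):
    """ISN the proxy puts in its SYN-ACK: a keyed hash of the connection,
    so the proxy keeps no per-connection state until the client answers."""
    msg = f"{src}:{sport}>{dst}:{dport}#{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def client_verified(src, sport, dst, dport, client_isn, ack):
    """A real client echoes cookie+1 in its ACK; a spoofed source never saw the cookie."""
    return ack == (cookie_isn(src, sport, dst, dport, client_isn) + 1) % MOD

def seq_seen_by_client(server_seq, cookie, server_isn, via_proxy):
    """Server-to-client sequence number as it arrives at the client.
    The proxy shifts it by (cookie - server_isn); a packet that bypasses
    the proxy arrives unshifted."""
    delta = (cookie - server_isn) % MOD
    return (server_seq + delta) % MOD if via_proxy else server_seq

def handshake_and_first_segment(server_path_via_proxy):
    """Return True if the client accepts the server's first segment."""
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)   # constructed addresses
    client_isn, server_isn = 1000, 5000                    # constructed ISNs
    cookie = cookie_isn(*conn, client_isn)
    assert client_verified(*conn, client_isn, (cookie + 1) % MOD)
    expected = (cookie + 1) % MOD      # next sequence number the client expects
    seen = seq_seen_by_client((server_isn + 1) % MOD, cookie, server_isn,
                              server_path_via_proxy)
    return seen == expected

if __name__ == "__main__":
    print("server replies via proxy  :", handshake_and_first_segment(True))
    print("server replies bypass it  :", handshake_and_first_segment(False))
```

With server replies bypassing the proxy, the client sees sequence numbers it never agreed to, which is the situation the first selection rule above avoids by using safe reset.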
Examples
# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] client-verify tcp enable mode syn-cookie
Related commands
client-verify tcp protected ip
display client-verify tcp protected ip
display attack-defense flood statistics ip
Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics.
Syntax
Centralized devices in standalone mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ]
Distributed devices in standalone mode/centralized devices in IRF mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]
Distributed devices in IRF mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.