Example: Configuring transport layer attack protection

Network configuration

As shown in Figure 4, the device is the gateway for the internal network. Configure SYN Cookie protection on the device to protect against SYN flood attacks. With this feature enabled, the device responds to a SYN packet with a SYN ACK packet without establishing a TCP semi-connection, so a flood of SYN packets that are never followed by an ACK cannot fill the semi-connection table. The device establishes a TCP connection only when it receives an ACK packet from the sender.

Figure 4 Network diagram
(Figure not reproduced. Labels in the figure: Switch, Device, Network.)

Software versions used

This configuration example was created and verified on Release 3606.

By default, interfaces on the device are disabled (in ADM or Administratively Down state). To have an interface operate, you must use the undo shutdown command to enable that interface.

Procedures

# Specify IP addresses for interfaces. (Details not shown.)
# Enable SYN Cookie.
<Device> system-view
[Device] tcp syn-cookie enable

Verifying the configuration

# Verify that the device does not have any TCP semi-connections. The state SYN_RECEIVED represents semi-connections; with SYN Cookie enabled, no entry in that state should appear.
[Device] display tcp
*: TCP connection with authentication
Local Addr:port        Foreign Addr:port      State        Slot  PCB
0.0.0.0:21             0.0.0.0:0              LISTEN       1     0xffffffffffffff9d
0.0.0.0:23             0.0.0.0:0              LISTEN       1     0xffffffffffffff9f
192.168.2.88:23        192.168.2.79:2197      ESTABLISHED  1     0xffffffffffffffa3
192.168.2.88:23        192.168.2.89:2710      ESTABLISHED  1     0xffffffffffffffa2
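The handshake described above, modelled in Python as an added example (this is not the switch's implementation and not code from the original page): the server answers every SYN with a SYN ACK whose initial sequence number is a keyed cookie, keeps no semi-connection, and creates a connection entry only when an ACK carrying a valid cookie comes back. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit HMAC), the MSS table, the 64-second tick, the secret and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed cookie layout (classic Bernstein-style; not the device's own):
#   bits 31..27  time counter mod 32 (one tick per COOKIE_LIFETIME seconds)
#   bits 26..24  index of the client's MSS in MSS_TABLE
#   bits 23..0   HMAC(secret, 4-tuple, counter) + client ISN, mod 2^24
MSS_TABLE = (536, 1220, 1440, 1460)   # assumed set of encodable MSS values
COOKIE_LIFETIME = 64                  # assumed seconds per counter tick


class SynCookieServer:
    """Stateless handshake: the SYN ACK carries a cookie as its ISN and the
    server records nothing until a matching ACK arrives."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.half_open = {}     # SYN_RECEIVED table; stays empty with cookies on
        self.established = {}   # 4-tuple -> (negotiated MSS, server ISN)

    def _tick(self) -> int:
        return int(self.clock()) // COOKIE_LIFETIME

    def _mac24(self, tup, tick: int) -> int:
        msg = "|".join(map(str, tup + (tick,))).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def cookie(self, tup, client_isn: int, mss: int, tick=None) -> int:
        """Build the 32-bit ISN that encodes the cookie for this SYN."""
        tick = self._tick() if tick is None else tick
        # Largest table entry not exceeding the offered MSS (floors to 536).
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        low = (self._mac24(tup, tick) + client_isn) & 0xFFFFFF
        return ((tick & 0x1F) << 27) | (idx << 24) | low

    def on_syn(self, tup, client_isn: int, mss: int) -> dict:
        """Reply with SYN ACK; deliberately allocate no per-connection state."""
        isn = self.cookie(tup, client_isn, mss)
        return {"flags": "SYN-ACK", "seq": isn, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, tup, seq: int, ack: int) -> bool:
        """Recompute the cookie from the ACK alone; open the connection only
        if it matches for the current or the previous tick."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        got = (ack - 1) & 0xFFFFFFFF
        t_bits, idx = got >> 27, (got >> 24) & 0x7
        if idx >= len(MSS_TABLE):          # unused index values are never issued
            return False
        now = self._tick()
        for tick in (now, now - 1):
            if (tick & 0x1F) != t_bits:
                continue
            expect = self.cookie(tup, client_isn, MSS_TABLE[idx], tick)
            if hmac.compare_digest(expect.to_bytes(4, "big"), got.to_bytes(4, "big")):
                self.established[tup] = (MSS_TABLE[idx], got)
                return True
        return False


def flood_then_connect(n_spoofed: int = 10_000):
    """Constructed scenario: n spoofed SYNs that never ACK, then one real
    client completing the handshake. Returns (half-open count, established
    count, handshake result)."""
    clock = {"t": 1_000.0}
    srv = SynCookieServer(b"per-boot-secret", clock=lambda: clock["t"])
    for i in range(n_spoofed):                        # attacker sends SYN only
        src = (f"10.0.{(i >> 8) & 255}.{i & 255}", 40000 + i % 20000)
        srv.on_syn(src + ("192.168.2.88", 23), client_isn=i, mss=1460)
    tup = ("192.168.2.79", 2197, "192.168.2.88", 23)  # legitimate client
    syn_ack = srv.on_syn(tup, client_isn=12345, mss=1460)
    ok = srv.on_ack(tup, seq=12346, ack=syn_ack["seq"] + 1)
    return len(srv.half_open), len(srv.established), ok


if __name__ == "__main__":
    print(flood_then_connect())   # (0, 1, True)
```

The point to take from the model is that after ten thousand unanswered SYNs the semi-connection table is still empty, which is exactly what the display tcp output above should confirm (no SYN_RECEIVED rows), while a client that completes the handshake is admitted because its ACK can be checked without any stored state. The trade-off of the technique in general, independent of this device, is that the server can remember nothing from the SYN except what it folds into the cookie, which is why the MSS is encoded in it here and why stacks that use cookies typically accept only a small set of MSS values.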