Tcp Syn-Cookie Enable - HP 6125XLG Command Reference Manual

Blade switch layer 3 - ip services

Parameters
aging age-time: Sets the aging time for the path MTU, in the range of 10 to 30 minutes. The default
aging time is 10 minutes.
no-aging: Does not age out the path MTU.
Usage guidelines
After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses
the path MTU to calculate the MSS to avoid IP fragmentation.
After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections
established later do not detect the path MTU, but the TCP connections previously established still can
detect the path MTU.
Examples
# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.
<Sysname> system-view
[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.
Use undo tcp syn-cookie enable to disable SYN Cookie.
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
Default
SYN Cookie is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,
and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection
is established.
An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number
of SYN packets but does not respond to the SYN ACK packets from the server. As a result, the server
establishes a large number of TCP semi-connections and cannot handle normal services.
SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it
responds to the request with a SYN ACK packet without establishing a TCP semi-connection.
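A simplified model of how a stateless SYN ACK reply can work, added here as an illustration (not code from this manual and not the switch's implementation): the server packs a keyed hash into the SYN ACK sequence number and creates connection state only when an ACK carrying a valid value returns. The cookie bit layout, MSS table, time-slot handling and addresses are assumptions made for the example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)               # per-listener key, generated for this demo
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; 2-bit index rides in the cookie


def _mac24(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed hash over the 4-tuple, the client ISN and the time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, slot):
    """Server ISN for the SYN ACK: [6-bit slot | 2-bit MSS index | 24-bit MAC]."""
    slot &= 0x3F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (slot << 26) | (idx << 24) | _mac24(src, sport, dst, dport, client_isn, slot)


def check_ack(src, sport, dst, dport, seq, ack, slot_now):
    """Validate the handshake's final ACK; return the MSS or None if rejected."""
    cookie = (ack - 1) & 0xFFFFFFFF        # ACK number = server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # sequence number = client ISN + 1
    slot = cookie >> 26
    if (slot_now - slot) & 0x3F > 1:       # cookie older than one time slot
        return None
    good = _mac24(src, sport, dst, dport, client_isn, slot).to_bytes(3, "big")
    if not hmac.compare_digest(good, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]


def demo():
    """Unanswered SYNs leave no state; only a valid ACK creates a connection."""
    connections = {}                       # established connections only
    server = ("192.0.2.10", 80)            # documentation addresses (constructed)
    for i in range(1000):                  # SYNs whose SYN ACK is never answered
        make_cookie(f"198.51.100.{i % 250}", 1024 + i, *server, i, 1460, slot=7)
    client = ("203.0.113.5", 40000)
    isn = 123456
    cookie = make_cookie(*client, *server, isn, 1400, slot=7)
    mss = check_ack(*client, *server, isn + 1, cookie + 1, slot_now=7)
    if mss is not None:
        connections[client + server] = {"mss": mss}
    return len(connections), mss
```

Because the MSS must fit in two bits of the cookie, the value recovered from the ACK is the largest table entry not exceeding what the client offered (1300 for an offered 1400 in this sketch).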