• When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an age timer for the path MTU.
• After the age timer expires, the source device uses a larger MSS in the MTU table as described in RFC 1191.
• If no ICMP error message is received within 2 minutes, the source device increases the MSS again until the MSS is as large as the MSS negotiated during the TCP three-way handshake.
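The following is an added illustration, not vendor code from this guide: a simplified model of the path MTU discovery behaviour described above, following the plateau MTU table of RFC 1191. The link MTU, the age time, the header sizes and the ICMP messages fed to it are constructed for the example; how the device itself tracks the path MTU internally is not documented here and is assumed.

```python
# Added illustration (not vendor code): a simplified model of TCP path MTU
# discovery with an age timer, following the RFC 1191 plateau table.
# Link MTU, age time and the sample ICMP messages are constructed.

# RFC 1191 section 7.1 "plateau" table: common link MTUs, largest first.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
MIN_MTU = 68                 # smallest MTU an IPv4 host must accept
IPV4_TCP_HEADERS = 40        # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_mtu(mtu):
    """TCP MSS that fits in one unfragmented IPv4 packet of the given MTU."""
    return mtu - IPV4_TCP_HEADERS


class PathMtuState:
    """Per-destination path MTU with an aging step-up, as in 'tcp path-mtu-discovery aging'."""

    def __init__(self, link_mtu, age_time):
        self.link_mtu = link_mtu      # outgoing interface MTU (upper bound)
        self.path_mtu = link_mtu      # start optimistic, as PMTUD does
        self.age_time = age_time      # seconds to wait before trying a larger MTU (age-time)
        self.timer = None             # remaining seconds, None when not running

    def mss(self):
        return mss_for_mtu(self.path_mtu)

    def on_icmp_frag_needed(self, next_hop_mtu):
        """ICMP Destination Unreachable, code 4 (fragmentation needed): shrink the path MTU.

        next_hop_mtu is the value an RFC 1191 router fills in; 0 models an older
        router that leaves the field empty, in which case the next lower plateau is used.
        """
        if 0 < next_hop_mtu < self.path_mtu:
            new_mtu = next_hop_mtu
        else:
            new_mtu = next((p for p in PLATEAUS if p < self.path_mtu), MIN_MTU)
        self.path_mtu = max(new_mtu, MIN_MTU)
        self.timer = self.age_time        # start the age timer

    def tick(self, seconds):
        """Advance the clock; an expired timer means no ICMP error arrived, so probe upward."""
        if self.timer is None:
            return
        self.timer -= seconds
        if self.timer > 0:
            return
        candidates = [p for p in PLATEAUS if self.path_mtu < p <= self.link_mtu]
        if self.link_mtu > self.path_mtu:
            candidates.append(self.link_mtu)
        if candidates:
            self.path_mtu = min(candidates)   # one plateau at a time
            self.timer = self.age_time        # wait again before the next step
        else:
            self.timer = None                 # back at the link MTU: nothing left to probe


if __name__ == "__main__":
    s = PathMtuState(link_mtu=1500, age_time=120)
    s.on_icmp_frag_needed(1006)          # constructed ICMP error with Next-Hop MTU 1006
    print(s.path_mtu, s.mss())           # 1006 966
    s.tick(120)
    print(s.path_mtu, s.mss())           # 1492 1452
```

Setting age_time to None would correspond to the no-aging keyword: the timer never expires, so the reduced path MTU is kept until the connection ends.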
To enable TCP path MTU discovery:

Step                                 Command                                                 Remarks
1. Enter system view.                system-view                                             N/A
2. Enable TCP path MTU discovery.    tcp path-mtu-discovery [ aging age-time | no-aging ]    The default setting is disabled.

Enabling TCP SYN Cookie
A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.
An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.
SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.
To enable TCP SYN Cookie:

Step                                 Command                                                 Remarks
1. Enter system view.                system-view                                             N/A
2. Enable SYN Cookie.                tcp syn-cookie enable                                   The default setting is disabled.

Configuring the TCP buffer size

Step                                                 Command                      Remarks
1. Enter system view.                                system-view                  N/A
2. Configure the size of the TCP receive/send buffer.  tcp window window-size       The default buffer size is 64 KB.
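The following is an added illustration of the SYN Cookie mechanism described under "Enabling TCP SYN Cookie" above; it is example code, not the device's implementation. It shows why the server needs no semi-connection per SYN: the initial sequence number of the SYN ACK is a keyed cookie over the connection's addresses and ports plus a coarse time counter, and the connection is only created when an ACK carries a cookie that verifies. The cookie layout, the MSS encoding table, the secret, the addresses and the validity window are all constructed for the example.

```python
# Added illustration (not vendor code): a stateless SYN cookie server in the
# style of RFC 4987 section 3.6. Addresses, ports, the secret, the cookie
# layout and the MSS encoding table are constructed for the example.
import hashlib
import hmac

# The client's MSS is not stored; it is rounded down to one of these values
# and the 3-bit index is carried inside the cookie (constructed table).
MSS_TABLE = [536, 1220, 1440, 1460]
COOKIE_MAX_AGE = 3          # time-counter ticks a cookie stays valid (bounds replay of a captured ACK)


class SynCookieServer:
    def __init__(self, secret):
        self.secret = secret
        self.half_open = {}     # would hold SYN_RECEIVED entries; stays empty with cookies on
        self.established = {}   # 4-tuple -> MSS, created only when a valid ACK arrives

    def _mac24(self, src, sport, dst, dport, t):
        """24-bit keyed MAC over the connection 4-tuple and the time counter."""
        msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _cookie(self, src, sport, dst, dport, mss_idx, t):
        """ISN layout: 5 bits time counter | 3 bits MSS index | 24 bits MAC."""
        return ((t & 0x1F) << 27) | (mss_idx << 24) | self._mac24(src, sport, dst, dport, t)

    def on_syn(self, src, sport, dst, dport, client_mss, t):
        """Answer a SYN: return the ISN for the SYN ACK and keep no per-connection state."""
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        return self._cookie(src, sport, dst, dport, mss_idx, t)

    def on_ack(self, src, sport, dst, dport, ack_num, t_now):
        """Check the handshake ACK; create the connection only if the cookie verifies."""
        cookie = (ack_num - 1) & 0xFFFFFFFF    # the client acknowledges ISN + 1
        t_bits = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
        for age in range(COOKIE_MAX_AGE + 1):   # accept cookies issued up to COOKIE_MAX_AGE ticks ago
            t = t_now - age
            if t < 0 or (t & 0x1F) != t_bits:
                continue
            expected = self._mac24(src, sport, dst, dport, t).to_bytes(3, "big")
            if hmac.compare_digest(mac, expected):
                self.established[(src, sport, dst, dport)] = MSS_TABLE[mss_idx]
                return True
        return False


if __name__ == "__main__":
    server = SynCookieServer(b"constructed-secret")
    # Constructed flood: many SYNs that are never acknowledged cost the server no state.
    for i in range(10000):
        server.on_syn("203.0.113.%d" % (i % 250 + 1), 1024 + i, "192.0.2.10", 80, 1460, t=5)
    print("semi-connections after flood:", len(server.half_open))      # 0
    # A legitimate client completes the handshake.
    isn = server.on_syn("198.51.100.7", 40000, "192.0.2.10", 80, 1460, t=5)
    print("accepted:", server.on_ack("198.51.100.7", 40000, "192.0.2.10", 80, (isn + 1) & 0xFFFFFFFF, t_now=6))
```

The trade-off visible in the code is that TCP options from the SYN (here only the MSS, rounded to a table entry) must fit in the 32-bit sequence number, and that an ACK older than COOKIE_MAX_AGE ticks is rejected even if its MAC is valid, which is what keeps a recorded ACK from being reused later.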