beautypg.com

Enabling protection against naptha attacks – H3C Technologies H3C S5120 Series Switches User Manual

Page 217

background image

1-3

Follow these steps to enable the SYN Cookie feature:

To do...

Use the command...

Remarks

Enter system view

system-view

Enable the SYN Cookie feature

tcp syn-cookie enable

Required

Disabled by default.

z

If MD5 authentication is enabled, the SYN Cookie feature will not function after enabled. Then, if

you disable MD5 authentication, the SYN Cookie feature will be enabled automatically.

z

With the SYN Cookie feature enabled, only the MSS, instead of the window’s zoom factor and

timestamp, is negotiated during TCP connection establishment.

Enabling Protection Against Naptha Attacks

Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the

six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and

SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.

Naptha attackers control a huge amount of hosts to establish TCP connections with the server, keep

these connections in the same state (any of the six), and request for no data so as to exhaust the

memory resource of the server. As a result, the server cannot process normal services.

Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP

connections in a state. After the feature is enabled, the device periodically checks the number of TCP

connections in each state. If it detects that the number of TCP connections in a state exceeds the

maximum number, it will accelerate the aging of TCP connections in this state.

Follow these steps to enable the protection against Naptha attack:

To do...

Use the command...

Remarks

Enter system view

system-view

Enable the protection
against Naptha attack

tcp anti-naptha enable

Required

Disabled by default.

Configure the maximum of
TCP connections in a
state

tcp state { closing |
established | fin-wait-1 |
fin-wait-2 | last-ack |
syn-received }
connection-number number

Optional

5 by default.

If the maximum number of TCP
connections in a state is 0, the
aging of TCP connections in this
state will not be accelerated.

Configure the TCP state
check interval

tcp timer check-state
timer-value

Optional

30 seconds by default.

See also other documents in the category H3C Technologies Routers: