Configuring tcp proxy, Overview, Syn flood attack – H3C Technologies H3C SecPath F1000-E User Manual

31

Configuring TCP proxy

The TCP proxy configuration is available only in the Web interface.

Overview

SYN flood attack

As a general rule, the establishment of a TCP connection is a three-way handshake:

1.

The request originator sends a SYN message to the target server.

2.

After receiving the SYN message, the target server establishes a TCP connection in the
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.

3.

After receiving the SYN ACK message, the originator returns an ACK message. The TCP
connection is established.

Attackers may exploit the TCP connection establishment to mount SYN flood attacks. Attackers send a
large number of SYN messages to the server to establish TCP connections, but they never make any

response to SYN ACK messages. As a result, a large amount of incomplete TCP connections are

established, making the server unable to handle services normally.

TCP proxy

The TCP proxy feature can protect the server from SYN flood attacks. The TCP client sets up a TCP

connection with the TCP server through a TCP proxy. The TCP proxy intercepts SYN requests from the TCP

clients and verifies whether the requests are SYN flood attack packets. If so, the TCP proxy drops the
requests, protecting the TCP server against SYN flood attacks.
TCP proxy can work in two modes:

•

Unidirectional proxy—Only processes packets from the TCP client.

•

Bidirectional proxy—Processes packets from both the TCP client and TCP server.

You can choose a proper mode according to your network scenario. For example, if packets from TCP

clients to a server go through the TCP proxy but packets from the server to clients do not, as shown

in

Figure 35

, configure unidirectional proxy. If all packets between TCP clients and a server go through

the TCP proxy, as shown in

Figure 36

, you can configure unidirectional proxy or bidirectional proxy as

desired.