H3C Technologies H3C SecBlade LB Cards User Manual

Figure 105 Data exchange process in unidirectional proxy mode

When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back, on behalf of the server, a SYN ACK message that carries a wrong sequence number. A legitimate client responds with an RST message. If the TCP proxy receives that RST message from the client, it considers the client legitimate and, for a period of time, forwards the SYN messages the client sends to the server so that the client can establish a TCP connection. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without any processing.

Unidirectional proxy mode satisfies the requirements of most environments. Servers generally do not launch attacks against clients, so packets from servers to clients do not need to be inspected by the TCP proxy. In this case, you can configure the TCP proxy to inspect only packets that clients send to servers. If packets destined for clients also need to be filtered, deploy a TCP proxy for that direction as required.

The unidirectional proxy mode requires that clients use the standard TCP protocol suite. Legitimate clients that use non-standard TCP protocol suites may be considered illegitimate by the TCP proxy. In addition, when the TCP proxy function is active, a client takes longer to establish a TCP connection to a server, because the client must first send an RST message in response to the proxy's SYN ACK and then reinitiate its TCP connection request.
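The following is an added simulation of the unidirectional proxy check described above; it is not H3C code and does not model the SecBlade implementation. It reduces the exchange to its control logic: the proxy answers a client's SYN with a SYN ACK whose acknowledgement number is deliberately wrong, treats the resulting RST from a standards-compliant client as proof that the source address is real, and then forwards that client's SYN messages for a limited period. The trust period (`trust_window`), the offset used to make the acknowledgement number wrong, and all addresses and sequence numbers are constructed assumptions; the page does not give these values.

```python
"""Simulation of a unidirectional TCP proxy SYN check (added illustration, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed offset that makes the proxy's SYN ACK acknowledgement number wrong.
BOGUS_ACK_OFFSET = 0x10000


@dataclass
class Packet:
    src: str
    dst: str
    flags: str        # "SYN", "SYN-ACK", "RST", "ACK" or "DATA"
    seq: int = 0
    ack: int = 0


@dataclass
class TcpProxy:
    server: str
    trust_window: float = 60.0                                  # assumed: seconds a validated client stays trusted
    challenges: Dict[str, int] = field(default_factory=dict)    # client -> bogus ack number sent to it
    trusted: Dict[str, float] = field(default_factory=dict)     # client -> time at which trust expires
    established: Set[str] = field(default_factory=set)          # clients whose handshake completed

    def handle(self, pkt: Packet, now: float) -> Tuple[str, Optional[Packet]]:
        """Return ("reply", p) for a packet the proxy sends back itself,
        ("forward", p) for a packet passed on unchanged, or ("drop", None)."""
        # Unidirectional mode: only the client-to-server direction is inspected.
        if pkt.dst != self.server:
            return ("forward", pkt)
        # Packets of an established connection are forwarded without processing.
        if pkt.src in self.established and pkt.flags != "SYN":
            return ("forward", pkt)
        # A client that proved itself recently gets its SYN (and the rest) forwarded.
        if pkt.src in self.trusted and now < self.trusted[pkt.src]:
            if pkt.flags == "ACK":
                self.established.add(pkt.src)
            return ("forward", pkt)
        if pkt.flags == "SYN":
            # Answer on behalf of the server with a wrong acknowledgement number.
            bogus_ack = (pkt.seq + 1 + BOGUS_ACK_OFFSET) & 0xFFFFFFFF
            self.challenges[pkt.src] = bogus_ack
            return ("reply", Packet(self.server, pkt.src, "SYN-ACK", seq=0, ack=bogus_ack))
        if pkt.flags == "RST" and self.challenges.get(pkt.src) == pkt.seq:
            # A standard stack resets a bad SYN ACK with SEQ equal to the bad ACK (RFC 793),
            # which only a client that really received the SYN ACK can produce.
            del self.challenges[pkt.src]
            self.trusted[pkt.src] = now + self.trust_window
            return ("drop", None)        # the RST is consumed by the proxy
        return ("drop", None)


def standard_client_response(synack: Packet) -> Packet:
    """RST a standards-compliant client in SYN-SENT emits for a SYN ACK with a wrong ack number."""
    return Packet(synack.dst, synack.src, "RST", seq=synack.ack)


def simulate() -> dict:
    """Constructed scenario: one legitimate client plus a flood of spoofed-source SYNs."""
    proxy = TcpProxy(server="192.0.2.10")
    forwarded = []
    client = "198.51.100.7"

    # Legitimate client: receives the bogus SYN ACK, resets, then retransmits its SYN.
    _, synack = proxy.handle(Packet(client, proxy.server, "SYN", seq=1000), now=0.0)
    proxy.handle(standard_client_response(synack), now=0.01)
    for pkt, t in ((Packet(client, proxy.server, "SYN", seq=1000), 1.0),
                   (Packet(client, proxy.server, "ACK", seq=1001, ack=5001), 1.1)):
        action, out = proxy.handle(pkt, t)
        if action == "forward":
            forwarded.append(out)

    # Spoofed sources never see the SYN ACK, so they never send the matching RST.
    for i in range(1, 201):
        action, out = proxy.handle(Packet(f"203.0.113.{i}", proxy.server, "SYN", seq=i), 2.0)
        if action == "forward":
            forwarded.append(out)
    pending = len(proxy.challenges)

    # After the trust window a new connection is challenged again, but the
    # established connection keeps flowing without processing.
    late_syn_action, _ = proxy.handle(Packet(client, proxy.server, "SYN", seq=9000), 120.0)
    data_action, _ = proxy.handle(Packet(client, proxy.server, "DATA", seq=1001), 120.5)

    return {
        "legit_forwarded": sum(1 for p in forwarded if p.src == client),
        "spoofed_forwarded": sum(1 for p in forwarded if p.src != client),
        "pending_challenges": pending,
        "late_syn_action": late_syn_action,
        "data_after_expiry": data_action,
    }


if __name__ == "__main__":
    print(simulate())
```

The simulation shows why the page's caveats hold: a client whose stack does not reset a SYN ACK with a bad acknowledgement number (a non-standard TCP suite) never leaves the challenge table, and even a legitimate client pays one extra round trip per new connection once its trust period has lapsed.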

Bidirectional proxy

Figure 106 Data exchange process in bidirectional proxy mode

[Figure: message sequence between TCP client, TCP proxy and TCP server: 1) SYN; 2) SYN ACK (invalid sequence number); 3) RST; 4) SYN (retransmitting); 5) SYN (forwarding); 6) SYN ACK; 7) ACK; 8) ACK (forwarding)]
