beautypg.com

Configuring tcp attack protection, Overview, Enabling the syn cookie feature – H3C Technologies H3C SecBlade LB Cards User Manual

Page 273

background image

262

Configuring TCP attack protection

TCP attack protection can be configured only at the CLI.

Overview

Attackers can attack the device during the process of TCP connection establishment. To prevent such
attacks, the device provides the following features:

SYN Cookie

Protection against Naptha attacks

This chapter describes the attacks that these features can prevent, working mechanisms of these features,

and configuration procedures.

Enabling the SYN Cookie feature

As a general rule, the establishment of a TCP connection involves the following three handshakes:

1.

The request originator sends a SYN message to the target server.

2.

After receiving the SYN message, the target server establishes a TCP connection in
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.

3.

After receiving the SYN ACK message, the originator returns an ACK message, establishing the
TCP connection.

Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number

of SYN messages to the server to establish TCP connections, but they never make any response to SYN

ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in
heavy resource consumption and making the server unable to handle services correctly.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the

server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. Only

after receiving an ACK message from the client can the server establish a connection, and then enter
ESTABLISHED state. In this way, incomplete TCP connections could be avoided to protect the server

against SYN Flood attacks.
To enable the SYN Cookie feature:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable the SYN Cookie
feature.

tcp syn-cookie enable

Enabled by default.

If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then,

if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically

becomes effective. For more information about MD5 authentication, see Network Management
Configuration Guide.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: