HP 6125XLG R2306-HP 6125XLG Blade Switch Layer 3 - IP Services Command Referen - Page 152
Parameters

aging age-time: Sets the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.

no-aging: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. TCP connections established later do not detect the path MTU, but TCP connections established earlier can still detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view
[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1. The sender sends a SYN packet to the server.

2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

144
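The SYN Cookie mechanism described above, as an added illustration that is not the HP 6125XLG's own implementation: the server encodes the connection 4-tuple, a time counter and the client's MSS into the SYN ACK sequence number with a keyed hash, keeps no semi-connection state, and only builds the connection when the returning ACK carries a valid cookie. The secret key, the MSS table and the bit layout are constructed assumptions for this example.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real stack uses a random, rotated key.
SECRET = b"example-only-syn-cookie-secret"

# Small MSS table encoded in 3 cookie bits; the client's MSS is rounded down to an entry.
MSS_TABLE = [536, 1220, 1440, 1460]


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{counter & 0x1F}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, counter):
    """Build the ISN placed in the SYN ACK. Nothing is stored on the server.
    Layout: bits 31..27 = counter, bits 26..24 = MSS index, bits 23..0 = hash + client ISN."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low = (_keyed_hash(src_ip, src_port, dst_ip, dst_port, counter) + client_isn) & 0xFFFFFF
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | low


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, counter, max_age=3):
    """Validate the third-handshake ACK. The client acknowledges cookie + 1; the 4-tuple
    and client ISN are taken from the ACK packet itself, so no per-SYN state is needed.
    Returns the MSS to use, or None if the cookie is forged, altered or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    issued = cookie >> 27
    age = (counter - issued) & 0x1F  # modular, so counter wraparound is handled
    if age > max_age:
        return None
    expected = (_keyed_hash(src_ip, src_port, dst_ip, dst_port, issued) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

Because the cookie is recomputed from the ACK, a flood of SYNs that never complete the handshake costs the server only the SYN ACK it sends back, which is the protection the command enables.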