Enabling TCP SYN Cookie

A TCP connection is established through a three-way handshake:

  1. The sender sends a SYN packet to the server.

  2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

  3. The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.

SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.
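The stateless behaviour described above, worked through in code. This is an added illustration, not the device's implementation: the cookie construction (HMAC over the 4-tuple, the client ISN and a 64-second time slot, packed into the server's 32-bit ISN) and all names are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Constructed example secret; a real TCP stack generates and rotates this.
SERVER_SECRET = b"constructed-example-secret"
SLOT_SECONDS = 64  # a cookie stays valid for the current and previous slot

def _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    # Bind the cookie to the 4-tuple, the client's ISN and a coarse time slot.
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode()
    msg += struct.pack("!II", client_isn & 0xFFFFFFFF, slot & 0xFFFFFFFF)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & 0x1FFFFFFF  # low 29 bits

def make_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, now):
    # The server's ISN in the SYN ACK: 3 bits of slot, 29 bits of MAC.
    slot = int(now) // SLOT_SECONDS
    mac29 = _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return ((slot & 0x7) << 29) | mac29

def verify_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    # The client's ACK carries seq = client_isn + 1 and ack = server_isn + 1,
    # so everything needed to recompute the cookie is in the packet itself.
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    cur = int(now) // SLOT_SECONDS
    for slot in (cur, cur - 1):  # accept the current and the previous slot
        if (slot & 0x7) != cookie >> 29:
            continue
        mac29 = _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, client_isn, slot)
        if mac29 == (cookie & 0x1FFFFFFF):
            return True
    return False

class SynCookieServer:
    """Keeps no half-open entries; state appears only after a valid ACK."""
    def __init__(self, secret, ip, port):
        self.secret, self.ip, self.port = secret, ip, port
        self.established = set()

    def handle_syn(self, src_ip, src_port, client_isn, now):
        # Reply with a SYN ACK whose ISN is the cookie; nothing is stored,
        # so a flood of unanswered SYNs consumes no connection table space.
        return make_syn_cookie(self.secret, src_ip, src_port, self.ip, self.port, client_isn, now)

    def handle_ack(self, src_ip, src_port, seq, ack, now):
        ok = verify_syn_cookie(self.secret, src_ip, src_port, self.ip, self.port, seq, ack, now)
        if ok:
            self.established.add((src_ip, src_port))  # first state for this client
        return ok
```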

To enable TCP SYN Cookie:

Step                        Command                 Remarks
1. Enter system view.       system-view             N/A
2. Enable TCP SYN Cookie.   tcp syn-cookie enable   The default setting is disabled.