Enabling the SYN Cookie feature

TCP establishes a connection in the following steps:

  • The client sends a SYN message to the server.

  • After receiving the SYN message, the server establishes a TCP connection in SYN_RECEIVED state, returns a SYN ACK message, and waits for a response.

  • After receiving the SYN ACK message, the client returns an ACK message to establish the TCP connection.

Attackers might mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to request TCP connections but never respond to the SYN ACK messages. As a result, a large number of incomplete (half-open) TCP connections accumulate on the server, consuming its resources and making it unable to handle services normally.

The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message instead of creating an incomplete TCP connection. The server establishes a connection only after receiving the ACK message from the client, and the connection then enters the ESTABLISHED state. In this way, incomplete TCP connections are avoided and the server is protected against SYN Flood attacks.

To enable the SYN Cookie feature:

Step                                Command                  Remarks
1. Enter system view.               system-view              N/A
2. Enable the SYN Cookie feature.   tcp syn-cookie enable    Enabled by default.

If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. If you then disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective again. For more information about MD5 authentication, see Layer 3—IP Routing Configuration Guide.

When the SYN Cookie feature is enabled, only the MSS is negotiated during TCP connection establishment; the window scale factor and timestamp options are not negotiated.
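The following simulation is an added example, not code from this configuration guide or from the device's TCP stack, and it illustrates both the SYN Cookie mechanism described above and the MSS-only caveat. The server encodes the few things it must remember (a coarse time counter, an index into a small MSS table, and a keyed MAC over the connection 4-tuple) into the SYN ACK sequence number, keeps no SYN_RECEIVED entry, and only creates state when a client's ACK carries a sequence number that decodes correctly. The cookie layout, the MSS table, the secret and the addresses are all constructed for the example; a real stack uses a random, rotated secret and its own bit layout.

```python
import hmac
import hashlib
import secrets

# Constructed server secret for the simulation; a real stack generates it
# randomly and rotates it.
SECRET = b"example-secret-not-for-production"

# Only a handful of MSS values fit in the cookie (3 bits here), which is why
# only the MSS survives the handshake: there is no room for window scale or
# timestamp information.
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac(saddr, daddr, sport, dport, t):
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry that does not exceed the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, mss, count):
    """SYN ACK sequence number: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    t = count & 0x1F
    return (t << 27) | (encode_mss(mss) << 24) | _mac(saddr, daddr, sport, dport, t)


def check_cookie(saddr, daddr, sport, dport, ack_seq, count, max_age=2):
    """Return the MSS encoded in a valid cookie, or None if the ACK is not a genuine reply."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF      # the client acknowledges our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((count - t) & 0x1F) > max_age:       # counter moved on: cookie expired
        return None
    if (cookie & 0xFFFFFF) != _mac(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[mss_idx]


class Server:
    """Minimal listener: half_open holds SYN_RECEIVED entries, established holds completed ones."""

    def __init__(self, syn_cookie=True):
        self.syn_cookie = syn_cookie
        self.count = 0          # coarse time counter, advanced by the caller
        self.half_open = {}
        self.established = {}

    def on_syn(self, saddr, daddr, sport, dport, mss):
        key = (saddr, sport)
        if self.syn_cookie:
            # No state kept: everything needed later is inside the ISN.
            return make_cookie(saddr, daddr, sport, dport, mss, self.count)
        isn = secrets.randbits(32)
        self.half_open[key] = (isn, mss)   # classic behaviour: remember the request
        return isn

    def on_ack(self, saddr, daddr, sport, dport, ack_seq):
        key = (saddr, sport)
        if self.syn_cookie:
            mss = check_cookie(saddr, daddr, sport, dport, ack_seq, self.count)
            if mss is None:
                return False
        else:
            state = self.half_open.pop(key, None)
            if state is None or ack_seq != (state[0] + 1) & 0xFFFFFFFF:
                return False
            mss = state[1]
        self.established[key] = mss      # connection enters ESTABLISHED
        return True


def half_open_after_flood(n, syn_cookie):
    """n SYNs from distinct source ports with no ACK; return remaining SYN_RECEIVED entries."""
    srv = Server(syn_cookie=syn_cookie)
    for port in range(n):
        srv.on_syn("198.51.100.7", "203.0.113.10", 1024 + port, 80, 1460)
    return len(srv.half_open)


if __name__ == "__main__":
    print("half-open entries without SYN cookie:", half_open_after_flood(1000, False))
    print("half-open entries with SYN cookie:   ", half_open_after_flood(1000, True))
```

Running the block shows the resource difference the guide describes: without the cookie the listener holds one SYN_RECEIVED entry per unanswered SYN, with it the count stays at zero. The `max_age` check is what makes a replayed or long-delayed ACK fail, and `encode_mss` shows why the negotiated MSS may be rounded down to the nearest table value while window scaling and timestamps are dropped entirely.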