TCP SYN flood attacks are old but still effective. As DoS attacks, they exploit the way a TCP connection is established (the three-way handshake).
An attacker sends a SYN packet to a switch but never answers the switch's SYN-ACK. The switch keeps the connection entry and waits for the attacker's ACK, so a half-open connection is left behind. By sending SYN packets continuously (usually from spoofed source addresses, so the SYN-ACKs go unanswered), the attacker accumulates a large number of half-open connections and exhausts the switch's connection resources.
To defend against TCP SYN flood attacks, enable defense against TCP SYN flood attacks and set a rate limit (CAR) on the TCP SYN packets the switch accepts, so that a flood cannot fill the half-open connection table.
Enable defense against TCP SYN flood attacks. By default, this function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack tcp-syn enable
[HUAWEI] anti-attack tcp-syn car cir 8000    //Limit the rate of receiving TCP SYN packets. By default, this rate is 155,000,000 bit/s.
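The following added example models what the SYN-packet CAR above does. It is not Huawei code and does not talk to a switch: it replays a constructed packet stream (one legitimate handshake followed by a 1000-SYN flood) through a single-rate token bucket whose CIR is in bit/s, matching the units of `anti-attack tcp-syn car cir`, and counts how many half-open connections are left behind at the page's stated default rate and at `cir 8000`. The committed burst size (CBS), the addresses, packet sizes and timings are assumptions for illustration; the page does not state the default CBS.

```python
"""Model of a SYN-packet CAR (committed access rate) as a token bucket.

Added example, not Huawei code. Packet stream, IPs, CBS and timings are
constructed for illustration.
"""
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class Packet:
    t: float      # arrival time, seconds
    src: str      # source IPv4 address
    sport: int    # source port
    flags: int    # TCP flag bits
    length: int   # bytes on the wire


def is_pure_syn(pkt: Packet) -> bool:
    """Only the first handshake packet (SYN set, ACK clear) is rate limited."""
    return bool(pkt.flags & TCP_SYN) and not pkt.flags & TCP_ACK


class TokenBucket:
    """Single-rate bucket: tokens are bits, refilled at cir bit/s, capped at cbs bits."""

    def __init__(self, cir_bps: float, cbs_bits: float):
        self.cir = cir_bps
        self.cbs = cbs_bits
        self.tokens = cbs_bits   # bucket starts full
        self.last = 0.0

    def admit(self, pkt: Packet) -> bool:
        # Lazy refill: credit the time elapsed since the last SYN was checked.
        self.tokens = min(self.cbs, self.tokens + (pkt.t - self.last) * self.cir)
        self.last = pkt.t
        bits = pkt.length * 8
        if bits > self.tokens:
            return False          # over the limit: the SYN is discarded
        self.tokens -= bits
        return True


def replay(packets, cir_bps, cbs_bits=None):
    """Run a packet stream through the limiter.

    Returns (syn_admitted, syn_dropped, half_open). half_open counts admitted
    SYNs whose (src, sport) never sent a following ACK, i.e. the state the
    switch would still be holding. CBS defaults to one second of CIR credit
    (an assumption; the real default is not on this page).
    """
    bucket = TokenBucket(cir_bps, cir_bps if cbs_bits is None else cbs_bits)
    pending = set()
    admitted = dropped = 0
    for pkt in sorted(packets, key=lambda p: p.t):
        key = (pkt.src, pkt.sport)
        if is_pure_syn(pkt):
            if bucket.admit(pkt):
                admitted += 1
                pending.add(key)
            else:
                dropped += 1
        elif pkt.flags & TCP_ACK:
            pending.discard(key)   # third handshake packet: connection completes
    return admitted, dropped, len(pending)


def constructed_stream():
    """One legitimate handshake plus a 1000-SYN flood 10 us apart (constructed data)."""
    pkts = [
        Packet(0.00, "10.0.0.5", 40000, TCP_SYN, 64),
        Packet(0.05, "10.0.0.5", 40000, TCP_ACK, 64),
    ]
    pkts += [Packet(1.0 + i * 1e-5, "203.0.113.7", 1024 + i, TCP_SYN, 64)
             for i in range(1000)]
    return pkts


if __name__ == "__main__":
    stream = constructed_stream()
    # At the page's stated default (155,000,000 bit/s) the whole flood is
    # admitted and 1000 half-open entries remain.
    print("cir=155000000:", replay(stream, 155_000_000))
    # With `car cir 8000` only what 8000 bits of credit covers gets in
    # (15 x 64-byte SYNs), so only 15 half-open entries remain.
    print("cir=8000:     ", replay(stream, 8000))
```

The bucket refills continuously, so a low CIR also limits legitimate clients: at 8000 bit/s a burst of normal 64-byte SYNs beyond roughly fifteen per second is dropped too. Size the CIR to the legitimate SYN rate the switch must accept, and watch the drop counters after changing it.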