ipv6-tcpsyn-flood enable

Function

The ipv6-tcpsyn-flood enable command enables defense against IPv6 TCP SYN flooding attacks.

The undo ipv6-tcpsyn-flood enable command disables defense against IPv6 TCP SYN flooding attacks.

By default, defense against IPv6 TCP SYN flooding attacks is enabled.

Format

ipv6-tcpsyn-flood enable

undo ipv6-tcpsyn-flood enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name     Operations
device-mgr    write

Usage Guidelines

Usage Scenario

An IPv6 TCP SYN flooding attack is a form of denial of service (DoS) attack. The attacker sends a large quantity of illegal IPv6 TCP SYN packets to the server. These packets keep the server so busy that it cannot answer other clients' requests, and it finally crashes because it is overburdened.

The device applies committed access rate (CAR) limiting to IPv6 TCP SYN packets that match the configured ACLs. This effectively suppresses malicious TCP connection requests. In addition, an aging time is set for IPv6 TCP SYN packets. Currently, the default aging time of IPv6 TCP SYN packets is 75 seconds, and the time can be set from 2 to 600 seconds. You are advised to set the aging time to 2 to 5 seconds when the device is under attack.
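
The following Python model is an added example, not Huawei code or device output. It shows why the shorter aging time is advised during an attack: the number of half-open entries held is roughly the CAR rate multiplied by the aging time. It assumes CAR behaves as a token bucket and that the aging time is the lifetime of a half-open entry; the CAR rate, burst size, and flood rate are constructed values.

```python
from collections import deque

TICKS_PER_S = 1000  # simulate in 1 ms ticks; integer maths keeps runs repeatable


def simulate(offered_pps, car_pps, car_burst, aging_s, duration_s):
    """Return half-open table statistics for a sustained SYN flood.

    Model assumptions (added here, not taken from the device documentation):
    CAR behaves as a token bucket, no flood SYN ever completes the handshake,
    and each admitted SYN holds one entry until the aging time expires.
    """
    cost = TICKS_PER_S                 # scaled tokens consumed per packet
    cap = car_burst * cost             # bucket depth in scaled tokens
    tokens = cap
    aging_ticks = aging_s * TICKS_PER_S
    expiries = deque()                 # expiry tick of each entry, oldest first
    admitted = dropped = peak = 0
    for now in range(duration_s * TICKS_PER_S):
        # Refill: car_pps tokens per second equals car_pps scaled tokens per ms.
        tokens = min(cap, tokens + car_pps)
        # Age out half-open entries whose timer has expired.
        while expiries and expiries[0] <= now:
            expiries.popleft()
        # Spread offered_pps evenly over the ticks of each second.
        arrivals = (offered_pps * (now + 1) // TICKS_PER_S
                    - offered_pps * now // TICKS_PER_S)
        for _ in range(arrivals):
            if tokens >= cost:         # CAR admits the SYN
                tokens -= cost
                expiries.append(now + aging_ticks)
                admitted += 1
            else:                      # CAR drops the SYN
                dropped += 1
        peak = max(peak, len(expiries))
    return {"admitted": admitted, "dropped": dropped,
            "peak": peak, "final": len(expiries)}


if __name__ == "__main__":
    # Constructed scenario: 2000 SYN/s offered, hypothetical CAR of 100 pps, burst 100.
    for aging in (75, 3):
        r = simulate(2000, 100, 100, aging, 120)
        print(f"aging={aging:>2}s peak={r['peak']} steady={r['final']} "
              f"dropped_by_CAR={r['dropped']}")
```

CAR admits the same number of SYN packets in both runs; only the aging time changes how many half-open entries those admitted packets occupy at once.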

In VS mode, this command is supported only by the admin VS.

Example

# Enable IPv6 TCP SYN flooding attack defense in attack defense policy 6.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 6
[*HUAWEI-cpu-defend-policy-6] ipv6-tcpsyn-flood enable
Copyright © Huawei Technologies Co., Ltd.