tcpsyn-flood enable

Function

The tcpsyn-flood enable command enables defense against TCP SYN flooding attacks.

The undo tcpsyn-flood enable command disables defense against TCP SYN flooding attacks.

By default, defense against TCP SYN flooding attacks is enabled.

Format

tcpsyn-flood enable

undo tcpsyn-flood enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name     Operations
device-mgr    write

Usage Guidelines

Usage Scenario

A TCP SYN flooding attack is a form of denial of service (DoS) attack. The attacker sends a large quantity of illegal TCP SYN packets to the server. These packets keep the server so busy that it cannot answer other clients' requests, and it finally crashes because it is overburdened.

The device applies committed access rate (CAR) limiting to TCP SYN packets that match the configured ACLs, which effectively suppresses malicious TCP connection requests. In addition, an aging time is set for TCP SYN packets. The default aging time of TCP SYN packets is 75 seconds, and the value can be set from 2 to 600 seconds. You are advised to set the aging time to 2 to 5 seconds when the device is under attack.
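The combined effect of the CAR and the aging time described above, as an added Python model that is not Huawei code and not part of the original page. It assumes a single-rate token bucket for the CAR and a half-open table whose entries are freed only by the aging timer; the function name, packet rates and burst size are constructed for illustration.

```python
from collections import deque

US = 1_000_000  # microseconds per second; also the token cost of one SYN

def simulate_syn_flood(offered_pps, car_pps, burst_pkts, aging_s, duration_s):
    """Model a constant-rate SYN flood whose handshakes never complete.

    Assumed model: a single-rate token bucket (the CAR) in front of a
    half-open table whose entries are removed only by the aging timer.
    Returns (peak_half_open, final_half_open, dropped_by_car).
    """
    cap = burst_pkts * US
    tokens, last_t = cap, 0          # bucket starts full
    half_open = deque()              # expiry times in microseconds, oldest first
    peak = dropped = 0
    for i in range(offered_pps * duration_s):
        t = i * US // offered_pps    # arrival time of SYN number i
        tokens = min(cap, tokens + (t - last_t) * car_pps)
        last_t = t
        while half_open and half_open[0] <= t:
            half_open.popleft()      # aging timer expired, entry is freed
        if tokens >= US:             # CAR conforms: SYN reaches the CPU
            tokens -= US
            half_open.append(t + aging_s * US)
            peak = max(peak, len(half_open))
        else:                        # CAR exceeds: SYN is discarded
            dropped += 1
    return peak, len(half_open), dropped

if __name__ == "__main__":
    # Constructed scenario: 1000 SYN/s offered for 200 s.
    for label, car, burst, aging in [
        ("no CAR, aging 75 s", 1000, 1000, 75),
        ("CAR 100 pps, aging 75 s", 100, 100, 75),
        ("CAR 100 pps, aging 3 s", 100, 100, 3),
    ]:
        peak, final, dropped = simulate_syn_flood(1000, car, burst, aging, 200)
        print(f"{label:26} peak={peak:6} steady={final:6} dropped={dropped}")
```

In this model the steady-state number of half-open entries is the admitted SYN rate multiplied by the aging time, so lowering the aging time from 75 seconds to a few seconds shrinks the state held during an attack by the same factor.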

In VS mode, this command is supported only by the admin VS.

Example

# Enable TCP SYN flooding attack defense in attack defense policy 6.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 6
[*HUAWEI-cpu-defend-policy-6] tcpsyn-flood enable
Copyright © Huawei Technologies Co., Ltd.