Configure TCP Protocol Anti-attack Function
If a TCP server receives a large number of SYN packets but the peers never answer the server's SYN+ACK, every half-open connection consumes server memory and the half-connection (SYN) queue fills up. As a result, the TCP server can no longer serve legitimate connection requests. This is a SYN flood attack; to counter it, you can configure the TCP anti-attack functions described below.
Configuration Condition
None
Enable TCP syncache Function
When a SYN packet is received, the server does not allocate a TCB at once. It first returns a SYN+ACK packet and saves the half-connection information in a private hash table (the cache); only when the correct ACK response arrives does it allocate the TCB. A SYN flood therefore consumes only compact cache entries instead of full TCBs.
Table 2-25 Enable the TCP syncache function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Configure the TCP syncache function | ip tcp syncache | Mandatory. By default, the function is disabled. |
Enable TCP syncookies Function
This function stores no per-connection state. Instead, it generates the server's initial Sequence Number with a special algorithm whose input is the fixed connection information (peer IP address and port, local IP address and port) together with other information such as the MSS and the current time. When the peer's ACK packet arrives, the server recalculates the value and checks whether it equals the acknowledgment number in that packet minus 1, that is, the Sequence Number the server sent in its SYN+ACK. Only if the two match does it allocate TCB resources; a forged or stale ACK is dropped without costing any state.
Table 2-26 Enable the TCP syncookies function

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Configure the TCP syncookies function | ip tcp syncookies | Mandatory. By default, the function is disabled. |
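The following Python program is an added illustration of the syncookies mechanism described above; it is not the device's own algorithm and is not part of the original page. The field layout (3 bits of time slot, 2 bits of MSS index, 27 bits of keyed hash), the 64-second slot length, the MSS table and the secret key are assumptions made for this example. It shows the two halves of the scheme: building the server's initial Sequence Number from the peer and local addresses and ports, the client ISN, the MSS and the time, and then validating the peer's final ACK by recomputing that value and comparing it with the acknowledgment number minus 1 before any TCB would be allocated.

```python
"""Stateless SYN cookie generation and validation (illustrative, not a vendor algorithm)."""
import hashlib
import hmac

# Constructed secret for this example only; a real stack draws it from a CSPRNG at boot.
SECRET = b"example-only-syncookie-secret"

# Assumed MSS table: the client's MSS is mapped to the largest entry not above it
# (or the smallest entry), so the value survives in 2 bits of the cookie.
MSS_TABLE = (536, 1300, 1440, 1460)

SLOT_SECONDS = 64                      # assumed length of one time slot
SLOT_BITS, MSS_BITS = 3, 2
MAC_BITS = 32 - SLOT_BITS - MSS_BITS   # 27 bits of keyed hash
SLOT_MASK = (1 << SLOT_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1


def _slot(now):
    """Coarse time counter that goes into the cookie."""
    return int(now) // SLOT_SECONDS


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Keyed hash over the fixed connection information plus the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Return the server ISN to put in the SYN+ACK. No connection state is stored."""
    slot = _slot(now)
    mss_idx = 0
    for i, table_mss in enumerate(MSS_TABLE):
        if table_mss <= mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return ((slot & SLOT_MASK) << (32 - SLOT_BITS)) | (mss_idx << MAC_BITS) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_ack, now):
    """Validate the peer's final ACK. Returns the recovered MSS, or None to drop it.

    ack_seq is the ACK packet's sequence number (client ISN + 1) and ack_ack its
    acknowledgment number (server ISN + 1). The server recomputes the cookie and
    compares it with ack_ack - 1; only on a match would it allocate a TCB.
    """
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    slot_bits = cookie >> (32 - SLOT_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    got = (cookie & MAC_MASK).to_bytes(4, "big")
    current = _slot(now)
    for slot in (current, current - 1):          # accept this slot and the previous one
        if (slot & SLOT_MASK) != slot_bits:
            continue
        want = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, slot).to_bytes(4, "big")
        if hmac.compare_digest(got, want):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed handshake: peer 198.51.100.7:40000 -> server 203.0.113.5:80 at t=1000.
    peer, srv = ("198.51.100.7", 40000), ("203.0.113.5", 80)
    client_isn = 0x11223344
    isn = make_cookie(*peer, *srv, client_isn, 1450, now=1000)
    print("server ISN (cookie):", hex(isn))
    # Genuine third packet: seq = client ISN + 1, ack = server ISN + 1.
    print("valid ACK   ->", check_cookie(*peer, *srv, client_isn + 1, isn + 1, now=1010))
    # Forged ACK from a blind attacker who never saw the SYN+ACK.
    print("forged ACK  ->", check_cookie(*peer, *srv, client_isn + 1, 0xDEADBEEF, now=1010))
    # Replay of the genuine ACK three slots later.
    print("stale ACK   ->", check_cookie(*peer, *srv, client_isn + 1, isn + 1, now=1000 + 3 * SLOT_SECONDS))
```

Note that the server never looks anything up: every input to the check is either in the ACK packet itself or is the secret and the clock, which is why a flood of SYN packets costs no memory. The price is that TCP options not encoded in the cookie (here everything except a rounded MSS) are lost, which is why real stacks fall back to cookies only when the SYN queue is under pressure.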