Configure the IPv6 TCP Anti-Attack Function
If an IPv6 TCP server receives a large number of SYN packets whose senders never answer the server's SYN+ACK with the final ACK, each half-open connection consumes memory on the server and occupies a slot in the half-open (semi-connected) queue. Once the queue is full, the server can no longer accept normal connection requests. This attack (a SYN flood) can be mitigated by configuring the IPv6 TCP anti-attack function.
Configuration Condition
None
Enable IPv6 TCP syncache Function
Instead of allocating a TCB as soon as a SYN packet arrives, the server first replies with a SYN+ACK and records the half-open connection in a dedicated, bounded cache. Only when the matching ACK (acknowledging the server's initial sequence number plus one) is received is the TCB allocated.
Table 5-21 Enable IPv6 TCP syncache function
Step                                   | Command             | Description
Enter the global configuration mode    | configure terminal  | -
Enable the IPv6 TCP syncache function  | ipv6 tcp syncache   | Mandatory. By default, the IPv6 TCP syncache function is disabled.
Enable IPv6 TCP syncookies Function
This function stores no per-connection state for half-open connections. Instead, it derives the initial Sequence Number of the SYN+ACK with a special algorithm whose inputs are the peer's IPv6 address and port, the local IPv6 address and port, local information that the peer cannot know, and values such as the MSS and the current time. When the peer's ACK arrives, the server recomputes the value and compares it with the acknowledgment number in that ACK minus 1; only if they match is a TCB allocated.
Table 5-22 Enable the IPv6 TCP syncookies function
Step                                     | Command               | Description
Enter the global configuration mode      | configure terminal    | -
Enable the IPv6 TCP syncookies function  | ipv6 tcp syncookies   | Mandatory. By default, the IPv6 TCP syncookies function is disabled.
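The two mechanisms above (the syncache described before Table 5-21 and the syncookies described before Table 5-22) are modelled below as an added example; this is constructed illustration code, not the device's implementation. The syncache is a bounded dictionary of half-open connections; the SYN cookie follows the classic layout (a time counter and an MSS-table index encoded in the top bits, a keyed hash of the endpoints in the rest), which goes beyond the page's description and is an assumption here, as are the addresses, ports, secret, MSS table and cache size. Because a stateless cookie carries no stored state, the peer's MSS survives only as a table index, which is why the verifier returns an approximated MSS for the new TCB.

```python
"""Constructed model of the IPv6 TCP syncache and syncookies defences.

All addresses, ports, the secret, the MSS table and the cache size are
assumptions for illustration, not values from the device documentation.
"""
import hashlib
import hmac
import ipaddress
import struct

# Local value the peer cannot know (constructed; a real stack rotates it).
SECRET = b"constructed-secret-not-from-the-manual"

# MSS values a cookie can encode; the peer's MSS is rounded down to one of
# these because the cookie only has room for a 3-bit index (assumption).
MSS_TABLE = [536, 1220, 1440, 1460]

TIME_BITS, MSS_BITS = 5, 3          # 32-bit ISN = 5 time bits | 3 MSS bits | 24 hash bits
HASH_MASK = (1 << (32 - TIME_BITS - MSS_BITS)) - 1


def _endpoint_hash(peer_ip, peer_port, local_ip, local_port, t, mss_idx):
    """Keyed hash over peer/local endpoints, time counter and MSS index."""
    msg = (ipaddress.IPv6Address(peer_ip).packed
           + struct.pack("!H", peer_port)
           + ipaddress.IPv6Address(local_ip).packed
           + struct.pack("!HIB", local_port, t, mss_idx))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(peer_ip, peer_port, local_ip, local_port, peer_mss, t):
    """ISN for the SYN+ACK; nothing is stored for the half-open connection."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= peer_mss), default=0)
    h = _endpoint_hash(peer_ip, peer_port, local_ip, local_port, t, mss_idx)
    return (((t % (1 << TIME_BITS)) << (32 - TIME_BITS))
            | (mss_idx << (32 - TIME_BITS - MSS_BITS))
            | h)


def check_syn_cookie(peer_ip, peer_port, local_ip, local_port, ack, now, max_age=3):
    """On the final ACK, recompute the cookie from (ack - 1).

    Returns the MSS to use for the new TCB, or None if the cookie is forged
    or older than max_age time ticks (so a TCB is not allocated).
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t_field = cookie >> (32 - TIME_BITS)
    mss_idx = (cookie >> (32 - TIME_BITS - MSS_BITS)) & ((1 << MSS_BITS) - 1)
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        t = now - age
        if t < 0 or t % (1 << TIME_BITS) != t_field:
            continue
        if _endpoint_hash(peer_ip, peer_port, local_ip, local_port, t, mss_idx) == (cookie & HASH_MASK):
            return MSS_TABLE[mss_idx]
    return None


class SynCacheServer:
    """Half-open connections live in a bounded cache; a TCB is allocated only
    when the ACK matching the cached ISN arrives."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.cache = {}          # (peer_ip, peer_port) -> ISN sent in SYN+ACK
        self.tcbs = []           # established connections (TCB allocated)
        self.dropped_syns = 0

    def on_syn(self, peer_ip, peer_port, isn):
        if len(self.cache) >= self.max_entries:
            self.dropped_syns += 1   # cache full: drop; a real peer retransmits
            return False
        self.cache[(peer_ip, peer_port)] = isn
        return True                  # SYN+ACK sent with this ISN

    def on_ack(self, peer_ip, peer_port, ack):
        isn = self.cache.get((peer_ip, peer_port))
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False             # no half-open entry, or wrong ACK
        del self.cache[(peer_ip, peer_port)]
        self.tcbs.append((peer_ip, peer_port))
        return True


def flood_demo(n_bogus=10_000, cache_size=64):
    """Spoofed SYNs that never ACK: memory stays bounded by cache_size."""
    srv = SynCacheServer(cache_size)
    for i in range(n_bogus):
        srv.on_syn(f"2001:db8::{i + 1:x}", 40000, isn=i)
    return len(srv.cache), len(srv.tcbs), srv.dropped_syns


def cookie_demo():
    """Valid ACK, wrong ACK and stale ACK against the same cookie."""
    peer, local = ("2001:db8::1", 51000), ("2001:db8::ffff", 80)
    c = make_syn_cookie(*peer, *local, peer_mss=1460, t=100)
    return (check_syn_cookie(*peer, *local, ack=c + 1, now=101),
            check_syn_cookie(*peer, *local, ack=c + 2, now=101),
            check_syn_cookie(*peer, *local, ack=c + 1, now=110))


if __name__ == "__main__":
    print("syncache (cached, tcbs, dropped):", flood_demo())
    print("syncookie (valid, wrong, stale):", cookie_demo())
```

The syncache bounds memory but still drops new SYNs once the cache is full; the cookie bounds memory to zero but can only reconstruct what fits in 32 bits, so it rejects ACKs older than a few time ticks and approximates the MSS.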