Dhcp snooping configuration examples, Basic dhcp snooping configuration example, Configuring the tcp buffer size – H3C Technologies H3C S12500 Series Switches User Manual

Page 108: Configuring tcp timers

Advertising
background image

95

2.

The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,

and replies with a SYN ACK packet to the sender.

3.

The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is
established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number

of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server

establishes a large number of TCP semi-connections and can no longer handle normal services.
SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it

responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a

TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.
To enable TCP SYN Cookie:

Step Command Remarks

1.

Enter system view.

system-view

N/A

2.

Enable SYN Cookie.

tcp syn-cookie enable

The default setting is disabled.

104B

Configuring the TCP buffer size

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Configure the size of TCP receive/send

buffer.

tcp window window-size

The default buffer size is 64 KB.

105B

Configuring TCP timers

You can configure the following TCP timers:

SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response packet

is received within the SYN wait timer interval, TCP fails to establish the connection.

FIN wait timer—TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN
packet is received within the timer interval, TCP terminates the connection. If a FIN packet is

received, TCP changes connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts

the timer, and tears down the connection when the timer expires.

To configure TCP timers:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Configure TCP

timers.

Configure the TCP SYN wait timer:

tcp timer syn-timeout time-value

Configure the TCP FIN wait timer:

tcp timer fin-timeout time-value

By default:

The TCP SYN wait timer is 75

seconds.

The TCP FIN wait timer is 675

seconds.

Advertising
This manual is related to the following products:

H3C SR8800, H3C SR6600-X, H3C SR6600, H3C WX6000 Series Access Controllers, H3C WX5000 Series Access Controllers, H3C WX3000 Series Unified Switches, H3C LSWM1WCM10 Access Controller Module, H3C LSWM1WCM20 Access Controller Module, H3C LSQM1WCMB0 Access Controller Module, H3C LSRM1WCM2A1 Access Controller Module, H3C LSBM1WCM2A0 Access Controller Module, H3C S6800 Series Switches, H3C S3100V2 Series Switches, H3C S12500-X Series Switches, H3C S9800 Series Switches

Popular Brands
Popular manuals