Configuring tcp attributes, Enabling the syn cookie feature – H3C Technologies H3C S5120 Series Switches User Manual

Page 216


Enabling Forwarding of Directed Broadcasts to a Directly Connected Network

If a device is enabled to receive directed broadcasts, it decides whether to forward them according to the configuration on the outgoing interface. Forwarding is off by default for a reason: a directed broadcast delivered onto a LAN segment makes every host on that segment reply, so an attacker who spoofs the source address can turn one packet into many (the classic Smurf amplification attack). Enable forwarding only on interfaces that need it, and restrict it with an ACL.

Follow these steps to enable the device to forward directed broadcasts:

To do…                               Use the command…                               Remarks
Enter system view                    system-view
Enter interface view                 interface interface-type interface-number
Enable the interface to forward      ip forward-broadcast [ acl acl-number ]        Required. By default, the device is
directed broadcasts                                                                 disabled from forwarding directed
                                                                                    broadcasts.

- If an ACL is referenced in the ip forward-broadcast [ acl acl-number ] command, only directed broadcasts permitted by the ACL are forwarded on that interface.

- If you execute the ip forward-broadcast [ acl acl-number ] command repeatedly on an interface, only the last executed command takes effect. If the last executed command does not include acl acl-number, the previously configured ACL is removed and all directed broadcasts received on that interface are forwarded.
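The procedure above, written out as a complete configuration session. This is an added example, not taken from the manual: the basic ACL 2000 (source 10.1.1.0/24), the VLAN interface number and the device name Sysname are assumptions chosen for illustration; the acl number, rule permit source and undo command forms are the usual Comware syntax and are also assumed here. The ip forward-broadcast acl command itself is the one documented on this page.

```text
# Define a basic ACL that permits only the management subnet as the source.
# (ACL number, subnet and wildcard mask are assumptions for this example.)
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
[Sysname-acl-basic-2000] quit

# Enable directed-broadcast forwarding on the outgoing interface, filtered by ACL 2000.
# Only directed broadcasts whose source is permitted by the ACL are forwarded.
[Sysname] interface vlan-interface 20
[Sysname-Vlan-interface20] ip forward-broadcast acl 2000

# Re-running the command without the ACL keyword replaces the previous setting
# and removes the ACL, so every directed broadcast on the interface is forwarded.
# Keep the filtered form; use the ACL-less form only where that is intended.
#   [Sysname-Vlan-interface20] ip forward-broadcast

# To return to the secure default (no forwarding) on this interface:
[Sysname-Vlan-interface20] undo ip forward-broadcast
[Sysname-Vlan-interface20] quit
```

Because the last executed command wins, audit interfaces after any change: an ip forward-broadcast line with no acl keyword in the running configuration means unfiltered forwarding is enabled on that interface.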

Configuring TCP Attributes

Enabling the SYN Cookie Feature

As a general rule, a TCP connection is established by a three-way handshake:

1) The request originator sends a SYN message to the target server.

2) After receiving the SYN message, the target server creates a TCP connection in the SYN_RECEIVED state (a half-open connection that consumes memory), returns a SYN ACK message to the originator, and waits for a response.

3) After receiving the SYN ACK message, the originator returns an ACK message. The TCP connection is then established.

Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server, typically with spoofed source addresses, and never respond to the SYN ACK messages. As a result, the server accumulates a large number of half-open connections in the SYN_RECEIVED state, its connection resources are exhausted, and it can no longer serve legitimate clients.

The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server returns a SYN ACK message directly, instead of creating a half-open TCP connection; the information needed to complete the handshake is encoded in the sequence number of the SYN ACK (the cookie) rather than stored on the server. Only after receiving an ACK message that carries a valid cookie does the server create the connection, which then enters the ESTABLISHED state. In this way, large numbers of half-open TCP connections are avoided and the server is protected against SYN Flood attacks.
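The mechanism described above, as an added example that is not the switch's implementation or any code from the manual: a toy listener that can run either with a classic half-open backlog or with SYN cookies, driven by a constructed SYN Flood from spoofed sources followed by one legitimate client. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC), the MSS table, the secret, the backlog size and the addresses are all assumptions chosen for illustration; how an H3C device encodes its cookies is not documented on this page.

```python
import hashlib
import hmac
import random
import struct

# Constructed secret for this example only; a real stack rotates its secrets.
SECRET = b"example-syn-cookie-secret"
# MSS values a cookie can encode in 3 bits (the table itself is an assumption).
MSS_TABLE = (536, 1300, 1440, 1460)
# Cookie layout, Bernstein-style: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
COUNTER_BITS, MSS_BITS, MAC_BITS = 5, 3, 24
MASK32 = 0xFFFFFFFF


def _mac24(saddr, daddr, sport, dport, client_isn, t, secret):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{saddr}|{daddr}".encode() + struct.pack("!HHIB", sport, dport, client_isn, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, counter, secret=SECRET):
    """Server ISN for the SYN ACK. The server keeps no state for this SYN."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    t = counter & ((1 << COUNTER_BITS) - 1)
    mac = _mac24(saddr, daddr, sport, dport, client_isn, t, secret)
    return (t << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac


def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, counter, secret=SECRET, max_age=1):
    """Validate the final ACK; return the encoded MSS if the cookie is fresh and genuine, else None."""
    cookie = (ack - 1) & MASK32          # the ACK acknowledges our ISN + 1
    client_isn = (seq - 1) & MASK32      # the client's SEQ is its ISN + 1
    t = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    if ((counter - t) & ((1 << COUNTER_BITS) - 1)) > max_age:
        return None                      # stale cookie (replayed or very late ACK)
    if (cookie & ((1 << MAC_BITS) - 1)) != _mac24(saddr, daddr, sport, dport, client_isn, t, secret):
        return None                      # forged ACK, or ACK from a different 4-tuple
    return MSS_TABLE[mss_idx]


class Listener:
    """Toy TCP listener: classic half-open backlog versus SYN cookie mode."""

    def __init__(self, addr="10.0.0.1", port=80, syn_cookie=False, backlog=128):
        self.addr, self.port, self.syn_cookie, self.backlog = addr, port, syn_cookie, backlog
        self.half_open = {}    # (saddr, sport) -> (client_isn, server_isn, mss): SYN_RECEIVED
        self.established = {}  # (saddr, sport) -> mss
        self.counter = 0       # coarse time counter used by the cookies

    def on_syn(self, saddr, sport, client_isn, mss):
        """Handshake step 2: return the ISN sent in the SYN ACK, or None if the SYN is dropped."""
        if self.syn_cookie:
            return make_syn_cookie(saddr, self.addr, sport, self.port, client_isn, mss, self.counter)
        if len(self.half_open) >= self.backlog:
            return None        # backlog exhausted: the SYN Flood failure mode
        isn = random.getrandbits(32)
        self.half_open[(saddr, sport)] = (client_isn, isn, mss)
        return isn

    def on_ack(self, saddr, sport, seq, ack):
        """Handshake step 3: return True if the connection reaches ESTABLISHED."""
        key = (saddr, sport)
        mss = None
        if self.syn_cookie:
            mss = check_syn_cookie(saddr, self.addr, sport, self.port, seq, ack, self.counter)
        else:
            entry = self.half_open.get(key)
            if entry and seq == (entry[0] + 1) & MASK32 and ack == (entry[1] + 1) & MASK32:
                mss = entry[2]
                del self.half_open[key]
        if mss is None:
            return False
        self.established[key] = mss
        return True


def run_scenario(syn_cookie, flood_size=1000):
    """Constructed SYN Flood from spoofed sources, then one legitimate client."""
    srv = Listener(syn_cookie=syn_cookie)
    for i in range(flood_size):   # attackers never answer the SYN ACK
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, random.getrandbits(32), 1460)
    client_isn, mss = 1000, 1460
    isn = srv.on_syn("198.51.100.7", 40000, client_isn, mss)
    ok = isn is not None and srv.on_ack("198.51.100.7", 40000, client_isn + 1, (isn + 1) & MASK32)
    return {"half_open": len(srv.half_open), "legit_established": ok,
            "mss": srv.established.get(("198.51.100.7", 40000))}


if __name__ == "__main__":
    print("backlog mode:   ", run_scenario(syn_cookie=False))
    print("SYN cookie mode:", run_scenario(syn_cookie=True))
```

In backlog mode the flood fills the half-open table and the legitimate client's SYN is dropped; in cookie mode nothing is stored per SYN, the legitimate ACK validates against the recomputed MAC and the connection is established. The model also shows the trade-off of the technique: the server only gets back what the cookie encodes (here the MSS index), so a stateless SYN ACK cannot preserve other options the client sent in its SYN, and the MAC must be keyed with a secret and bound to a time counter, otherwise an attacker could forge or replay ACKs to open connections without ever sending a SYN.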
