Configuring TCP client verification

Configure TCP client verification on the interface that is connected to the external network. TCP client verification protects internal TCP servers against TCP flood attacks, including the following flood attacks:

IP addresses protected by TCP client verification can be manually added or automatically learned:

If a TCP client is verified as legitimate in safe reset mode, the device adds the client's IP address to the trusted IP list. The device then forwards TCP packets from trusted IP addresses directly, without verifying them again.

TCP client verification can be used alone or together with a TCP flood attack defense policy.
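To show what the SYN cookie verification and the trusted-IP fast path look like at packet level, the following Python model is an added example; it is not the device's implementation and the page does not describe the device's cookie format. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the 4-tuple), the 64-second window, the 300-second trust lifetime, the MSS table, the secret key and all packet contents are assumptions constructed for the example. The trusted-list behaviour follows the statement above that a verified client's later packets are forwarded directly.

```python
"""Model of SYN-cookie client verification with a trusted-IP fast path.

Added example: a generic RFC 4987-style cookie, not the device's own format.
Packets are plain dicts constructed inline; no sockets are used.
"""
import hashlib
import hmac
import ipaddress

MSS_TABLE = (536, 1220, 1440, 1460)  # assumed: MSS values encodable in 3 bits
WINDOW = 64                          # assumed: seconds per cookie counter step
TRUST_TTL = 300                      # assumed: seconds a verified client stays trusted


class TcpClientVerifier:
    def __init__(self, secret: bytes, clock):
        self.secret = secret
        self.clock = clock      # callable returning epoch seconds (injectable for tests)
        self.trusted = {}       # client IP -> expiry time

    def _counter(self):
        return int(self.clock()) // WINDOW

    def _hash24(self, pkt, counter):
        """24-bit keyed hash over the 4-tuple and the time counter."""
        msg = (ipaddress.ip_address(pkt["src"]).packed
               + ipaddress.ip_address(pkt["dst"]).packed
               + pkt["sport"].to_bytes(2, "big")
               + pkt["dport"].to_bytes(2, "big")
               + counter.to_bytes(8, "big"))
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make_cookie(self, syn):
        """Cookie = 5 bits of counter | 3 bits of MSS index | 24 bits of hash + client ISN."""
        counter = self._counter()
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= syn.get("mss", 536)), default=0)
        low = (self._hash24(syn, counter) + syn["seq"]) & 0xFFFFFF
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | low

    def check_cookie(self, ack, cookie):
        """Return the encoded MSS if the cookie is valid for this or the previous window, else None."""
        now = self._counter()
        field = cookie >> 27
        if field == now & 0x1F:
            counter = now
        elif field == (now - 1) & 0x1F:
            counter = now - 1
        else:
            return None                         # too old: a replayed or stale cookie
        client_isn = ack["seq"] - 1             # the final ACK carries ISN + 1
        if (self._hash24(ack, counter) + client_isn) & 0xFFFFFF != cookie & 0xFFFFFF:
            return None                         # wrong 4-tuple, wrong key window or guessed number
        return MSS_TABLE[(cookie >> 24) & 0x7]

    def process(self, pkt):
        """Decide what to do with one packet from the external side: (action, detail)."""
        now = self.clock()
        expiry = self.trusted.get(pkt["src"])
        if expiry is not None and expiry > now:
            return ("forward", "trusted")        # fast path: no handshake check at all
        if pkt["flags"] == "SYN":
            # Answer on the server's behalf; no per-connection state is kept.
            return ("syn-ack", self.make_cookie(pkt))
        if pkt["flags"] == "ACK":
            mss = self.check_cookie(pkt, (pkt["ack"] - 1) & 0xFFFFFFFF)
            if mss is None:
                return ("drop", "bad cookie")
            self.trusted[pkt["src"]] = now + TRUST_TTL
            return ("forward", "verified, mss=%d" % mss)
        return ("drop", "unverified")


def demo():
    """Constructed packet sequence; returns the list of actions taken."""
    t = [1_700_000_000.0]
    v = TcpClientVerifier(b"example-secret", lambda: t[0])
    syn = {"src": "203.0.113.5", "dst": "10.1.1.10", "sport": 40000, "dport": 80,
           "flags": "SYN", "seq": 12345, "mss": 1460}
    action, cookie = v.process(syn)
    ack = dict(syn, flags="ACK", seq=12346, ack=(cookie + 1) & 0xFFFFFFFF)
    out = [action, v.process(ack)[0]]                       # syn-ack, forward (verified)
    out.append(v.process(dict(syn, seq=999))[0])            # forward: client is now trusted
    spoof = dict(ack, src="198.51.100.77", ack=0x12345678)  # guessed ack number
    out.append(v.process(spoof)[0])                         # drop
    syn6 = dict(syn, src="203.0.113.6")
    syn7 = dict(syn, src="203.0.113.7")
    _, c6 = v.process(syn6)
    out.append("syn-ack")
    _, c7 = v.process(syn7)
    out.append("syn-ack")
    t[0] += WINDOW                                          # one window later: still valid
    out.append(v.process(dict(syn7, flags="ACK", seq=12346, ack=c7 + 1))[0])
    t[0] += 2 * WINDOW                                      # three windows later: stale
    out.append(v.process(dict(syn6, flags="ACK", seq=12346, ack=c6 + 1))[0])
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the model is what the device does not have to keep: no half-open connection entry exists between the SYN and the final ACK, so a SYN flood from spoofed sources costs only one hash per packet, while a real client that completes the handshake is added to the trusted list and bypasses the check afterwards.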

To configure TCP client verification:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. (Optional.) Specify an IP address to be protected by the TCP client verification feature.
   Command: client-verify tcp protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ]
   Remarks: By default, the TCP client verification feature does not protect any IP address.

3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

4. Enable TCP client verification.
   Command (safe reset mode): client-verify tcp enable mode safe-reset
   Command (SYN cookie mode): client-verify tcp enable [ mode syn-cookie ]
   Remarks: By default, TCP client verification is disabled. Because mode syn-cookie is optional, client-verify tcp enable without a mode keyword selects SYN cookie mode.
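The procedure above, carried through as one added example session (constructed here, not taken from the page): it protects TCP ports 80 and 443 of an assumed internal server 10.1.1.10 and enables safe reset mode on GigabitEthernet 1/0/1, an assumed external-facing interface. The device name, address, ports and interface are placeholders.

```text
<Sysname> system-view
[Sysname] client-verify tcp protected ip 10.1.1.10 port 80
[Sysname] client-verify tcp protected ip 10.1.1.10 port 443
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] client-verify tcp enable mode safe-reset
[Sysname-GigabitEthernet1/0/1] quit
```

To use SYN cookie mode instead, replace the interface-view command with client-verify tcp enable (the mode keyword may be omitted). Step 2 is optional, so omitting the protected lines applies verification on the interface without restricting it to the listed server addresses.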