Configuring TCP client verification
Configure TCP client verification on the interface that is connected to the external network. TCP client verification protects internal TCP servers against TCP flood attacks, including the following flood attacks:
- SYN.
- SYN-ACK.
- RST.
- FIN.
- ACK.
IP addresses protected by TCP client verification can be manually added or automatically learned:
- You can manually add protected IP addresses. The device performs client verification when it receives the first SYN packet destined for a protected IP address.
- TCP client verification can automatically add victims' IP addresses to the protected IP list when collaborating with flood attack detection. Make sure client-verify is specified as the flood attack prevention action. For more information, see "Configuring a flood attack defense policy."
If a TCP client is verified legitimate in safe reset mode, the device adds the client's IP address to the trusted IP list. The device directly forwards TCP packets from trusted IP addresses.
TCP client verification can be used alone or together with a TCP flood attack defense policy.
To configure TCP client verification:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Specify an IP address to be protected by the TCP client verification feature. | client-verify tcp protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] | By default, the TCP client verification feature does not protect any IP address. |
3. Enter interface view. | interface interface-type interface-number | N/A |
4. Enable TCP client verification. | | By default, TCP client verification is disabled. |
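The following is an added example, not code from the product documentation, that models the verification behaviour described above: a protected IP list (manually added or learned from flood detection), a trusted IP list, and safe reset verification of the first SYN from an unknown client. The challenge detail (a SYN-ACK with a deliberately wrong acknowledgment number, which a real TCP stack answers with RST) is an assumption about how safe reset mode works and is simplified; class and method names are hypothetical.

```python
# Simplified model of TCP client verification in safe reset mode.
# Packets are represented by source IP, destination IP, destination port
# and a set of flag names such as {"SYN"} or {"RST"}.

class TcpClientVerifier:
    def __init__(self):
        self.protected = {}   # dst IP -> set of ports; empty set = all ports
        self.trusted = set()  # client IPs that passed verification
        self.pending = {}     # client IP -> ack number used in the challenge

    def protect(self, ip, port=None):
        """Manual addition, like 'client-verify tcp protected ip ... [port ...]'."""
        ports = self.protected.setdefault(ip, set())
        if port is not None:
            ports.add(port)

    def learn_victim(self, ip):
        """Automatic addition when flood detection uses the client-verify action."""
        self.protected.setdefault(ip, set())

    def is_protected(self, dst, dport):
        ports = self.protected.get(dst)
        return ports is not None and (not ports or dport in ports)

    def process(self, src, dst, dport, flags, seq=0):
        """Return the action taken: 'forward', 'challenge', 'trust' or 'drop'."""
        if not self.is_protected(dst, dport) or src in self.trusted:
            # Unprotected destination or already-trusted client: forward directly.
            return "forward"
        if flags == {"SYN"}:
            # Assumed safe reset challenge: answer with a SYN-ACK whose ack
            # number is intentionally wrong and remember the client.
            self.pending[src] = seq + 1000  # constructed bogus ack number
            return "challenge"
        if flags == {"RST"} and src in self.pending:
            # A genuine stack answers the bogus SYN-ACK with RST, proving the
            # source address is real and reachable; trust it from now on.
            del self.pending[src]
            self.trusted.add(src)
            return "trust"
        # Anything else from an unverified source (spoofed SYN/ACK/FIN/RST
        # flood packets) is dropped without reaching the server.
        return "drop"

def spoofed_syn_flood(verifier, dst, dport, count):
    """Constructed flood from never-answering sources; returns trusted additions."""
    before = len(verifier.trusted)
    for i in range(count):
        verifier.process(f"198.51.100.{i % 250 + 1}", dst, dport, {"SYN"})
    return len(verifier.trusted) - before
```

Spoofed sources never complete the challenge, so they never enter the trusted list, while a legitimate client is challenged once and then forwarded directly.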