Interface-based TCP client verification configuration example

Network requirements

As shown in Figure 193, configure TCP client verification in SYN cookie mode on the router to protect the internal servers against SYN flood attacks.

Figure 188: Network requirements

Configuration procedure

# Configure IP addresses for the interfaces on the router. (Details not shown.)

# Create attack defense policy a1.

<Router> system-view
[Router] attack-defense policy a1

# Enable global SYN flood attack detection.

[Router-attack-defense-policy-a1] syn-flood detect non-specific

# Set the global threshold for triggering SYN flood attack prevention to 10000.

[Router-attack-defense-policy-a1] syn-flood threshold 10000

# Specify logging and client-verify as the global actions against SYN flood attacks.

[Router-attack-defense-policy-a1] syn-flood action logging client-verify
[Router-attack-defense-policy-a1] quit

# Apply the attack defense policy a1 to interface GigabitEthernet 1/0/1.

[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] attack-defense apply policy a1
[Router-GigabitEthernet1/0/1] quit

# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 1/0/1.

[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] client-verify tcp enable mode syn-cookie
[Router-GigabitEthernet1/0/1] quit

Verifying the configuration

# Launch a SYN flood attack. (Details not shown.)

# Verify that the victim's IP address is added to the protected IP list for TCP client verification.

[Router] display client-verify tcp protected ip
IP address           VPN instance     Port  Type    Requested  Trusted
192.168.1.10         --               any   Dynamic 20         12
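The display output above shows 20 clients challenged (Requested) and 12 that proved themselves (Trusted) for the protected address 192.168.1.10. The following Python model, added here as an illustration and not part of the original example or of any vendor implementation, shows what SYN cookie mode buys the router: the SYN-ACK sequence number is a keyed MAC over the connection tuple and a coarse time slot, so no half-open state is kept per SYN, and only a client that returns the matching ACK number is added to the protected IP's trusted list. The secret, slot size, cookie layout and the Requested/Trusted bookkeeping are assumptions chosen for the example; the simulated traffic (12 legitimate clients, 8 spoofed SYNs) is constructed to reproduce the counters in the display output.

```python
"""Toy SYN cookie client verifier (constructed example, not device code)."""
import hashlib
import hmac
import struct

# Per-device MAC key; a real device generates and rotates this internally.
# Constructed value for this example.
SECRET = b"constructed-example-secret"
SLOT_SECONDS = 64   # time-slot granularity of a cookie (assumption)
SLOT_BITS = 3       # top 3 bits of the 32-bit cookie carry the slot tag
MAC_MASK = (1 << (32 - SLOT_BITS)) - 1
SLOT_MASK = (1 << SLOT_BITS) - 1


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def cookie_for_slot(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Stateless SYN-ACK sequence number bound to the 4-tuple, ISN and slot."""
    msg = (_ip_bytes(src_ip) + _ip_bytes(dst_ip)
           + struct.pack("!HHII", src_port, dst_port, client_isn, slot))
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    mac_part = int.from_bytes(mac[:4], "big") & MAC_MASK
    return ((slot & SLOT_MASK) << (32 - SLOT_BITS)) | mac_part


def syn_ack_seq(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Cookie the verifier sends in its SYN-ACK; nothing is stored."""
    return cookie_for_slot(src_ip, src_port, dst_ip, dst_port,
                           client_isn, int(now) // SLOT_SECONDS)


def ack_is_valid(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now):
    """Recompute the cookie from the ACK; accept current or previous slot only."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot_tag = cookie >> (32 - SLOT_BITS)
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):   # tolerate a slot rollover mid-handshake
        if (slot & SLOT_MASK) == slot_tag and cookie_for_slot(
                src_ip, src_port, dst_ip, dst_port, client_isn, slot) == cookie:
            return True
    return False


class TcpClientVerifier:
    """Models the per-protected-IP Requested and Trusted counters."""

    def __init__(self):
        self.requested = {}   # protected ip -> SYN-ACK challenges sent
        self.trusted = {}     # protected ip -> set of (client ip, port) verified

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, now):
        # A spoofed SYN costs one counter increment and one reply, no state.
        self.requested[dst_ip] = self.requested.get(dst_ip, 0) + 1
        return syn_ack_seq(src_ip, src_port, dst_ip, dst_port, client_isn, now)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now):
        if ack_is_valid(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now):
            self.trusted.setdefault(dst_ip, set()).add((src_ip, src_port))
            return True
        return False

    def counters(self, dst_ip):
        """(Requested, Trusted) as in 'display client-verify tcp protected ip'."""
        return self.requested.get(dst_ip, 0), len(self.trusted.get(dst_ip, set()))


def simulate(now=1_700_000_000):
    """Constructed traffic: 12 real clients plus 8 spoofed SYNs at 192.168.1.10."""
    verifier = TcpClientVerifier()
    server = ("192.168.1.10", 80)
    for i in range(12):                      # legitimate clients finish the handshake
        src, isn = (f"10.0.0.{i + 1}", 40000 + i), 1000 + i
        seq = verifier.on_syn(*src, *server, isn, now)
        verifier.on_ack(*src, *server, isn, (seq + 1) & 0xFFFFFFFF, now + 1)
    for i in range(8):                       # spoofed sources never see the SYN-ACK
        src, isn = (f"203.0.113.{i + 1}", 50000 + i), 5000 + i
        verifier.on_syn(*src, *server, isn, now)
        if i % 2 == 0:                       # some answer with a guessed ACK number
            verifier.on_ack(*src, *server, isn, 12345, now + 1)
    return verifier.counters(server[0])


if __name__ == "__main__":
    print(simulate())
```

Because the verifier stores nothing until a correct ACK arrives, a flood of SYNs from forged addresses only raises the Requested counter; the Trusted count grows only with clients that actually hold the address they claim. The slot tag in the cookie also bounds how long a captured SYN-ACK stays replayable.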