tcp syn-cookie enable
Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.
Use undo tcp syn-cookie enable to disable SYN Cookie.
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
Default
SYN Cookie is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A TCP connection is established through a three-way handshake:
The sender sends a SYN packet to the server.
The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.
The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.
An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.
SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.
The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the sender.
Examples
# Enable SYN Cookie.
<Sysname> system-view [Sysname] tcp syn-cookie enable