Security CLI Commands
2/1553-ZAT 759 94 Uen B – December 2005
585
19.40 security set IDS MaxTCPopenhandshake
19.40.1 Syntax
security set IDS MaxTCPopenhandshake <max>
19.40.2 Description
This command sets the maximum number of unfinished TCP handshaking
sessions per second that are allowed before a SYN Flood is detected. A SYN
Flood is a DoS (Denial of Service) attack. When a normal TCP connection is
established, three packets are exchanged:
1. A SYN (synchronize) packet is sent from the host to the network server.
2. A SYN/ACK packet is sent from the network server to the host.
3. An ACK (acknowledge) packet is sent from the host to the network server.
If the host uses unreachable (spoofed) source addresses in its SYN packets, the server
sends the SYN/ACK packets to those unreachable addresses and keeps
retransmitting them. This creates a backlog queue of unacknowledged SYN/ACK
packets. Once the queue is full, the system ignores all incoming SYN
requests and no legitimate TCP connections can be established.
Once the maximum number of unfinished TCP handshaking sessions is
reached, an attempted DoS attack is detected. The suspected attacker is
blocked for the time limit specified in the security set IDS DOSattackblock
command.
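The detection rule described above (count half-open handshakes per source within a one-second window, block the source for a fixed period once the maximum is exceeded) can be modelled in a few lines. The following is an added illustration, not the product's own code: the one-second counting window, the 30 s handshake timeout, the event format and the sample traffic are all assumptions made for the demonstration.

```python
"""Illustrative SYN-flood detector modelled on the MaxTCPopenhandshake and
DOSattackblock parameters.  Added example, not product code: the counting
window, the handshake-timeout pruning and the packet event format are
assumptions made for the demonstration."""

from collections import defaultdict

HANDSHAKE_TIMEOUT = 30.0   # assumption: a SYN unanswered this long is forgotten
WINDOW = 1.0               # "per second" window from the command description


class SynFloodDetector:
    def __init__(self, max_open_handshakes, block_seconds):
        self.max_open = max_open_handshakes     # MaxTCPopenhandshake <max>
        self.block_seconds = block_seconds      # DOSattackblock duration
        self.half_open = defaultdict(dict)      # src -> {sport: time of SYN}
        self.blocked_until = {}                 # src -> time the block expires
        self.alerts = []                        # (time, src, half-open count)

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0.0) > now

    def _prune(self, src, now):
        # Forget handshakes that have been pending longer than the timeout.
        table = self.half_open[src]
        for sport in [p for p, t in table.items() if now - t > HANDSHAKE_TIMEOUT]:
            del table[sport]

    def observe(self, ts, src, sport, flag):
        """Feed one host-side packet (timestamp, source IP, source port, flag)
        and return the verdict: pending, completed, blocked, dropped or ignored."""
        if self.is_blocked(src, ts):
            return "dropped"            # source is still inside its block period
        self._prune(src, ts)
        table = self.half_open[src]
        if flag == "SYN":
            table[sport] = ts           # step 1: SYN opens an unfinished handshake
            recent = sum(1 for t in table.values() if ts - t < WINDOW)
            if recent > self.max_open:
                # Threshold exceeded within one second: detect and block.
                self.blocked_until[src] = ts + self.block_seconds
                self.alerts.append((ts, src, recent))
                table.clear()
                return "blocked"
            return "pending"
        if flag == "ACK":
            # step 3: the host's ACK completes the handshake (SYN/ACK is server-side)
            if table.pop(sport, None) is not None:
                return "completed"
        return "ignored"


# Constructed sample traffic (RFC 5737 documentation addresses), not captured data.
SAMPLE = [
    (0.00, "192.0.2.10", 40001, "SYN"),
    (0.05, "192.0.2.10", 40001, "ACK"),      # legitimate client finishes handshake
    (0.10, "198.51.100.7", 50001, "SYN"),
    (0.15, "198.51.100.7", 50002, "SYN"),
    (0.20, "198.51.100.7", 50003, "SYN"),
    (0.25, "198.51.100.7", 50004, "SYN"),
    (0.30, "198.51.100.7", 50005, "SYN"),
    (0.35, "198.51.100.7", 50006, "SYN"),    # 6th half-open SYN inside one second
    (0.40, "198.51.100.7", 50007, "SYN"),    # dropped: source is now blocked
    (0.50, "192.0.2.10", 40002, "SYN"),      # other hosts are unaffected
    (11.0, "198.51.100.7", 50008, "SYN"),    # 10 s block has expired
]


def run_sample(max_open=5, block_seconds=10.0):
    """Replay SAMPLE with <max> = 5 and a 10 s block; return verdicts and alerts."""
    det = SynFloodDetector(max_open, block_seconds)
    verdicts = [det.observe(*pkt) for pkt in SAMPLE]
    return verdicts, det.alerts


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()[0]):
        print(f"{pkt[0]:5.2f}s {pkt[1]:14s} {pkt[3]:4s} -> {verdict}")
```

The legitimate client's ACK removes its entry from the half-open table, so only handshakes that never complete count towards the limit; once the block expires the source is evaluated afresh, which matches the "blocked for the time limit" behaviour of DOSattackblock.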
Note: This CLI command is case-sensitive. You must type the command
attributes exactly as they appear in the syntax section of this page. If
you do not use the same case-sensitive syntax, the command fails
and the CLI displays a syntax error message.
19.40.3 Options
The following table gives the range of values for each option that can be
specified with this command and its default value (if applicable).