Cisco Packet Data Gateway (PDG) Troubleshooting Guide
ACS Rulebase Configuration Mode Commands
firewall tcp-syn-flood-intercept
Cisco ASR 5000 Series Command Line Interface Reference
OL-22947-02
firewall tcp-syn-flood-intercept
This command enables and configures the TCP intercept parameters to prevent TCP SYN flooding attacks by
intercepting and validating TCP connection requests for the DoS protection mechanism configured with the
command.
Important:
In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS
8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for
Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy
Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
Sets the default values of TCP intercept parameters for SYN Flood DoS protection.
Specifies the TCP SYN flood intercept mode:
: Disables the TCP SYN flood intercept feature.
: Configures the TCP SYN flood intercept feature in watch mode. The firewall passively watches to
see whether TCP connections become established within a configurable interval. If connections are not
established within the timeout period, the firewall clears the half-open connections by sending RST
to the TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
: Configures the TCP SYN flood intercept or watch feature for aggressive behavior. Each
new connection request causes the oldest incomplete connection to be deleted. When operating in
watch mode, the watch timeout is reduced by half: if the watch-timeout is 30 seconds, under
aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit
timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the
amount of time spent waiting for connections to be established is reduced by half (i.e. it is reduced to 150
seconds from 300 seconds under aggressive conditions).
Default:
Specifies the TCP intercept watch timeout, in seconds.
must be an integer from 5 through 30.
Default: 30
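As an added illustration (not code from the Cisco reference or StarOS), the following Python model replays a constructed SYN/ACK trace against the watch-mode and aggressive-mode behavior described above: half-open flows are tracked from the SYN, cleared after the watch timeout, and in aggressive mode the timeout is halved and each new connection request evicts the oldest incomplete connection. The class, the flow labels and the sample trace are assumptions for illustration; the real firewall's attack thresholds and RST handling are not modeled.

```python
from collections import OrderedDict

class SynFloodWatch:
    """Watch mode of firewall tcp-syn-flood-intercept: flows are half-open from
    SYN until the handshake completes and are cleared (RST) on watch timeout."""

    def __init__(self, watch_timeout=30, aggressive=False):
        if not 5 <= watch_timeout <= 30:
            raise ValueError("watch-timeout must be an integer from 5 through 30")
        # Aggressive mode halves the watch timeout (30 s becomes 15 s).
        self.timeout = watch_timeout / 2 if aggressive else watch_timeout
        self.aggressive = aggressive
        self.half_open = OrderedDict()  # flow -> SYN time, oldest first
        self.reset = []                 # flows cleared with a (simulated) RST

    def syn(self, flow, now):
        self.expire(now)
        # Aggressive: each new request deletes the oldest incomplete connection.
        if self.aggressive and self.half_open:
            self.reset.append(self.half_open.popitem(last=False)[0])
        self.half_open[flow] = now

    def established(self, flow, now):
        self.expire(now)  # handshake done: the flow is no longer half-open
        return self.half_open.pop(flow, None) is not None

    def expire(self, now):
        expired = [f for f, t in self.half_open.items() if now - t >= self.timeout]
        for f in expired:  # clear and record everything that timed out
            del self.half_open[f]
            self.reset.append(f)
        return expired

def run_trace(events, watch_timeout=30, aggressive=False):
    """Replay (time, 'SYN' | 'ACK', flow) events; return the flows cleared."""
    w, last = SynFloodWatch(watch_timeout, aggressive), 0
    for now, kind, flow in sorted(events):
        last = now
        w.syn(flow, now) if kind == "SYN" else w.established(flow, now)
    w.expire(last + w.timeout)  # drain whatever is still half-open at the end
    return list(w.reset)

# Constructed sample trace (not from the page): the middle handshake
# completes, the first and last SYNs never do.
SAMPLE = [
    (0, "SYN", "10.0.0.1:40000->192.0.2.10:80"),
    (1, "SYN", "10.0.0.2:40001->192.0.2.10:80"),
    (2, "ACK", "10.0.0.2:40001->192.0.2.10:80"),
    (20, "SYN", "10.0.0.3:40002->192.0.2.10:80"),
]
```

With the default 30-second watch-timeout both unanswered SYNs are cleared only when they time out; with aggressive set, the first one is evicted the moment the second SYN arrives and the rest expire after 15 seconds.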