Cisco Cisco ASR 5700
ACS Rulebase Configuration Mode Commands
firewall tcp-syn-flood-intercept ▀
Command Line Interface Reference, StarOS Release 17 ▄
717
firewall tcp-syn-flood-intercept
This command allows you to configure the TCP intercept parameters to prevent TCP SYN flooding attacks by
intercepting and validating TCP connection requests for DoS protection mechanism configured with the
intercepting and validating TCP connection requests for DoS protection mechanism configured with the
dos-
protection
command.
Important:
In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS
8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later
releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy
Configuration Mode.
releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy
Configuration Mode.
Product
PSF
Privilege
Security Administrator, Administrator
Mode
Exec > ACS Configuration > Rulebase Configuration
active-charging service service_name > rulebase rulebase_name
Entering the above command sequence results in the following prompt:
[local]host_name(config-rule-base)#
Syntax
firewall tcp-syn-flood-intercept { mode { none | watch [ aggressive ] } | watch-timeout
intercept_watch_timeout }
intercept_watch_timeout }
default firewall tcp-syn-flood-intercept { mode | watch-timeout }
default
Sets the default values of TCP intercept parameters for SYN Flood DoS protection.
mode { none | watch [ aggressive ] }
Specifies the TCP SYN flood intercept mode:
none
: Disables TCP SYN flood intercept feature.
watch
: Configures TCP SYN flood intercept feature in watch mode. Stateful Firewall passively
watches to see if TCP connections become established within a configurable interval. If connections
are not established within the timeout period, Stateful Firewall clears the half-open connections by
sending RST to TCP client and server. The default watch-timeout for connection establishment is 30
seconds.
are not established within the timeout period, Stateful Firewall clears the half-open connections by
sending RST to TCP client and server. The default watch-timeout for connection establishment is 30
seconds.
aggressive
: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each
new connection request causes the oldest incomplete connection to be deleted. When operating in
watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under
aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit
timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the
amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150
seconds from 300 seconds under aggressive conditions).
watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under
aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit
timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the
amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150
seconds from 300 seconds under aggressive conditions).