Cisco Packet Data Gateway (PDG) Troubleshooting Guide
Active Charging Service Configuration Mode Commands
firewall tcp-syn-flood-intercept
Cisco ASR 5000 Series Command Line Interface Reference
OL-22948-01
watch mode, the watch timeout is reduced by half: if the watch timeout is 30 seconds, under aggressive
conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by
half (a 60-second timeout becomes 30 seconds), so the total time the system waits for connections to be
established is also halved (from 300 seconds to 150 seconds under aggressive conditions).
Default: 60
Specifies the SYN-Proxy retransmit timeout in seconds: how long the system waits for the target to answer a
proxy SYN before sending the proxy SYN to the target again. This keyword works in conjunction with
keyword.
The retransmit timeout specifies the duration in seconds the system waits before sending the proxy SYN, and
must be an integer from 15 through 60.
Default: 30
The watch timeout specifies the TCP intercept watch timeout in seconds, the time the system allows a watched
connection to complete its handshake, and must be an integer from 5 through 30.
Usage
This TCP intercept functionality protects targets against TCP SYN flooding attacks.
The system captures TCP SYN requests and responds with TCP SYN-ACKs on the target's behalf. If the
connection initiator completes the handshake with a TCP ACK, the system considers the connection request
valid and forwards the initiator's original TCP SYN to the target, which triggers the target to send a TCP
SYN-ACK. The system intercepts that SYN-ACK and sends the TCP ACK that completes the handshake with the
target. Any TCP packet received before the handshake is completed is discarded. Because the target only
ever sees SYNs from initiators that have already answered a SYN-ACK, half-open connections from spoofed or
unresponsive sources are held by the system instead of consuming the target's connection backlog.
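The handshake sequence described under Usage, together with the aggressive-mode timer arithmetic given for the retransmit timeout, as an added Python model that is not part of this Cisco reference and is not ASR 5000 code: the system answers the initiator's SYN itself, replays the original SYN to the target only after the initiator's ACK arrives, intercepts the target's SYN-ACK, and discards anything received before the handshake completes. The endpoint strings, the five-attempt proxy-SYN count (chosen so that 5 x 60 seconds reproduces the 300-second figure above) and the reuse of the watch timeout to expire initiators that never answer are assumptions of this model, not documented behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:  # minimal TCP segment: only the flags and fields the intercept logic looks at
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


@dataclass
class Flow:
    state: str                             # CLIENT_HALF_OPEN -> PROXY_SYN_SENT -> ESTABLISHED
    timer: float                           # start of the current wait
    attempts: int = 0                      # proxy SYNs sent to the target so far
    pending_syn: Optional[Segment] = None  # initiator's original SYN, replayed to the target


def effective_timeouts(retransmit_timeout=60, watch_timeout=30, aggressive=False) -> Tuple[int, int]:
    """Enforce the documented ranges (15-60 s and 5-30 s) and apply the aggressive halving rule."""
    if not 15 <= retransmit_timeout <= 60:
        raise ValueError("retransmit timeout must be an integer from 15 through 60")
    if not 5 <= watch_timeout <= 30:
        raise ValueError("watch timeout must be an integer from 5 through 30")
    return (retransmit_timeout // 2, watch_timeout // 2) if aggressive else (retransmit_timeout, watch_timeout)


class SynProxy:
    """Intercept mode: the system finishes the handshake with the initiator before the target sees a SYN."""
    MAX_ATTEMPTS = 5  # assumption: 5 proxy-SYN attempts, so 5 x 60 s matches the page's 300 s figure

    def __init__(self, retransmit_timeout=60, watch_timeout=30, aggressive=False):
        self.retransmit_timeout, self.watch_timeout = effective_timeouts(retransmit_timeout, watch_timeout, aggressive)
        self.flows: Dict[Tuple[str, str], Flow] = {}  # keyed by (initiator, target) endpoint strings

    def from_client(self, seg: Segment, now: float) -> List[Segment]:
        """Segment travelling initiator -> target. Returns what the system actually sends on."""
        key = (seg.src, seg.dst)
        flow = self.flows.get(key)
        if seg.syn and not seg.ack:                         # new request: answer on the target's behalf
            self.flows[key] = Flow("CLIENT_HALF_OPEN", now, pending_syn=seg)
            return [Segment(seg.dst, seg.src, syn=True, ack=True)]
        if flow is not None and flow.state == "CLIENT_HALF_OPEN" and seg.ack and not seg.syn:
            flow.state, flow.timer, flow.attempts = "PROXY_SYN_SENT", now, 1
            return [flow.pending_syn]                       # initiator is real: now open the target side
        if flow is not None and flow.state == "ESTABLISHED":
            return [seg]
        return []                                           # anything before handshake completion is discarded

    def from_server(self, seg: Segment) -> List[Segment]:  # segment travelling target -> initiator
        flow = self.flows.get((seg.dst, seg.src))
        if flow is not None and flow.state == "PROXY_SYN_SENT" and seg.syn and seg.ack:
            flow.state = "ESTABLISHED"                      # intercept the SYN-ACK, send the final ACK
            return [Segment(flow.pending_syn.src, flow.pending_syn.dst, ack=True)]
        if flow is not None and flow.state == "ESTABLISHED":
            return [seg]
        return []                                           # no completed handshake covers it: discard

    def tick(self, now: float) -> List[Segment]:
        """Timers: resend proxy SYNs to a silent target, tear down flows that never completed."""
        out: List[Segment] = []
        for key, flow in list(self.flows.items()):
            if flow.state == "PROXY_SYN_SENT" and now - flow.timer >= self.retransmit_timeout:
                if flow.attempts < self.MAX_ATTEMPTS:
                    flow.attempts, flow.timer = flow.attempts + 1, now
                    out.append(flow.pending_syn)
                else:
                    del self.flows[key]                     # target never answered: give up
            elif flow.state == "CLIENT_HALF_OPEN" and now - flow.timer >= self.watch_timeout:
                del self.flows[key]  # initiator never answered; reusing the watch timeout here is an assumption
        return out


def intercept_exchange(aggressive=False) -> dict:
    """Constructed walk-through: a legitimate initiator, a flood source and a target that never answers."""
    box = SynProxy(aggressive=aggressive)
    client, target, flood, silent = "10.1.1.5:40000", "192.0.2.10:80", "203.0.113.7:1234", "198.51.100.9:443"
    request = Segment(client, target, ack=True, payload=b"GET / HTTP/1.0\r\n")
    syn_ack = box.from_client(Segment(client, target, syn=True), now=0)        # proxy SYN-ACK, target idle
    to_target = box.from_client(Segment(client, target, ack=True), now=1)      # ACK proves reachability
    early = box.from_client(request, now=2)                                    # data before target is up
    final_ack = box.from_server(Segment(target, client, syn=True, ack=True))
    data = box.from_client(request, now=4)
    flood_reply = box.from_client(Segment(flood, target, syn=True), now=0)     # spoofed SYN, never ACKed
    box.from_client(Segment(client, silent, syn=True), now=0)
    box.from_client(Segment(client, silent, ack=True), now=0)                  # proxy SYN #1 goes out at t=0
    resent, gave_up_at = 0, None
    for t in range(1, 400):                                                    # one timer pass per second
        resent += len(box.tick(t))
        if gave_up_at is None and (client, silent) not in box.flows:
            gave_up_at = t
    return {
        "syn_ack_is_proxy": syn_ack == [Segment(target, client, syn=True, ack=True)],
        "replayed_syn_to_target": to_target == [Segment(client, target, syn=True)],
        "data_gated_on_handshake": early == [] and data == [request],
        "final_ack_sent": final_ack == [Segment(client, target, ack=True)],
        "flood_absorbed": flood_reply == [Segment(target, flood, syn=True, ack=True)] and (flood, target) not in box.flows,
        "proxy_syn_resends": resent,       # 4 at defaults
        "gave_up_after": gave_up_at,       # 300 s at defaults, 150 s aggressive
    }
```

Running intercept_exchange() shows the flood source's SYN being answered by the system without a single segment reaching the target, and the silent target being given up after 300 seconds at the default retransmit timeout or 150 seconds with aggressive halving, which is the arithmetic the aggressive keyword description above relies on.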
Example
The following command sets the maximum number of attempts for sending proxy SYN to the target to :