
Configuring SYN Flood Attack Defense

This section describes how to configure global and interface-based SYN flood attack defense.

Procedure

  • Configure global SYN flood attack defense.
    1. In the user view, run the system-view command to access the system view.
    2. Run the anti-ddos syn-flood source-detect command to enable global source authentication defense against SYN flood attacks.

      By default, the source authentication defense against SYN flood attacks is disabled.

    3. Run the anti-ddos syn-flood defend [ alert-rate alert-rate ] command to set the alarm threshold that triggers global source authentication defense against SYN flood attacks.

      By default, the defense is triggered when the rate of SYN packets destined for the same destination IP address reaches 2000 pps.

      The defense threshold can be automatically learned or manually configured. For details about the threshold learning configuration, see Configuring Threshold Learning.

    4. Optional: Run the anti-ddos hardware defend enable command to enable the global hardware-based defense function.

      By default, the hardware-based defense function is enabled.

      After the hardware-based defense function is enabled, attack traffic check and first-packet discarding for SYN packets can be performed on the hardware chip. To make the first-packet discarding function for SYN packets take effect, you also need to run the anti-ddos np-rule first-packet-check enable command.

    5. Run the anti-ddos first-packet-check syn [ interval { lower-limit lower-limit | upper-limit upper-limit } * ] command to enable the first-packet discarding function for SYN packets and specify the time interval.

      After source detection is enabled, you can enable the first-packet discarding function to reduce the number of rebound packets. When the rate of packets that pass the first-packet discarding detection reaches the source authentication alarm threshold, the packets enter the source detection process.

      For the USG6610E/6620E, USG6630E/6650E, USG6635E/6655E, USG6680E and USG6712E/6716E, you can run the anti-ddos np-rule first-packet-check enable command to enable the first-packet discarding function for SYN packets on the hardware chip, which helps reduce the CPU load.

      The first-packet discarding function on the hardware chip takes effect only after the first-packet discarding function of the CPU (anti-ddos first-packet-check) and the hardware-based defense function (anti-ddos hardware defend enable) are enabled.

    6. Optional: Run the anti-ddos first-packet-check ip-id enable command to enable the function of checking the identification fields in the IP headers of retransmitted packets.

      By default, the function of checking the identification fields in the IP headers of retransmitted packets is disabled.

      The function of checking the identification field in the IP packet header is an enhancement to the first-packet discarding function. The function takes effect only when the first-packet discarding function is enabled.

      Some normal clients send IP packets whose headers carry the same identification field. In this case, the identification field check must not be enabled; otherwise, services may be affected.

  • Configure interface-based SYN flood source authentication defense.
    1. In the user view, access the system view.

      system-view

    2. Access the interface view.

      interface interface-type interface-number

    3. Configure interface-based SYN flood source authentication.

      anti-ddos syn-flood source-detect [ alert-rate alert-rate ]

      The SYN flood source authentication is triggered when the rate of incoming SYN packets on an interface reaches the threshold of alert-rate. alert-rate is an integer ranging from 1 to 80000000, in pps. The default value is 500000.

    4. Configure interface-based TCP proxy.

      anti-ddos syn-flood tcp-proxy [ alert-rate alert-rate ] [ max-rate max-rate ]

      The TCP proxy function is triggered when the rate of incoming SYN packets on an interface reaches the threshold of alert-rate. If max-rate is specified, SYN packets are rate-limited and excess SYN packets are discarded. If max-rate is not specified, SYN packets are not rate-limited.

      Interface-based SYN flood source authentication and interface-based TCP proxy cannot be configured simultaneously; only one of them can be configured on an interface at a time. The TCP proxy function applies only to scenarios in which the forward and return paths are the same. The source authentication function is not subject to this restriction, so the source authentication function is recommended.

      The attack defense threshold learning applies only to global DDoS attack defense and not to interface-based DDoS attack defense. Therefore, the threshold for interface-based SYN flood attack defense must be configured manually using the anti-ddos syn-flood tcp-proxy command.
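To make the behaviour of steps 5 and 6 of the global procedure concrete, the following is an added example that models SYN first-packet discarding with an interval window and the optional IP-ID check. It is not Huawei code and does not run on the device: the flow key, the meaning of lower-limit/upper-limit as seconds, the default window values, and the exact rules for early or stale retransmissions are assumptions made for illustration. The traffic used is constructed in the script, including the case the documentation warns about, a legitimate client whose stack reuses the same identification value.

```python
"""Model of SYN first-packet discarding with an interval window and an
optional IP-ID check. Added example; not device code. The timer
semantics and flow key are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int]


@dataclass(frozen=True)
class Syn:
    """One TCP SYN as seen by the firewall (constructed sample records)."""
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int      # IP header Identification field
    t: float        # arrival time in seconds


@dataclass
class FirstPacketCheck:
    """The first SYN of a flow is dropped; only a retransmission arriving
    inside [lower, upper] seconds is passed on to source authentication.
    With ip_id_check, the retransmission must also carry a different IP ID
    (a real stack changes it; a blind resend of the same packet does not)."""
    lower: float = 0.5          # assumed lower-limit, in seconds
    upper: float = 5.0          # assumed upper-limit, in seconds
    ip_id_check: bool = False
    pending: Dict[FlowKey, Tuple[float, int]] = field(default_factory=dict)

    def handle(self, p: Syn) -> str:
        key = (p.src, p.dst, p.sport, p.dport)
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = (p.t, p.ip_id)   # remember, but discard
            return "drop-first"
        t0, id0 = first
        delta = p.t - t0
        if delta < self.lower:
            return "drop-too-early"              # faster than any TCP retransmit timer
        if delta > self.upper:
            self.pending[key] = (p.t, p.ip_id)   # stale entry: start over
            return "drop-expired"
        if self.ip_id_check and p.ip_id == id0:
            return "drop-same-ip-id"
        del self.pending[key]                    # flow verified, let it proceed
        return "pass"


def run(check: FirstPacketCheck, pkts: List[Syn]) -> List[str]:
    """Apply the check to a packet sequence and return one verdict per packet."""
    return [check.handle(p) for p in pkts]


def normal_client(ip_id_check: bool = False) -> List[str]:
    """Constructed: a real stack retransmits its SYN after ~1 s with a new IP ID."""
    flow = ("10.0.0.5", "192.0.2.10", 40000, 443)
    pkts = [Syn(*flow, ip_id=100, t=0.0), Syn(*flow, ip_id=101, t=1.0)]
    return run(FirstPacketCheck(ip_id_check=ip_id_check), pkts)


def spoofed_flood(n: int = 1000) -> int:
    """Constructed: n SYNs from spoofed sources that never retransmit.
    Returns how many reached source authentication (expected: 0)."""
    pkts = [Syn(f"198.51.100.{i % 250}", "192.0.2.10", 1024 + i, 443,
                ip_id=i, t=i * 0.001) for i in range(n)]
    return run(FirstPacketCheck(), pkts).count("pass")


def blind_resend(ip_id_check: bool) -> List[str]:
    """Constructed: the identical SYN (same IP ID) is resent immediately and
    again after 1 s, the pattern the IP-ID check is meant to separate from
    a genuine stack retransmission."""
    flow = ("203.0.113.7", "192.0.2.10", 5555, 443)
    pkts = [Syn(*flow, ip_id=77, t=0.0), Syn(*flow, ip_id=77, t=0.01),
            Syn(*flow, ip_id=77, t=1.0)]
    return run(FirstPacketCheck(ip_id_check=ip_id_check), pkts)


def constant_id_client(ip_id_check: bool) -> List[str]:
    """Constructed: a legitimate client whose stack reuses one IP ID value,
    the special case in which enabling the IP-ID check would break service."""
    flow = ("10.0.0.9", "192.0.2.10", 41000, 443)
    pkts = [Syn(*flow, ip_id=0, t=0.0), Syn(*flow, ip_id=0, t=1.0)]
    return run(FirstPacketCheck(ip_id_check=ip_id_check), pkts)


if __name__ == "__main__":
    print("normal client      :", normal_client(), normal_client(True))
    print("spoofed flood pass :", spoofed_flood())
    print("blind resend       :", blind_resend(False), blind_resend(True))
    print("constant-ID client :", constant_id_client(False), constant_id_client(True))
```

The spoofed flood never produces a retransmission, so first-packet discarding alone removes it before source authentication is ever consulted, which is the CPU-load reduction the procedure describes. The last scenario shows why step 6 is optional: with the IP-ID check enabled, a client that reuses its identification value is indistinguishable from a blind resend and is dropped, so the check should be enabled only where such clients are known not to exist.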

Copyright © Huawei Technologies Co., Ltd.