The anti-ddos first-packet-check command enables the first-packet discarding function for SYN packets and sets the time interval.
The undo anti-ddos first-packet-check command disables the first-packet discarding function for SYN packets.
anti-ddos first-packet-check syn [ interval { lower-limit lower-limit | upper-limit upper-limit } * ]
undo anti-ddos first-packet-check syn [ interval { lower-limit lower-limit | upper-limit upper-limit } * ]
| Parameter | Description | Value |
|---|---|---|
| lower-limit | Specifies the lower limit on the interval between the first SYN packet and its retransmission. | The value is an integer ranging from 0 to 20, in seconds. The default value is 0 seconds. |
| upper-limit | Specifies the upper limit on the interval between the first SYN packet and its retransmission. | The value is an integer ranging from 0 to 20, in seconds. The default value is 6 seconds. |
The USG6510E, USG6510E-POE, and USG6530E do not support this command; all other models do.
By default, the first-packet discarding function for SYN packets is disabled.
The first-packet discarding function must be used together with the source authentication function. Before using the first-packet discarding function, run the anti-ddos syn-flood source-detect (System view) or anti-ddos syn-flood source-detect (Interface view) command to enable source authentication defense against SYN flood attacks.
Some attacks continuously change source IP addresses or source ports. If only source authentication is used for defense, the FW replies to every attack packet. Under heavy attack traffic the volume of replies is correspondingly large, which consumes device resources and can congest the link.
With first-packet discarding enabled, the FW runs first-packet discarding detection on received SYN packets before source authentication. Only packets that pass first-packet discarding detection are counted, and only when their rate reaches the source authentication alarm threshold do they enter the source authentication process. Packets that are never retransmitted are dropped without any reply, so the number of reply packets is greatly reduced.
The first-packet discarding function relies on the TCP retransmission mechanism. The FW discards the first packet it receives and records the packet's 3-tuple information and arrival time. If a subsequent packet matches the recorded 3-tuple and the interval between it and the last packet matching the same 3-tuple falls between lower-limit and upper-limit, the packet is identified as a retransmitted packet and directly permitted. When the rate of retransmitted packets to the same destination IP address reaches the source authentication alarm threshold, the retransmitted packets enter the source authentication process.
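The following simulation is an added example and is not Huawei USG code; it models the behaviour described above so the interaction between the interval window and the alarm threshold can be seen on sample traffic. It assumes (the page does not state these details) that the 3-tuple is (source IP, destination IP, destination port), that a SYN arriving outside the [lower-limit, upper-limit] window is treated as a new first packet, and that the alarm rate is counted per destination IP over a one-second window; the `alarm_rate` value and all packet data are constructed for the example.

```python
"""Simulation of SYN first-packet discarding (illustration, not USG code).

Assumptions not stated on the page: 3-tuple = (src IP, dst IP, dst port);
a SYN outside the interval window counts as a new first packet; the alarm
rate is permitted retransmissions per second toward one destination IP.
"""
from collections import defaultdict, deque, namedtuple

SynPacket = namedtuple("SynPacket", "time src_ip dst_ip dst_port")

DISCARD, PERMIT, SOURCE_AUTH = "discard", "permit", "source-auth"


class FirstPacketCheck:
    def __init__(self, lower_limit=0, upper_limit=6, alarm_rate=100):
        if not 0 <= lower_limit <= upper_limit <= 20:
            raise ValueError("limits must satisfy 0 <= lower <= upper <= 20 s")
        self.lower = lower_limit
        self.upper = upper_limit
        self.alarm_rate = alarm_rate          # permitted SYNs per second per dst IP (assumed)
        self.last_seen = {}                   # 3-tuple -> arrival time of last SYN
        self.permitted = defaultdict(deque)   # dst IP -> times of permitted SYNs
        self.replies_saved = 0                # SYNs dropped that source auth alone would answer

    def process(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        previous = self.last_seen.get(key)
        self.last_seen[key] = pkt.time
        if previous is None:                  # first packet of this 3-tuple: drop, remember
            self.replies_saved += 1
            return DISCARD
        gap = pkt.time - previous
        if not self.lower <= gap <= self.upper:
            # Too fast (replay) or too slow (stale record): treated as a new first packet.
            self.replies_saved += 1
            return DISCARD
        window = self.permitted[pkt.dst_ip]   # retransmission: count it toward the alarm rate
        window.append(pkt.time)
        while window and pkt.time - window[0] > 1.0:
            window.popleft()
        if len(window) >= self.alarm_rate:    # rate reached: hand over to source authentication
            return SOURCE_AUTH
        return PERMIT


def run_scenarios():
    """Constructed traffic: returns the verdict list for each scenario."""
    fpc = FirstPacketCheck(lower_limit=1, upper_limit=6, alarm_rate=4)
    results = {}

    # 1. Spoofed flood: 50 SYNs from 50 different sources, none ever retransmitted.
    flood = [SynPacket(0.001 * i, f"198.51.100.{i}", "192.0.2.10", 80) for i in range(50)]
    results["flood"] = [fpc.process(p) for p in flood]

    # 2. Real client: first SYN dropped, retransmission about 1 s later is permitted.
    client = [SynPacket(10.0, "10.0.0.5", "192.0.2.10", 443),
              SynPacket(11.0, "10.0.0.5", "192.0.2.10", 443)]
    results["client"] = [fpc.process(p) for p in client]

    # 3. Replay 0.2 s later (below lower-limit) and retry 9.8 s later (above upper-limit).
    replay = [SynPacket(20.0, "203.0.113.7", "192.0.2.10", 22),
              SynPacket(20.2, "203.0.113.7", "192.0.2.10", 22),
              SynPacket(30.0, "203.0.113.7", "192.0.2.10", 22)]
    results["replay"] = [fpc.process(p) for p in replay]

    # 4. Attacker with a small fixed source pool that does retransmit after 1 s:
    #    permitted retransmissions toward 192.0.2.10 reach 4/s -> source authentication.
    burst = [SynPacket(40.0 + 0.125 * i, f"203.0.113.{100 + i}", "192.0.2.10", 80) for i in range(6)]
    burst += [SynPacket(41.0 + 0.125 * i, f"203.0.113.{100 + i}", "192.0.2.10", 80) for i in range(6)]
    results["burst"] = [fpc.process(p) for p in burst]

    results["replies_saved"] = fpc.replies_saved
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name}: {verdicts}")
```

Two points the simulation makes visible: with the default lower-limit of 0 the 0.2 s replay in scenario 3 would be permitted, so raising lower-limit closes that gap, but it must stay below the client's initial retransmission timeout (about 1 s on Linux) or legitimate retransmissions are dropped; and scenario 4 shows why first-packet discarding is only a pre-filter, since an attacker that retransmits from a fixed source pool still reaches the source authentication stage once the alarm rate is met.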