
anti-ddos syn-flood tcp-proxy

Function

The anti-ddos syn-flood tcp-proxy command enables the interface-based TCP proxy function.

The undo anti-ddos syn-flood tcp-proxy command disables the interface-based TCP proxy function.

Format

anti-ddos syn-flood tcp-proxy [ alert-rate alert-rate ] [ max-rate max-rate ]

undo anti-ddos syn-flood tcp-proxy

Parameters

Parameter: alert-rate alert-rate
Description: Specifies the alarm threshold at which the TCP proxy is triggered to defend against SYN flood attacks.
Value: An integer ranging from 1 to 1200000, in pps. The default value is 1000.

Parameter: max-rate max-rate
Description: Specifies the maximum rate of SYN packets allowed on the interface. SYN packets in excess of this rate are discarded.
Value: An integer ranging from 1 to 1200000, in pps. If max-rate is not specified, rate limiting is not performed on SYN packets.

Views

Ethernet interface view, Ethernet sub-interface view, Layer-2 Ethernet interface view, Layer-2 Ethernet sub-interface view, Eth-Trunk interface view, Layer-2 Eth-Trunk interface view, Eth-Trunk sub-interface view, Layer-2 Eth-Trunk sub-interface view, Virtual interface view

Default Level

2: Configuration level

Usage Guidelines

By default, the function is disabled.

If the rate of SYN packets reaches alert-rate, defense is triggered and the FW applies the TCP proxy function to protect against SYN flood attacks. If max-rate is also specified, SYN packets are rate limited and those in excess of max-rate are discarded. If max-rate is not specified, rate limiting is not performed on SYN packets.
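As an added example (not part of the original page), the following configuration enables the interface-based TCP proxy on an Eth-Trunk interface with both thresholds set, so that SYN packets arriving faster than 3000 pps are proxied and SYN packets beyond 10000 pps are dropped, and then disables the function on another interface with the undo form. The interface names and both rates are assumed values chosen for illustration.

```text
<sysname> system-view
[sysname] interface Eth-Trunk 1
[sysname-Eth-Trunk1] anti-ddos syn-flood tcp-proxy alert-rate 3000 max-rate 10000
[sysname-Eth-Trunk1] quit
[sysname] interface GigabitEthernet 0/0/2
[sysname-GigabitEthernet0/0/2] undo anti-ddos syn-flood tcp-proxy
```

Set max-rate above alert-rate so that there is a band in which legitimate connections are still completed through the proxy before hard dropping starts; with max-rate at or below alert-rate, discarding would begin before proxying does. Because the thresholds are per interface and not learned, derive alert-rate from the normal SYN rate observed on that interface rather than from the global threshold.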

The attack defense threshold obtained through threshold learning applies only to global DDoS attack defense, not to interface-based DDoS attack defense. Therefore, the threshold for interface-based SYN flood attack defense can be configured only by using the anti-ddos syn-flood tcp-proxy command.

Example

# Enable the interface-based SYN flood attack defense function so that the interface-based TCP proxy function is triggered when the rate of SYN packets exceeds 2000 pps.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/2
[sysname-GigabitEthernet0/0/2] anti-ddos syn-flood tcp-proxy alert-rate 2000
Copyright © Huawei Technologies Co., Ltd.