10-TCP and ICMP Attack Protection Commands (11-Security Command Reference)
display tcp status
Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display tcp status command to display the status of all TCP connections, so that you can monitor them.
Examples
# Display status of all TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB Local Add:port Foreign Add:port State
03e37dc4 0.0.0.0:4001 0.0.0.0:0 Listening
04217174 100.0.0.204:23 100.0.0.253:65508 Established
Table 1 Output description

Field | Description |
---|---|
*: TCP MD5 Connection | The asterisk (*) indicates that the TCP connection is secured by MD5 encryption. |
TCPCB | TCP control block |
Local Add:port | Local IP address and port number |
Foreign Add:port | Remote IP address and port number |
State | State of the TCP connection |
ip icmp fragment discarding
Syntax
ip icmp fragment discarding
undo ip icmp fragment discarding
View
System view
Default level
2: System level
Parameters
None
Description
Use the ip icmp fragment discarding command to disable the switch from forwarding ICMP fragments.
Use the undo ip icmp fragment discarding command to enable the switch to forward ICMP fragments.
By default, the switch is enabled to forward ICMP fragments.
Examples
# Disable the switch from forwarding ICMP fragments.
<Sysname> system-view
[Sysname] ip icmp fragment discarding
tcp anti-naptha enable
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the tcp anti-naptha enable command to enable the protection against Naptha attack.
Use the undo tcp anti-naptha enable command to disable the protection against Naptha attack.
By default, the protection against Naptha attack is disabled.
Note that the configurations made by using the tcp state and tcp timer check-state commands will be removed after the protection against Naptha attack is disabled.
Examples
# Enable the protection against Naptha attack.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
tcp state
Syntax
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number
View
System view
Default level
2: System level
Parameters
closing: CLOSING state of a TCP connection.
established: ESTABLISHED state of a TCP connection.
fin-wait-1: FIN_WAIT_1 state of a TCP connection.
fin-wait-2: FIN_WAIT_2 state of a TCP connection.
last-ack: LAST_ACK state of a TCP connection.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500.
Description
Use the tcp state command to configure the maximum number of TCP connections in a state. When this number is exceeded, the aging of TCP connections in this state will be accelerated.
Use the undo tcp state command to restore the default.
By default, the maximum number of TCP connections in each state is 5.
Note the following points:
· You must enable the protection against Naptha attack before executing this command. Otherwise, the system prompts an error.
· You can configure the maximum number of TCP connections separately for each state.
· If the maximum number of TCP connections in a state is 0, the aging of TCP connections in that state is not accelerated.
Related commands: tcp anti-naptha enable.
Examples
# Set the maximum number of TCP connections in the ESTABLISHED state to 100.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp state established connection-number 100
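As an added illustration (not part of this command reference), the following Python script parses display tcp status output in the layout shown above and reports the states whose connection counts exceed the limits that tcp state would apply, using the default maximum of 5 and treating 0 as "aging not accelerated". The sample output rows, the TCPCB values, the spelling of states other than Listening and Established, and the row pattern are assumptions constructed here.

```python
import re
from collections import Counter

# States "tcp state" can limit; the default maximum per state is 5 (see above).
NAPTHA_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2",
                 "last-ack", "syn-received")
DEFAULT_MAX = 5
# Constructed sample in the layout of the display tcp status output above. The
# extra rows, their TCPCB values and the spelling of states other than
# Listening/Established are assumptions made for illustration.
SAMPLE_OUTPUT = """\
*: TCP MD5 Connection
TCPCB    Local Add:port        Foreign Add:port      State
03e37dc4 0.0.0.0:4001          0.0.0.0:0             Listening
04217174 100.0.0.204:23        100.0.0.253:65508     Established
*0421a001 100.0.0.204:179      100.0.0.9:33001       Established
0421a002 100.0.0.204:23        100.0.0.77:50001      Established
0421a003 100.0.0.204:23        100.0.0.77:50002      Established
0421a004 100.0.0.204:23        100.0.0.77:50003      Established
0421a005 100.0.0.204:23        100.0.0.77:50004      Established
0421a006 100.0.0.204:23        100.0.0.77:50005      Fin_Wait_1
0421a007 100.0.0.204:23        100.0.0.77:50006      Fin_Wait_1
"""
# Optional "*" (MD5-secured), 8-hex TCPCB, local, foreign, state (assumed layout).
ROW_RE = re.compile(r"^(\*?)\s*([0-9a-fA-F]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_tcp_status(text):
    """One dict per connection row; the legend and column header are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            md5, tcpcb, local, foreign, state = m.groups()
            # Normalise "Fin_Wait_1"/"Established" to the tcp state keywords.
            rows.append({"tcpcb": tcpcb, "local": local, "foreign": foreign,
                         "md5": md5 == "*", "state": state.lower().replace("_", "-")})
    return rows


def states_over_limit(rows, configured=None):
    """Limited states whose count exceeds the maximum, mapped to that count.
    configured mirrors "tcp state <state> connection-number <n>" (n in 0..500);
    n == 0 means the state is never flagged, i.e. aging is not accelerated."""
    limits = dict.fromkeys(NAPTHA_STATES, DEFAULT_MAX)
    for state, n in (configured or {}).items():
        if state not in limits or not 0 <= n <= 500:
            raise ValueError(f"invalid tcp state setting: {state} {n}")
        limits[state] = n
    counts = Counter(r["state"] for r in rows)
    return {s: counts[s] for s, mx in limits.items() if mx and counts[s] > mx}
```

Running states_over_limit(parse_tcp_status(SAMPLE_OUTPUT)) flags established (6 connections against the default of 5), which is the condition under which the switch would accelerate aging for that state.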
tcp syn-cookie enable
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the tcp syn-cookie enable command to enable the SYN Cookie feature to protect the switch against SYN Flood attacks.
Use the undo tcp syn-cookie enable command to disable the SYN Cookie feature.
By default, the SYN Cookie feature is enabled.
Examples
# Enable the SYN Cookie feature.
<Sysname> system-view
[Sysname] tcp syn-cookie enable
tcp timer check-state
Syntax
tcp timer check-state time-value
undo tcp timer check-state
View
System view
Default level
2: System level
Parameters
time-value: TCP connection state check interval in seconds, in the range of 1 to 60.
Description
Use the tcp timer check-state command to configure the TCP connection state check interval.
Use the undo tcp timer check-state command to restore the default.
By default, the TCP connection state check interval is 30 seconds.
The switch periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the configured maximum, it accelerates the aging of TCP connections in that state.
Note that you must enable the protection against Naptha attack before executing this command. Otherwise, the system prompts an error.
Related commands: tcp anti-naptha enable.
Examples
# Set the TCP connection state check interval to 40 seconds.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40