10-TCP and ICMP Attack Protection Commands
display tcp status
Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display tcp status to display the status of all TCP connections, for example to monitor which connections are open and in which state.
Examples
# Display status of all TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB Local Add:port Foreign Add:port State
03e37dc4 0.0.0.0:4001 0.0.0.0:0 Listening
04217174 100.0.0.204:23 100.0.0.253:65508 Established
Table 1 Command output

Field | Description |
---|---|
*: TCP MD5 Connection | Asterisk (*) indicates that the TCP connection is secured by MD5 encryption. |
TCPCB | TCP control block. |
Local Add:port | Local IP address and port number. |
Foreign Add:port | Remote IP address and port number. |
State | State of the TCP connection. |
ip icmp fragment discarding
Syntax
ip icmp fragment discarding
undo ip icmp fragment discarding
View
System view
Default level
2: System level
Parameters
None
Description
Use ip icmp fragment discarding to disable the switch from forwarding ICMP fragments.
Use undo ip icmp fragment discarding to enable the switch to forward ICMP fragments.
By default, the switch is enabled to forward ICMP fragments.
Examples
# Disable the switch from forwarding ICMP fragments.
<Sysname> system-view
[Sysname] ip icmp fragment discarding
tcp anti-naptha enable
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
View
System view
Default level
2: System level
Parameters
None
Description
Use tcp anti-naptha enable to enable the protection against Naptha attack.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack.
By default, the protection against Naptha attack is disabled.
Note that disabling the protection against Naptha attack also removes the configurations made with the tcp state and tcp timer check-state commands.
Examples
# Enable the protection against Naptha attack.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
tcp state
Syntax
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number
View
System view
Default level
2: System level
Parameters
closing: CLOSING state of a TCP connection.
established: ESTABLISHED state of a TCP connection.
fin-wait-1: FIN_WAIT_1 state of a TCP connection.
fin-wait-2: FIN_WAIT_2 state of a TCP connection.
last-ack: LAST_ACK state of a TCP connection.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500.
Description
Use tcp state to configure the maximum number of TCP connections in a state. When this number is exceeded, the aging of TCP connections in this state will be accelerated.
Use undo tcp state to restore the default.
By default, the maximum number of TCP connections in each state is 5.
You need to enable the protection against Naptha attack before executing this command. Otherwise, the system displays an error.
You can configure the maximum number of TCP connections separately for each state.
If the maximum number of TCP connections in a state is set to 0, the aging of TCP connections in that state is not accelerated.
Related commands: tcp anti-naptha enable.
Examples
# Set the maximum number of TCP connections in ESTABLISHED state to 100.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp state established connection-number 100
tcp syn-cookie enable
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
View
System view
Default level
2: System level
Parameters
None
Description
Use tcp syn-cookie enable to enable the SYN Cookie feature to protect the switch against SYN Flood attacks.
Use undo tcp syn-cookie enable to disable the SYN Cookie feature.
By default, the SYN Cookie feature is enabled.
Examples
# Enable the SYN Cookie feature.
<Sysname> system-view
[Sysname] tcp syn-cookie enable
tcp timer check-state
Syntax
tcp timer check-state time-value
undo tcp timer check-state
View
System view
Default level
2: System level
Parameters
time-value: TCP connection state check interval in seconds, in the range of 1 to 60.
Description
Use tcp timer check-state to configure the TCP connection state check interval.
Use undo tcp timer check-state to restore the default.
By default, the TCP connection state check interval is 30 seconds.
The switch periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the configured maximum, it accelerates the aging of TCP connections in that state.
You need to enable the protection against Naptha attack before executing this command. Otherwise, the system displays an error.
Related commands: tcp anti-naptha enable.
Examples
# Set the TCP connection state check interval to 40 seconds.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40
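As an added illustration that is not part of this command reference, the following Python script parses constructed display tcp status output in the format shown above, then applies the per-state limits that tcp state configures (default 5 per state, range 0 to 500, 0 disables accelerated aging) in the way the periodic check described under tcp timer check-state would. The function names and the spelling of states other than Listening and Established in the output are assumptions.

```python
import re
from collections import Counter

# Constructed sample output of "display tcp status" (not captured from a real switch).
SAMPLE_OUTPUT = """\
*: TCP MD5 Connection
TCPCB    Local Add:port      Foreign Add:port     State
03e37dc4 0.0.0.0:4001        0.0.0.0:0            Listening
04217174 100.0.0.204:23      100.0.0.253:65508    Established
0421b1d0 100.0.0.204:23      100.0.0.77:50121     Syn_Received
0421c2e4 100.0.0.204:23      100.0.0.78:50122     Syn_Received
0421d3f8 100.0.0.204:23      100.0.0.79:50123     Syn_Received
0421e40c 100.0.0.204:23      100.0.0.80:50124     Syn_Received
0421f520 100.0.0.204:23      100.0.0.81:50125     Syn_Received
04220634 100.0.0.204:23      100.0.0.82:50126     Syn_Received
"""

# One connection row: TCPCB, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")
# States that "tcp state" can limit; the documented default limit per state is 5.
NAPTHA_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2", "last-ack", "syn-received")
DEFAULT_LIMIT = 5

def parse_tcp_status(text):
    """Return one dict per connection row; the legend and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # state is upper-cased so Syn_Received (assumed spelling) matches SYN_RECEIVED
            conns.append({"tcpcb": m.group(1), "local": f"{m.group(2)}:{m.group(3)}",
                          "foreign": f"{m.group(4)}:{m.group(5)}",
                          "state": m.group(6).upper()})
    return conns

def naptha_limits(overrides=None):
    """Per-state limits as "tcp state <state> connection-number <n>" would set them."""
    limits = dict.fromkeys(NAPTHA_STATES, DEFAULT_LIMIT)
    for state, n in (overrides or {}).items():
        if state not in limits or not 0 <= n <= 500:
            raise ValueError(f"invalid tcp state setting: {state} {n}")
        limits[state] = n
    return limits

def states_over_limit(conns, limits):
    """States whose connection count exceeds the limit (the check the switch runs
    every "tcp timer check-state" interval); a limit of 0 disables the check."""
    counts = Counter(c["state"] for c in conns)
    return {s: counts[s.upper().replace("-", "_")] for s, n in limits.items()
            if n and counts[s.upper().replace("-", "_")] > n}
```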