12-Security Command Reference

12-TCP and ICMP attack prevention commands

Contents

TCP and ICMP attack prevention commands
  Naptha attack prevention commands
    tcp anti-naptha enable
    tcp check-state interval
    tcp state
  ICMP attack prevention commands
    display ip icmp fast-reply statistics
    display ipv6 icmpv6 fast-reply statistics
    ip icmp fast-reply enable
    ipv6 icmpv6 fast-reply enable
    reset ip icmp fast-reply statistics
    reset ipv6 icmpv6 fast-reply statistics
  TCP SYN flood attack prevention commands
    display ipv6 tcp anti-syn-flood flow-based entry
    display ipv6 tcp anti-syn-flood flow-based entry count
    display tcp anti-syn-flood flow-based configuration
    display tcp anti-syn-flood flow-based entry
    display tcp anti-syn-flood flow-based entry count
    display tcp anti-syn-flood interface-based configuration
    display tcp anti-syn-flood interface-based entry
    display tcp anti-syn-flood interface-based entry count
    reset ipv6 tcp anti-syn-flood flow-based entry
    reset ipv6 tcp anti-syn-flood flow-based statistics
    reset tcp anti-syn-flood flow-based entry
    reset tcp anti-syn-flood flow-based statistics
    reset tcp anti-syn-flood interface-based entry
    reset tcp anti-syn-flood interface-based statistics
    tcp anti-syn-flood flow-based duration
    tcp anti-syn-flood flow-based enable
    tcp anti-syn-flood flow-based threshold
    tcp anti-syn-flood interface-based check-interval
    tcp anti-syn-flood interface-based duration
    tcp anti-syn-flood interface-based enable
    tcp anti-syn-flood interface-based threshold
    tcp anti-syn-flood log enable
    tcp anti-syn-flood flow-based check-interval



TCP and ICMP attack prevention commands

Naptha attack prevention commands

tcp anti-naptha enable

Use tcp anti-naptha enable to enable Naptha attack prevention.

Use undo tcp anti-naptha enable to disable Naptha attack prevention.

Syntax

tcp anti-naptha enable

undo tcp anti-naptha enable

Default

Naptha attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable Naptha attack prevention, the device periodically checks the number of TCP connections in each state. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state. The check interval is set by the tcp check-state interval command. The TCP connection limits are set by the tcp state command.

Examples

# Enable Naptha attack prevention.

<Sysname> system-view

[Sysname] tcp anti-naptha enable

Related commands

tcp check-state interval

tcp state

tcp check-state interval

Use tcp check-state interval to set the interval for checking the number of TCP connections in each state.

Use undo tcp check-state interval to restore the default.

Syntax

tcp check-state interval interval

undo tcp check-state interval

Default

The interval for checking the number of TCP connections in each state is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the check interval in the range of 1 to 60 seconds.

Usage guidelines

This command takes effect after you enable Naptha attack prevention.

After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at intervals. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state.

Examples

# Set the interval to 40 seconds for checking the number of TCP connections in each state.

<Sysname> system-view

[Sysname] tcp check-state interval 40

Related commands

tcp anti-naptha enable

tcp state

tcp state

Use tcp state to set the maximum number of TCP connections in a state.

Use undo tcp state to restore the default.

Syntax

tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit number

undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit

Default

The maximum number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK) is 50.

Views

System view

Predefined user roles

network-admin

Parameters

closing: Specifies the CLOSING state.

established: Specifies the ESTABLISHED state.

fin-wait-1: Specifies the FIN_WAIT_1 state.

fin-wait-2: Specifies the FIN_WAIT_2 state.

last-ack: Specifies the LAST_ACK state.

connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. The value of 0 represents that the device does not accelerate the aging of the TCP connections in a state.

Usage guidelines

This command takes effect after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in the state.

Examples

# Set the maximum number of TCP connections in the ESTABLISHED state to 100.

<Sysname> system-view

[Sysname] tcp state established connection-limit 100

Related commands

tcp anti-naptha enable

tcp check-state interval
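The three Naptha commands above describe one decision rule: every check interval, count the TCP connections in each state and accelerate aging in any state whose count exceeds its non-zero limit. The following is an added model of that rule (not H3C code) for reasoning about a planned `tcp state ... connection-limit` setting offline; the reference does not state how much faster affected connections age, so the model only reports which connections a check would pick, and the connection tuples are constructed sample input.

```python
"""Model of the Naptha attack prevention policy: tcp anti-naptha enable,
tcp check-state interval and tcp state ... connection-limit.

Added example, not the device implementation. Ranges and defaults are the
ones the command reference gives; a limit of 0 disables the check for that
state. Connections are modelled as (connection_id, state) tuples.
"""
from collections import Counter

STATES = ("closing", "established", "fin-wait-1", "fin-wait-2", "last-ack")
DEFAULT_LIMIT = 50        # default connection-limit per state
DEFAULT_INTERVAL = 30     # default tcp check-state interval, in seconds


class NapthaPolicy:
    def __init__(self, enabled=False, interval=DEFAULT_INTERVAL):
        # 'tcp anti-naptha enable' is off by default; nothing is checked until it is on
        self.enabled = enabled
        self.interval = interval
        self.limits = {state: DEFAULT_LIMIT for state in STATES}

    def set_interval(self, seconds):
        """tcp check-state interval <1-60>."""
        if not 1 <= seconds <= 60:
            raise ValueError("check interval must be 1 to 60 seconds")
        self.interval = seconds

    def set_limit(self, state, number):
        """tcp state <state> connection-limit <0-500>; 0 disables the check."""
        if state not in STATES:
            raise ValueError(f"unknown TCP state {state!r}")
        if not 0 <= number <= 500:
            raise ValueError("connection-limit must be 0 to 500")
        self.limits[state] = number

    def over_limit_states(self, connections):
        """States whose connection count exceeds a non-zero limit at this check."""
        if not self.enabled:
            return []
        counts = Counter(state for _, state in connections)
        return sorted(state for state, n in counts.items()
                      if self.limits.get(state, 0) and n > self.limits[state])

    def accelerated(self, connections):
        """Connection ids whose aging the device would accelerate at this check."""
        hot = set(self.over_limit_states(connections))
        return [cid for cid, state in connections if state in hot]


# Constructed sample: three half-closed and three established connections
SAMPLE = [("c1", "established"), ("c2", "established"), ("c3", "established"),
          ("c4", "fin-wait-1"), ("c5", "fin-wait-1"), ("c6", "last-ack")]


def demo():
    """Limit ESTABLISHED to 2 and see which connections a check selects."""
    policy = NapthaPolicy(enabled=True)
    policy.set_limit("established", 2)
    return policy.accelerated(SAMPLE)


if __name__ == "__main__":
    print(demo())
```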

ICMP attack prevention commands

display ip icmp fast-reply statistics

Use display ip icmp fast-reply statistics to display fast replied ICMP message statistics.

Syntax

In standalone mode:

display ip icmp fast-reply statistics [ slot slot-number ]

In IRF mode:

display ip icmp fast-reply statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fast replied ICMP message statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays fast replied ICMP message statistics on all cards. (In IRF mode.)

Examples

# (In standalone mode.) Display fast replied ICMP message statistics.

<Sysname> display ip icmp fast-reply statistics slot 3

Number of fast replied ICMP messages: 419455

Related commands

reset ip icmp fast-reply statistics

display ipv6 icmpv6 fast-reply statistics

Use display ipv6 icmpv6 fast-reply statistics to display fast replied ICMPv6 message statistics.

Syntax

In standalone mode:

display ipv6 icmpv6 fast-reply statistics [ slot slot-number ]

In IRF mode:

display ipv6 icmpv6 fast-reply statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fast replied ICMPv6 message statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays fast replied ICMPv6 message statistics on all cards. (In IRF mode.)

Examples

# (In standalone mode.) Display fast replied ICMPv6 message statistics.

<Sysname> display ipv6 icmpv6 fast-reply statistics slot 3

Number of fast replied ICMPv6 messages: 419455

Related commands

reset ipv6 icmpv6 fast-reply statistics

ip icmp fast-reply enable

Use ip icmp fast-reply enable to enable ICMP fast reply.

Use undo ip icmp fast-reply enable to disable ICMP fast reply.

Syntax

ip icmp fast-reply enable

undo ip icmp fast-reply enable

Default

ICMP fast reply is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ICMP fast reply feature allows the hardware to reply to incoming ICMP requests, preventing ICMP request attacks.

Examples

# Enable ICMP fast reply.

<Sysname> system-view

[Sysname] ip icmp fast-reply enable

Related commands

ipv6 icmpv6 fast-reply enable

ipv6 icmpv6 fast-reply enable

Use ipv6 icmpv6 fast-reply enable to enable ICMPv6 fast reply.

Use undo ipv6 icmpv6 fast-reply enable to disable ICMPv6 fast reply.

Syntax

ipv6 icmpv6 fast-reply enable

undo ipv6 icmpv6 fast-reply enable

Default

ICMPv6 fast reply is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ICMPv6 fast reply feature allows the hardware to reply to incoming ICMPv6 requests, preventing ICMPv6 request attacks.

Examples

# Enable ICMPv6 fast reply.

<Sysname> system-view

[Sysname] ipv6 icmpv6 fast-reply enable

Related commands

ip icmp fast-reply enable

reset ip icmp fast-reply statistics

Use reset ip icmp fast-reply statistics to clear fast replied ICMP message statistics.

Syntax

In standalone mode:

reset ip icmp fast-reply statistics [ slot slot-number ]

In IRF mode:

reset ip icmp fast-reply statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears fast replied ICMP message statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears fast replied ICMP message statistics on all cards. (In IRF mode.)

Examples

# (In standalone mode.) Clear fast replied ICMP message statistics.

<Sysname> reset ip icmp fast-reply statistics slot 3

Related commands

display ip icmp fast-reply statistics

reset ipv6 icmpv6 fast-reply statistics

Use reset ipv6 icmpv6 fast-reply statistics to clear fast replied ICMPv6 message statistics.

Syntax

In standalone mode:

reset ipv6 icmpv6 fast-reply statistics [ slot slot-number ]

In IRF mode:

reset ipv6 icmpv6 fast-reply statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears fast replied ICMPv6 message statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears fast replied ICMPv6 message statistics on all cards. (In IRF mode.)

Examples

# (In standalone mode.) Clear fast replied ICMPv6 message statistics.

<Sysname> reset ipv6 icmpv6 fast-reply statistics slot 3

Related commands

display ipv6 icmpv6 fast-reply statistics

TCP SYN flood attack prevention commands

display ipv6 tcp anti-syn-flood flow-based entry

Use display ipv6 tcp anti-syn-flood flow-based entry to display IPv6 flow-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

display ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * slot slot-number [ verbose ]

In IRF mode:

display ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * chassis chassis-number slot slot-number [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all IPv6 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To display IPv6 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv6 flow-based TCP SYN flood attack prevention entries for all packet types.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

verbose: Displays detailed information about IPv6 flow-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv6 flow-based TCP SYN flood attack prevention entries.

Examples

# Display brief information about IPv6 flow-based TCP SYN flood attack prevention entries on slot 3 on the public network.

<Sysname> display ipv6 tcp anti-syn-flood flow-based entry slot 3

SrcAddr              DstPort VPN                       Type Packets dropped

2::1                 179     --                        IP   987654321

# Display detailed information about IPv6 flow-based TCP SYN flood attack prevention entries on slot 3 on the public network.

<Sysname> display ipv6 tcp anti-syn-flood flow-based entry slot 3 verbose

SrcAddr: 2::1

DstPort: 179

VPN: --

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 987654321

Table 1 Command output

Field

Description

SrcAddr

Source IPv6 address of the TCP SYN flood attack packets.

DstPort

Destination port number of the TCP SYN flood attack packets.

VPN

Name of the VPN instance. This field displays hyphens (--) for the public network.

Type

Packet type: MPLS or IP.

Hardware status

Status of the flow-based TCP SYN flood attack prevention entry setting to hardware:

· Succeeded.

· Failed.

· Not enough resources.

Aging time

Remaining lifetime of the IPv6 flow-based TCP SYN flood attack prevention entry, in seconds.

Attack time

Time when the IPv6 TCP SYN flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS.

Packets dropped

Total number of packets dropped by IPv6 flow-based TCP SYN flood attack prevention.

 

Related commands

reset ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

display ipv6 tcp anti-syn-flood flow-based entry count

Use display ipv6 tcp anti-syn-flood flow-based entry count to display the number of IPv6 flow-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

display ipv6 tcp anti-syn-flood flow-based entry slot slot-number count

In IRF mode:

display ipv6 tcp anti-syn-flood flow-based entry chassis chassis-number slot slot-number count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Examples

# Display the number of IPv6 flow-based TCP SYN flood attack prevention entries on slot 3.

<Sysname> display ipv6 tcp anti-syn-flood flow-based entry slot 3 count

Total flow-based entries: 1

Table 2 Command output

Field

Description

Total flow-based entries

Total number of IPv6 flow-based TCP SYN flood attack prevention entries.

 

Related commands

reset ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

display tcp anti-syn-flood flow-based configuration

Use display tcp anti-syn-flood flow-based configuration to display the configuration of flow-based TCP SYN flood attack prevention.

Syntax

display tcp anti-syn-flood flow-based configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of flow-based TCP SYN flood attack prevention.

<Sysname> display tcp anti-syn-flood flow-based configuration

Flow-based TCP SYN flood attack prevention is enabled.

Check interval: 1 seconds

Duration: 5 minutes

Threshold: 100 packets per check interval

Table 3 Command output

Field

Description

Flow-based TCP SYN flood attack prevention is enabled.

The flow-based TCP SYN flood attack prevention feature is enabled.

Flow-based TCP SYN flood attack prevention is disabled.

The flow-based TCP SYN flood attack prevention feature is disabled.

Check interval

Check interval of flow-based TCP SYN flood attack prevention, in seconds.

Duration

Flow-based TCP SYN flood attack prevention duration, in minutes.

Threshold

Threshold for triggering flow-based TCP SYN flood attack prevention.

 

Related commands

tcp anti-syn-flood flow-based enable

display tcp anti-syn-flood flow-based entry

Use display tcp anti-syn-flood flow-based entry to display IPv4 flow-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

display tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * slot slot-number [ verbose ]

In IRF mode:

display tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * chassis chassis-number slot slot-number [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all IPv4 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To display IPv4 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv4 flow-based TCP SYN flood attack prevention entries for all packet types.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

verbose: Displays detailed information about IPv4 flow-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv4 flow-based TCP SYN flood attack prevention entries.

Examples

# Display brief information about IPv4 flow-based TCP SYN flood attack prevention entries on slot 3 on the public network.

<Sysname> display tcp anti-syn-flood flow-based entry slot 3

SrcAddr         DstPort VPN                             Type Packets dropped

1.1.1.1         179     --                              MPLS 12345678

2.1.1.1         179     --                              IP   87654321

# Display detailed information about IPv4 flow-based TCP SYN flood attack prevention entries on slot 3 on the public network.

<Sysname> display tcp anti-syn-flood flow-based entry slot 3 verbose

SrcAddr: 1.1.1.1

DstPort: 179

VPN: --

Type: MPLS

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/01/07 18:55:03

Packets dropped: 12345678

 

SrcAddr: 2.1.1.1

DstPort: 179

VPN: 1

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 87654321

Table 4 Command output

Field

Description

SrcAddr

Source IPv4 address of the TCP SYN flood attack packets.

DstPort

Destination port number of the TCP SYN flood attack packets.

VPN

Name of the VPN instance. This field displays hyphens (--) for the public network.

Type

Packet type: MPLS or IP.

Hardware status

Status of the flow-based TCP SYN flood attack prevention entry setting to hardware:

· Succeeded.

· Failed.

· Not enough resources.

Aging time

Remaining lifetime of the IPv4 flow-based TCP SYN flood attack prevention entry, in seconds.

Attack time

Time when the TCP SYN flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS.

Packets dropped

Total number of packets dropped by IPv4 flow-based TCP SYN flood attack prevention.

 

Related commands

reset tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

display tcp anti-syn-flood flow-based entry count

Use display tcp anti-syn-flood flow-based entry count to display the number of IPv4 flow-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

display tcp anti-syn-flood flow-based entry slot slot-number count

In IRF mode:

display tcp anti-syn-flood flow-based entry chassis chassis-number slot slot-number count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Examples

# Display the number of IPv4 flow-based TCP SYN flood attack prevention entries on slot 3.

<Sysname> display tcp anti-syn-flood flow-based entry slot 3 count

Total flow-based entries: 2

Table 5 Command output

Field

Description

Total flow-based entries

Total number of IPv4 flow-based TCP SYN flood attack prevention entries.

 

Related commands

reset tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

display tcp anti-syn-flood interface-based configuration

Use display tcp anti-syn-flood interface-based configuration to display the configuration of interface-based TCP SYN flood attack prevention.

Syntax

display tcp anti-syn-flood interface-based configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of interface-based TCP SYN flood attack prevention.

<Sysname> display tcp anti-syn-flood interface-based configuration

Interface-based TCP SYN flood attack prevention is enabled.

Check interval: 1 seconds

Duration: 5 minutes

Threshold: 100 packets per check interval

Table 6 Command output

Field

Description

Interface-based TCP SYN flood attack prevention is enabled.

The interface-based TCP SYN flood attack prevention feature is enabled.

Interface-based TCP SYN flood attack prevention is disabled.

The interface-based TCP SYN flood attack prevention feature is disabled.

Check interval

Check interval of interface-based TCP SYN flood attack prevention, in seconds.

Duration

Interface-based TCP SYN flood attack prevention duration, in minutes.

Threshold

Threshold for triggering interface-based TCP SYN flood attack prevention.

 

Related commands

tcp anti-syn-flood interface-based enable

display tcp anti-syn-flood interface-based entry

Use display tcp anti-syn-flood interface-based entry to display interface-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

display tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * slot slot-number [ verbose ]

In IRF mode:

display tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * chassis chassis-number slot slot-number [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays interface-based TCP SYN flood attack prevention entries for all interfaces.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays interface-based TCP SYN flood attack prevention entries for all packet types.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

verbose: Displays detailed information about interface-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about interface-based TCP SYN flood attack prevention entries.

Examples

# Display brief information about interface-based TCP SYN flood attack prevention entries on slot 3.

<Sysname> display tcp anti-syn-flood interface-based entry slot 3

Interface                Type Packets totally received

GE3/1/1                  MPLS 18446744073709551615

GE3/1/2                  IP   1234567

# Display detailed information about interface-based TCP SYN flood attack prevention entries on slot 3.

<Sysname> display tcp anti-syn-flood interface-based entry slot 3 verbose

Interface: GE3/1/1

Type: MPLS

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/08/07 10:33:35

Packets totally received: 18446744073709551615

Packets sent to CPU: 18446744073709551615

 

Interface: GE3/1/2

Type: IP

Hardware status: Succeeded

Aging time: 3210 seconds

Attack time: 2018/07/07 02:33:12

Packets totally received: 1234567

Packets sent to CPU: 1000000

Table 7 Command output

Field

Description

Interface

Interface where the TCP SYN flood attack is detected.

Type

Packet type: MPLS or IP.

Hardware status

Status of the interface-based TCP SYN flood attack prevention entry setting to hardware:

· Succeeded.

· Failed.

· Not enough resources.

Aging time

Remaining lifetime of the interface-based TCP SYN flood attack prevention entry, in seconds.

Attack time

Time when the interface-based TCP SYN flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS.

Packets totally received

Total number of received packets.

Packets sent to CPU

Number of packets sent to the CPU.

 

Related commands

reset tcp anti-syn-flood interface-based entry

reset tcp anti-syn-flood interface-based statistics
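The verbose output of the IPv6 flow-based, IPv4 flow-based and interface-based entry display commands shares one layout: one "Field: value" line per field and a blank line between entries. The following added example (not H3C code) parses that layout from captured CLI output and pulls out what an operator most needs to check: entries whose Hardware status is not Succeeded, since for those the attack prevention action was never programmed into hardware, plus per-entry drop and CPU-share figures. The sample text is constructed from the output shown in this reference, with one entry altered to a "Not enough resources" status.

```python
"""Parser for 'display [ipv6] tcp anti-syn-flood flow-based entry ... verbose'
and 'display tcp anti-syn-flood interface-based entry ... verbose' output.

Added example, not part of the H3C command reference. Field names are the ones
the reference documents (Tables 1, 4 and 7); the sample dumps are constructed.
"""
import re

# Constructed sample: IPv4 flow-based verbose output, second entry not in hardware
FLOW_OUTPUT = """\
SrcAddr: 1.1.1.1
DstPort: 179
VPN: --
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:55:03
Packets dropped: 12345678

SrcAddr: 2.1.1.1
DstPort: 179
VPN: 1
Type: IP
Hardware status: Not enough resources
Aging time: 5432 seconds
Attack time: 2018/05/18 09:30:00
Packets dropped: 0
"""

# Constructed sample: interface-based verbose output
IFACE_OUTPUT = """\
Interface: GE3/1/1
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/08/07 10:33:35
Packets totally received: 18446744073709551615
Packets sent to CPU: 18446744073709551615

Interface: GE3/1/2
Type: IP
Hardware status: Succeeded
Aging time: 3210 seconds
Attack time: 2018/07/07 02:33:12
Packets totally received: 1234567
Packets sent to CPU: 1000000
"""

# Counters and ports are converted to int; everything else stays a string
_NUMERIC = {"DstPort", "Packets dropped", "Packets totally received", "Packets sent to CPU"}


def parse_entries(text):
    """Split verbose output into a list of dicts, one per entry.
    Entries are separated by blank lines. 'Aging time' becomes an int of
    seconds. Lines without a colon (e.g. the echoed prompt) are ignored.
    Splitting at the first colon keeps IPv6 addresses such as 2::1 intact."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Aging time":
            m = re.match(r"(\d+)\s+seconds?", value)
            value = int(m.group(1)) if m else value
        elif key in _NUMERIC:
            value = int(value)
        current[key] = value
    if current:
        entries.append(current)
    return entries


def entry_id(entry):
    """Readable identity: interface name, or the source/port/VPN flow tuple."""
    if "Interface" in entry:
        return f"{entry['Interface']} {entry.get('Type', '?')}"
    return (f"{entry.get('SrcAddr')}->{entry.get('DstPort')} "
            f"vpn={entry.get('VPN')} {entry.get('Type')}")


def unprogrammed(entries):
    """Entries whose hardware status is Failed or Not enough resources:
    the device detected an attack but is not enforcing the entry in hardware."""
    return [entry_id(e) for e in entries if e.get("Hardware status") != "Succeeded"]


def total_dropped(entries):
    """Sum of 'Packets dropped' over flow-based entries."""
    return sum(e.get("Packets dropped", 0) for e in entries)


def cpu_share(entry):
    """Fraction of received SYNs that still reached the CPU (interface entries)."""
    received = entry.get("Packets totally received", 0)
    return entry.get("Packets sent to CPU", 0) / received if received else 0.0


if __name__ == "__main__":
    print("not in hardware:", unprogrammed(parse_entries(FLOW_OUTPUT)))
    for e in parse_entries(IFACE_OUTPUT):
        print(entry_id(e), f"cpu share {cpu_share(e):.2f}")
```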

display tcp anti-syn-flood interface-based entry count

Use display tcp anti-syn-flood interface-based entry count to display the number of interface-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

display tcp anti-syn-flood interface-based entry slot slot-number count

In IRF mode:

display tcp anti-syn-flood interface-based entry chassis chassis-number slot slot-number count

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Examples

# Display the number of interface-based TCP SYN flood attack prevention entries on slot 3.

<Sysname> display tcp anti-syn-flood interface-based entry slot 3 count

Total interface-based entries: 2

Table 8 Command output

Field

Description

Total interface-based entries

Total number of interface-based TCP SYN flood attack prevention entries.

 

Related commands

reset tcp anti-syn-flood interface-based entry

reset tcp anti-syn-flood interface-based statistics

reset ipv6 tcp anti-syn-flood flow-based entry

Use reset ipv6 tcp anti-syn-flood flow-based entry to delete IPv6 flow-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

reset ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]

In IRF mode:

reset ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

all: Deletes all IPv6 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To delete IPv6 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries for all packet types.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries on all cards. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command deletes all IPv6 flow-based TCP SYN flood attack prevention entries on the public network.

Examples

# Delete IPv6 flow-based TCP SYN flood attack prevention entries with source IP address 2000::1 and destination port number 200 on the public network.

<Sysname> reset ipv6 tcp anti-syn-flood flow-based entry destination-port 200 source 2000::1

Related commands

display ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

Use reset ipv6 tcp anti-syn-flood flow-based statistics to clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.

Syntax

In standalone mode:

reset ipv6 tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]

In IRF mode:

reset ipv6 tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network and VPN instances. To clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention for all packet types.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command clears statistics for all IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

Examples

# Clear statistics for IPv6 TCP SYN packets with source IPv6 address 2000::1 and destination port number 200 dropped by flow-based TCP SYN flood attack prevention on the public network.

<Sysname> reset ipv6 tcp anti-syn-flood flow-based statistics destination-port 200 source 2000::1

Related commands

display ipv6 tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based entry

Use reset tcp anti-syn-flood flow-based entry to delete IPv4 flow-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

reset tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]

In IRF mode:

reset tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

all: Deletes all IPv4 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To delete IPv4 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries for all packet types.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries on all cards. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command deletes all IPv4 flow-based TCP SYN flood attack prevention entries on the public network.

Examples

# Delete IPv4 flow-based TCP SYN flood attack prevention entries with source IPv4 address 2.2.2.2 and destination port number 1024 on the public network.

<Sysname> reset tcp anti-syn-flood flow-based entry destination-port 1024 source 2.2.2.2

Related commands

display tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

Use reset tcp anti-syn-flood flow-based statistics to clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.

Syntax

In standalone mode:

reset tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]

In IRF mode:

reset tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network and VPN instances. To clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention for all packet types.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command clears statistics for all IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

Examples

# Clear statistics for IPv4 TCP SYN packets with source IP address 2.2.2.2 and destination port number 1024 dropped by flow-based TCP SYN flood attack prevention on the public network.

<Sysname> reset tcp anti-syn-flood flow-based statistics destination-port 1024 source 2.2.2.2

Related commands

display tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood interface-based entry

Use reset tcp anti-syn-flood interface-based entry to delete interface-based TCP SYN flood attack prevention entries.

Syntax

In standalone mode:

reset tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]

In IRF mode:

reset tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command deletes interface-based TCP SYN flood attack prevention entries for all interfaces.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes interface-based TCP SYN flood attack prevention entries for all packet types.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes interface-based TCP SYN flood attack prevention entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes interface-based TCP SYN flood attack prevention entries on all cards. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command deletes all interface-based TCP SYN flood attack prevention entries.

Examples

# Delete all interface-based TCP SYN flood attack prevention entries.

<Sysname> reset tcp anti-syn-flood interface-based entry

Related commands

display tcp anti-syn-flood interface-based entry

reset tcp anti-syn-flood interface-based statistics

Use reset tcp anti-syn-flood interface-based statistics to clear statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention.

Syntax

In standalone mode:

reset tcp anti-syn-flood interface-based statistics [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]

In IRF mode:

reset tcp anti-syn-flood interface-based statistics [ interface interface-type interface-number | type { ip | mpls } ] * [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention for all interfaces.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention for all packet types.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention on all cards. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command clears statistics for all TCP SYN packets received by interface-based TCP SYN flood attack prevention.

Examples

# Clear statistics for all TCP SYN packets received by interface-based TCP SYN flood attack prevention.

<Sysname> reset tcp anti-syn-flood interface-based statistics

Related commands

display tcp anti-syn-flood interface-based entry

tcp anti-syn-flood flow-based duration

Use tcp anti-syn-flood flow-based duration to set the flow-based TCP SYN flood attack prevention duration.

Use undo tcp anti-syn-flood flow-based duration to restore the default.

Syntax

tcp anti-syn-flood flow-based duration minutes

undo tcp anti-syn-flood flow-based duration

Default

The flow-based TCP SYN flood attack prevention duration is 5 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

minutes: Specifies the flow-based TCP SYN flood attack prevention duration in minutes. The value range is 1 to 3600.

Usage guidelines

After you enable flow-based TCP SYN flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and drops subsequent SYN packets received in the TCP SYN flood attack prevention duration. The device returns to the attack detection state when the duration expires.

Examples

# Set the flow-based TCP SYN flood attack prevention duration to 10 minutes.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based duration 10

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based check-interval

tcp anti-syn-flood flow-based threshold

tcp anti-syn-flood flow-based enable

Use tcp anti-syn-flood flow-based enable to enable flow-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood flow-based enable to disable flow-based TCP SYN flood attack prevention.

Syntax

tcp anti-syn-flood flow-based enable

undo tcp anti-syn-flood flow-based enable

Default

Flow-based TCP SYN flood attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A SYN flood attacker exploits the characteristics of the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server. The server opens a half-open connection for each request and responds to it, but it never receives the expected ACK packets. Because all of its resources are bound to half-open connections, the server is unable to accept new incoming connection requests.

The flow-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate. When the number of received SYN packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent SYN packets.

Examples

# Enable flow-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based enable

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based check-interval

tcp anti-syn-flood flow-based threshold

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood flow-based threshold

Use tcp anti-syn-flood flow-based threshold to set the threshold for triggering flow-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood flow-based threshold to restore the default.

Syntax

tcp anti-syn-flood flow-based threshold threshold-value

undo tcp anti-syn-flood flow-based threshold

Default

The threshold is 100 packets per check interval for triggering flow-based TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

Parameters

threshold threshold-value: Specifies the threshold for triggering flow-based TCP SYN flood attack prevention, in the range of 1 to 1000000.

Usage guidelines

The flow-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate. When the number of received SYN packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent SYN packets.

Examples

# Set the threshold to 200 for triggering flow-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based threshold 200

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based check-interval

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood interface-based check-interval

Use tcp anti-syn-flood interface-based check-interval to set the check interval for interface-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood interface-based check-interval to restore the default.

Syntax

tcp anti-syn-flood interface-based check-interval interval

undo tcp anti-syn-flood interface-based check-interval

Default

The check interval is 1 second for interface-based TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the check interval for interface-based TCP SYN flood attack prevention, in seconds. The value range is 1 to 60.

Usage guidelines

The interface-based TCP SYN flood attack prevention feature monitors the number of received SYN packets on a per-interface basis. When the number of received SYN packets within a check interval exceeds the threshold on an interface, the device enters prevention state and limits the SYN packet receiving rate on the interface.

If attacks occur frequently in your network, set a short check interval so that TCP SYN flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the check interval to 30 seconds for interface-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood interface-based check-interval 30

Related commands

display tcp anti-syn-flood interface-based configuration

tcp anti-syn-flood interface-based duration

tcp anti-syn-flood interface-based enable

tcp anti-syn-flood interface-based threshold

tcp anti-syn-flood interface-based duration

Use tcp anti-syn-flood interface-based duration to set the interface-based TCP SYN flood attack prevention duration.

Use undo tcp anti-syn-flood interface-based duration to restore the default.

Syntax

tcp anti-syn-flood interface-based duration minutes

undo tcp anti-syn-flood interface-based duration

Default

The interface-based TCP SYN flood attack prevention duration is 5 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

minutes: Specifies the interface-based TCP SYN flood attack prevention duration in minutes. The value range is 1 to 3600.

Usage guidelines

After you enable interface-based TCP SYN flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and limits the receiving rate of subsequent SYN packets in the TCP SYN flood attack prevention duration. The device returns to attack detection state when the duration expires.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the interface-based TCP SYN flood attack prevention duration to 1 minute.

<Sysname> system-view

[Sysname] tcp anti-syn-flood interface-based duration 1

Related commands

display tcp anti-syn-flood interface-based configuration

tcp anti-syn-flood interface-based check-interval

tcp anti-syn-flood interface-based enable

tcp anti-syn-flood interface-based threshold

tcp anti-syn-flood interface-based enable

Use tcp anti-syn-flood interface-based enable to enable interface-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood interface-based enable to disable interface-based TCP SYN flood attack prevention.

Syntax

tcp anti-syn-flood interface-based enable

undo tcp anti-syn-flood interface-based enable

Default

Interface-based TCP SYN flood attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A SYN flood attacker exploits the characteristics of the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server. The server opens a half-open connection for each request and responds to it, but it never receives the expected ACK packets. Because all of its resources are bound to half-open connections, the server is unable to accept new incoming connection requests.

The interface-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate on a per-interface basis. When the number of received SYN packets within a check interval reaches or exceeds the threshold on an interface, the device determines that an attack occurs and limits the SYN packet receiving rate on the interface.

Examples

# Enable interface-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood interface-based enable

Related commands

display tcp anti-syn-flood interface-based configuration

tcp anti-syn-flood interface-based duration

tcp anti-syn-flood interface-based check-interval

tcp anti-syn-flood interface-based threshold

tcp anti-syn-flood interface-based threshold

Use tcp anti-syn-flood interface-based threshold to set the threshold for triggering interface-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood interface-based threshold to restore the default.

Syntax

tcp anti-syn-flood interface-based threshold threshold-value

undo tcp anti-syn-flood interface-based threshold

Default

The threshold is 100 packets per check interval for triggering interface-based TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

Parameters

threshold threshold-value: Specifies the threshold for triggering interface-based TCP SYN flood attack prevention, in the range of 1 to 1000000.

Usage guidelines

The interface-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate on a per-interface basis. When the number of received SYN packets within a check interval reaches or exceeds the threshold on an interface, the device determines that the interface is under attack.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the threshold to 10000 for triggering interface-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood interface-based threshold 10000

Related commands

display tcp anti-syn-flood interface-based configuration

tcp anti-syn-flood interface-based check-interval

tcp anti-syn-flood interface-based duration

tcp anti-syn-flood interface-based enable

tcp anti-syn-flood log enable

Use tcp anti-syn-flood log enable to enable logging for TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood log enable to disable logging for TCP SYN flood attack prevention.

Syntax

tcp anti-syn-flood log enable

undo tcp anti-syn-flood log enable

Default

Logging is disabled for TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature generates TCP SYN flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

To avoid the device performance being degraded by excessive TCP SYN flood attack prevention logs, disable this feature as a best practice. Enable this feature only for auditing or troubleshooting.

Examples

# Enable logging for TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood log enable

Related commands

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood interface-based enable

tcp anti-syn-flood flow-based check-interval

Use tcp anti-syn-flood flow-based check-interval to set the check interval for flow-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood flow-based check-interval to restore the default.

Syntax

tcp anti-syn-flood flow-based check-interval interval

undo tcp anti-syn-flood flow-based check-interval

Default

The check interval is 1 second for flow-based TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the check interval for flow-based TCP SYN flood attack prevention, in seconds. The value range is 1 to 60.

Usage guidelines

The flow-based TCP SYN flood attack prevention feature uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received SYN packets within a check interval exceeds the threshold, the device enters prevention state and drops subsequent SYN packets.

If attacks occur frequently in your network, set a short check interval so that TCP SYN flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.

If you execute this command multiple times, the most recent configuration takes effect.
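The usage guidelines for tcp anti-syn-flood flow-based enable, threshold, duration and check-interval together describe one state machine: SYN packets are counted per flow (source address, destination port, VPN instance, packet type) within a check interval; when the count reaches the threshold the flow enters prevention state and subsequent SYN packets are dropped; when the duration expires the flow returns to detection state. The following Python model is an added illustration of that behaviour, not H3C code and not how the device implements it internally. The class name, the flow-key tuple, the choice to forward the SYN that reaches the threshold and drop the ones after it, the fixed-window counting, and the constructed sample traffic are all assumptions made for the example; the default parameter values are the defaults the reference gives (100 packets, 1 second, 5 minutes).

```python
"""Model of flow-based TCP SYN flood attack prevention (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow is identified by source address, destination port, VPN instance
# (None for the public network) and packet type ("ip" or "mpls"), as the
# check-interval usage guidelines state. Tuple layout is an assumption.
FlowKey = Tuple[str, int, Optional[str], str]


@dataclass
class FlowState:
    window_start: float                      # start of current check interval
    syn_count: int = 0                       # SYNs seen in this interval
    prevention_until: Optional[float] = None  # None means detection state


@dataclass
class FlowBasedSynFloodGuard:
    """Per-flow SYN counter with detection and prevention states."""
    threshold: int = 100          # packets per check interval (default 100)
    check_interval: float = 1.0   # seconds (default 1)
    duration_minutes: float = 5   # prevention duration (default 5 minutes)
    flows: Dict[FlowKey, FlowState] = field(default_factory=dict)
    dropped: Dict[FlowKey, int] = field(default_factory=dict)

    def handle_syn(self, now: float, src: str, dport: int,
                   vpn: Optional[str] = None, ptype: str = "ip") -> str:
        """Decide 'forward' or 'drop' for one SYN packet seen at time `now`."""
        key: FlowKey = (src, dport, vpn, ptype)
        st = self.flows.get(key)
        if st is None:
            st = self.flows[key] = FlowState(window_start=now)

        # Prevention state: drop every SYN of the flow until the duration
        # expires, then return to detection with a fresh check interval.
        if st.prevention_until is not None:
            if now < st.prevention_until:
                self.dropped[key] = self.dropped.get(key, 0) + 1
                return "drop"
            st.prevention_until = None
            st.window_start, st.syn_count = now, 0

        # Detection state: count SYNs in a fixed-length check interval.
        # (Assumption: the window restarts once the interval has elapsed.)
        if now - st.window_start >= self.check_interval:
            st.window_start, st.syn_count = now, 0
        st.syn_count += 1

        # "Reaches or exceeds the threshold": the SYN that reaches it marks
        # the flow as attacked; it is forwarded, subsequent SYNs are dropped.
        if st.syn_count >= self.threshold:
            st.prevention_until = now + self.duration_minutes * 60
        return "forward"

    def in_prevention(self, src: str, dport: int,
                      vpn: Optional[str] = None, ptype: str = "ip") -> bool:
        st = self.flows.get((src, dport, vpn, ptype))
        return st is not None and st.prevention_until is not None


def run_sample() -> List[str]:
    """Replay constructed traffic through a guard with a low threshold.

    Constructed sample: 2.2.2.2 sends SYNs to port 1024 every 0.2 s, a
    quiet host 3.3.3.3 sends one SYN, then 2.2.2.2 retries after the
    1-minute duration has expired. Threshold 3 / interval 1 s / 1 minute
    are example settings, not defaults.
    """
    guard = FlowBasedSynFloodGuard(threshold=3, check_interval=1.0,
                                   duration_minutes=1)
    events = [
        (0.0, "2.2.2.2", 1024), (0.2, "2.2.2.2", 1024),
        (0.4, "2.2.2.2", 1024),   # third SYN in the interval: triggers
        (0.5, "3.3.3.3", 1024),   # different source -> different flow
        (0.6, "2.2.2.2", 1024),   # dropped: prevention state
        (10.0, "2.2.2.2", 1024),  # still dropped: duration not expired
        (61.0, "2.2.2.2", 1024),  # duration expired: back to detection
    ]
    return [guard.handle_syn(t, src, port) for t, src, port in events]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Run as a script it prints the decision for each sample SYN; the quiet host is never affected because the counter is kept per flow, which is also why the reset ... flow-based entry commands above take source and destination-port filters.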

Examples

# Set the check interval to 30 seconds for flow-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based check-interval 30

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood flow-based threshold
