SYN Protection Commands

This chapter contains the following sections:

security-suite syn protection mode

To protect against TCP SYN attacks and set the protection mode, use the security-suite syn protection mode Global Configuration mode command.

Syntax

security-suite syn protection mode {block | disabled | report}

Parameters

block—Blocks the TCP SYN traffic from attacking ports destined to the local system, and generates a rate-limited syslog message.

disabled—Disables the SYN protection feature.

report—Reports on TCP SYN traffic per port (including a rate-limited syslog message when an attack is identified).

Default Configuration

The default mode is block.

Command Mode

Global Configuration mode

Example

The following example enables SYN protection in block mode on the switch:

switchxxxxxx(config)# security-suite syn protection mode block

security-suite syn protection recovery

To set the time period for SYN protection to block an attacked interface, use the security-suite syn protection recovery Global Configuration mode command.

Syntax

security-suite syn protection recovery seconds

Parameters

seconds—The timeout in seconds after which an interface from which SYN packets are blocked gets unblocked. Note that if a SYN attack is still active on this interface, it may become blocked again. (Range: 10 to 600 seconds)

Default Configuration

The default timeout is 60 seconds.

Command Mode

Global Configuration mode

User Guidelines

If the timeout is modified, the new value is only used on interfaces that are not currently under attack.

Example

The following example sets the SYN protection auto-recovery timeout to 100 seconds:

switchxxxxxx(config)# security-suite syn protection recovery 100

security-suite syn protection threshold

To set the SYN protection threshold, use the security-suite syn protection threshold Global Configuration mode command.

Syntax

security-suite syn protection threshold pps

Parameters

pps—The number of packets per second from a specific port that triggers identification of a TCP SYN attack. (Range: 20 to 60 packets per second)

Default Configuration

The default SYN protection threshold is 60 packets per second.

Command Mode

Global Configuration mode

Example

The following example sets the SYN protection threshold to 40 packets per second:

switchxxxxxx(config)# security-suite syn protection threshold 40
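The mode, recovery and threshold commands above configure three settings of one per-interface mechanism. The following Python model, added here and not part of the Cisco documentation or switch firmware, shows how they interact: a measured SYN rate at or above the threshold identifies an attack, block mode starts a recovery timer for that port while report mode only logs, the port is unblocked when the timer expires and can be blocked again if the attack persists, and a changed recovery value is not applied to a port that is already blocked (the User Guidelines above). The class and method names, the "Blocked" status string, the at-or-above comparison and the 10-second syslog rate-limit interval are assumptions.

```python
"""Model of per-interface TCP SYN protection as described by the
security-suite syn protection commands. Added example, not switch code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MODES = ("block", "disabled", "report")


@dataclass
class PortState:
    blocked_until: Optional[int] = None   # second at which the port unblocks (None = not blocked)
    last_attack: Optional[int] = None     # second of the last identified attack
    last_action: str = ""                 # "blocked and reported" or "reported"


class SynProtection:
    def __init__(self, mode="block", threshold_pps=60, recovery_s=60):
        self.set_mode(mode)
        self.set_threshold(threshold_pps)
        self.set_recovery(recovery_s)
        self.ports: Dict[str, PortState] = {}
        self.syslog: List[str] = []
        self._last_log: Dict[str, int] = {}   # per-port time of the last syslog line

    # The range checks mirror the documented parameter ranges.
    def set_mode(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}")
        self.mode = mode

    def set_threshold(self, pps: int) -> None:
        if not 20 <= pps <= 60:
            raise ValueError("threshold must be 20..600 packets per second"[:43])
        self.threshold = pps

    def set_recovery(self, seconds: int) -> None:
        # Only stored; ports that are already blocked keep their running timer,
        # so the new value is used only by ports not currently under attack.
        if not 10 <= seconds <= 600:
            raise ValueError("recovery must be 10..600 seconds")
        self.recovery = seconds

    def _log(self, port: str, now: int, text: str) -> None:
        # Rate-limited syslog: at most one message per port per 10 s (assumed interval).
        if now - self._last_log.get(port, -10**9) >= 10:
            self.syslog.append(f"{now} {port}: {text}")
            self._last_log[port] = now

    def observe(self, port: str, now: int, syn_pps: int) -> str:
        """Feed one second of measured SYN rate for `port` and return its
        operational status ("Normal" or the assumed "Blocked") afterwards."""
        st = self.ports.setdefault(port, PortState())
        if st.blocked_until is not None and now >= st.blocked_until:
            st.blocked_until = None            # recovery timeout expired: unblock
        if self.mode == "disabled":
            return "Normal"
        if syn_pps >= self.threshold:          # assumed: at or above the threshold
            st.last_attack = now
            if self.mode == "block":
                if st.blocked_until is None:   # an already blocked port keeps its timer
                    st.blocked_until = now + self.recovery
                st.last_action = "blocked and reported"
                self._log(port, now, f"SYN attack {syn_pps} pps, blocked {self.recovery}s")
            else:                              # report mode: log only, never block
                st.last_action = "reported"
                self._log(port, now, f"SYN attack {syn_pps} pps")
        return "Blocked" if st.blocked_until is not None else "Normal"

    def status(self, port: str) -> str:
        st = self.ports.get(port, PortState())
        return "Blocked" if st.blocked_until is not None else "Normal"


if __name__ == "__main__":
    sp = SynProtection(mode="block", threshold_pps=40, recovery_s=100)
    for t, pps in [(0, 10), (1, 45), (50, 45), (101, 0), (102, 45)]:
        print(t, pps, sp.observe("gi13", t, pps))
    print(*sp.syslog, sep="\n")
```

Running the block walks one port through detection, the 100-second block, recovery and a re-block when the flood is still present; the syslog list shows the rate limiting.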

show security-suite syn protection

To show the SYN protection settings and the operational status per interface, use the show security-suite syn protection Privileged EXEC Mode command.

Syntax

show security-suite syn protection

Parameters

N/A

Command Mode

Privileged EXEC Mode

Example

switchxxxxxx# show security-suite syn protection
Protection Mode: Block
Threshold: 80
Recovery : 60
 Interface   Operational                    Last Attack
 Name        Status
----------- ------------- ---------------------------------------------
    gi13        Normal        00:57:11 01-Jan-2000 blocked and reported

The following list describes the significant fields shown in the example:

Protection Mode—Action taken when a SYN flood attack is detected:

  • Block—The TCP SYN traffic from attacking ports destined to the local system is blocked, and a rate-limited syslog message is generated.

  • Disabled—The SYN protection feature is disabled.

  • Report—The SYN protection feature reports on TCP SYN traffic per port (including a rate-limited syslog message when an attack is identified).

Threshold—Number of packets per second from a specific port that triggers identification of a TCP SYN attack.

Recovery—Auto-recovery timeout in seconds after which a port from which SYN packets are blocked gets unblocked.

Interface Name—Interface identifier.

Operational Status—Shows whether SYN protection is enabled or disabled on the interface.

Last Attack—Time of the last SYN flood attack detected on the interface.
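Operators usually collect this output over an automated session rather than reading it by hand. The following parser, added here and not Cisco code, turns the output shown in the example above into a dictionary and then audits the settings against the ranges documented on this page, listing any interface that has recorded an attack. The input string is the page's own example output; the function names and the regular expressions are assumptions based on that one layout.

```python
"""Parser and audit for `show security-suite syn protection` output.
Added example, not Cisco code; format inferred from the page's example."""
import re
from datetime import datetime
from typing import Dict, List

# Output as shown on this page (the single interface row is the page's example).
SAMPLE_OUTPUT = """\
switchxxxxxx# show security-suite syn protection
Protection Mode: Block
Threshold: 80
Recovery : 60
 Interface   Operational                    Last Attack
 Name        Status
----------- ------------- ---------------------------------------------
    gi13        Normal        00:57:11 01-Jan-2000 blocked and reported
"""

_HEADER = re.compile(r"^(Protection Mode|Threshold|Recovery)\s*:\s*(\S+)\s*$")
# name, status, then optionally "HH:MM:SS DD-Mon-YYYY <action text>"
_ROW = re.compile(
    r"^\s*(\S+)\s+(\S+)(?:\s+(\d\d:\d\d:\d\d \d\d-\w{3}-\d{4})\s*(.*))?\s*$"
)


def parse_syn_protection(text: str) -> Dict:
    """Return mode, threshold, recovery and one entry per interface row."""
    result = {"mode": None, "threshold": None, "recovery": None, "interfaces": []}
    in_table = False
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            key, val = m.groups()
            if key == "Protection Mode":
                result["mode"] = val.lower()
            elif key == "Threshold":
                result["threshold"] = int(val)
            else:
                result["recovery"] = int(val)
            continue
        if line.startswith("---"):
            in_table = True          # interface rows follow the separator line
            continue
        if not in_table or not line.strip():
            continue
        m = _ROW.match(line)
        if not m:
            continue
        name, status, stamp, action = m.groups()
        result["interfaces"].append({
            "name": name,
            "status": status,
            "last_attack": datetime.strptime(stamp, "%H:%M:%S %d-%b-%Y") if stamp else None,
            "action": (action or "").strip(),
        })
    return result


def audit(parsed: Dict) -> List[str]:
    """Flag settings outside the documented ranges (threshold 20-60 pps,
    recovery 10-600 s), a non-blocking mode, and interfaces with a recorded attack."""
    findings = []
    if parsed["mode"] != "block":
        findings.append(f"mode is {parsed['mode']}: detected attacks are not blocked")
    t = parsed["threshold"]
    if t is not None and not 20 <= t <= 60:
        findings.append(f"threshold {t} pps is outside the documented 20-60 range")
    r = parsed["recovery"]
    if r is not None and not 10 <= r <= 600:
        findings.append(f"recovery {r} s is outside the documented 10-600 range")
    for itf in parsed["interfaces"]:
        if itf["last_attack"] is not None:
            findings.append(
                f"{itf['name']}: attack at {itf['last_attack'].isoformat()} ({itf['action']})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_syn_protection(SAMPLE_OUTPUT)):
        print(finding)
```

Rows without a Last Attack column parse with `last_attack` set to `None`, so ports that have never tripped the threshold are kept in the interface list but do not produce a finding.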