ADTRAN 1000R Series Network Card User Manual


  Open as PDF
of 1373
 
Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 422
ip firewall check syn-flood
Use the ip firewall check syn-flood command to enable the AOS stateful inspection firewall to filter out
phony TCP service requests and allow only legitimate requests to pass through. Use the no form of this
command to disable this feature.
Syntax Description
No subcommands.
Default Values
All AOS
security features are disabled by default until the ip firewall command is issued at the Global
Configuration prompt. In addition, the SYN-flood check is disabled until the ip firewall check syn-flood
command is issued.
Applicable Platforms
This command applies to the NetVanta 300, 1000R, 2000, 3000, 4000, and 5000 and Total Access 900
Series units.
Command History
Release 2.1 Command was introduced.
Functional Notes
SYN flooding is a well-known denial of service attack on TCP-based services. TCP requires a three-way
handshake before actual communications begin between two hosts. A server must allocate resources to
process new connection requests that are received. A potential intruder is capable of transmitting large
amounts of service requests (in a very short period of time), causing servers to allocate all resources to
process the phony incoming requests. Using the ip firewall check syn-flood command configures the
AOS
stateful inspection firewall to filter out phony service requests and allow only legitimate requests to
pass through.
Usage Examples
The following example enables the AOS
SYN-flood check:
(config)#ip firewall check syn-flood
The AOS security features must be enabled (using the ip firewall command) for the stateful
inspection firewall to be activated.