Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 422

ip firewall check syn-flood

Use the ip firewall check syn-flood command to enable the AOS stateful inspection firewall to filter out
phony TCP service requests and allow only legitimate requests to pass through. Use the no form of this
command to disable this feature.
Syntax Description
No subcommands.
Default Values
All AOS security features are disabled by default until the ip firewall command is issued at the Global
Configuration prompt. In addition, the SYN-flood check is disabled until the ip firewall check syn-flood
command is issued.
Applicable Platforms
This command applies to the NetVanta 300, 1000R, 2000, 3000, 4000, and 5000 and Total Access 900
Series units.
Command History
Release 2.1 Command was introduced.
Functional Notes
SYN flooding is a well-known denial of service attack on TCP-based services. TCP requires a three-way
handshake before actual communications begin between two hosts. A server must allocate resources to
process new connection requests that are received. A potential intruder is capable of transmitting large
amounts of service requests (in a very short period of time), causing servers to allocate all resources to
process the phony incoming requests. Using the ip firewall check syn-flood command configures the
AOS stateful inspection firewall to filter out phony service requests and allow only legitimate requests to
pass through.
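The resource exhaustion described above can be observed by counting handshakes that receive a SYN but never the final ACK. The following Python sketch is an added illustration, not ADTRAN code and not a description of how AOS implements the check; the function names, the threshold, the timeout, and the sample addresses (documentation ranges) are all assumptions constructed for the example.

```python
from collections import defaultdict

def overloaded_servers(events, max_half_open=5, timeout=3.0):
    """events: time-sorted (time_s, src_ip, src_port, dst_ip, flag) tuples seen
    from clients, with flag in {"SYN", "ACK", "RST"}.
    Returns {dst_ip: peak half-open count} for servers above max_half_open."""
    pending = defaultdict(dict)  # dst_ip -> {(src_ip, src_port): time of SYN}
    peak = defaultdict(int)
    for t, src, sport, dst, flag in events:
        half_open = pending[dst]
        # Drop handshakes that were never completed within the timeout.
        for key in [k for k, t0 in half_open.items() if t - t0 > timeout]:
            del half_open[key]
        if flag == "SYN":
            half_open[(src, sport)] = t        # server now holds state for it
        elif flag in ("ACK", "RST"):
            half_open.pop((src, sport), None)  # handshake completed or aborted
        peak[dst] = max(peak[dst], len(half_open))
    return {dst: n for dst, n in peak.items() if n > max_half_open}

def sample_events():
    """Constructed traffic: three legitimate handshakes and one burst of SYNs."""
    ev = []
    for i in range(3):   # legitimate client: SYN followed by the final ACK
        ev.append((i * 0.5, "198.51.100.10", 40000 + i, "192.0.2.10", "SYN"))
        ev.append((i * 0.5 + 0.05, "198.51.100.10", 40000 + i, "192.0.2.10", "ACK"))
    for i in range(20):  # phony requests: many sources, no ACK ever arrives
        ev.append((0.2 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, "192.0.2.20", "SYN"))
    return sorted(ev)

if __name__ == "__main__":
    print(overloaded_servers(sample_events()))
```

Counting per destination rather than per source keeps the check meaningful when every phony request carries a different source address.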
Usage Examples
The following example enables the AOS SYN-flood check:
(config)#ip firewall check syn-flood
The AOS security features must be enabled (using the ip firewall command) for the stateful
inspection firewall to be activated.