Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P.
ip firewall check syn-flood
Use the ip firewall check syn-flood command to enable the Secure Router OS stateful inspection firewall
to filter out phony TCP service requests and allow only legitimate requests to pass through. Use the no
form of this command to disable this feature.
Syntax Description
No subcommands.
Default Values
All Secure Router OS security features are disabled by default until the ip firewall command is issued at
the Global Configuration prompt. In addition, the SYN-flood check is disabled until the ip firewall check
syn-flood command is issued.
Command Modes
(config)# Global Configuration Mode
Functional Notes
SYN flooding is a well-known denial-of-service attack on TCP-based services. TCP requires a three-way
handshake before actual communications begin between two hosts. A server must allocate resources to
process each new connection request it receives. An attacker can transmit a large number of service
requests in a very short period of time, causing servers to allocate all of their resources to
processing the phony incoming requests. The ip firewall check syn-flood command configures the
Secure Router OS stateful inspection firewall to filter out phony service requests and allow only legitimate
requests to pass through.
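The half-open handshake condition described above, as an added illustration in Python (not Secure Router OS code, and not a description of how its firewall is implemented): it tracks constructed packet records and reports services whose count of SYNs without a completing ACK exceeds a threshold. The record format, the addresses and the threshold of 100 are assumptions.

```python
from collections import Counter


def sample_packets():
    """Constructed records: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
    Addresses are from the RFC 5737 documentation ranges."""
    server = ("192.0.2.10", 80)
    pkts = []
    # Two legitimate clients complete the three-way handshake.
    for i, client in enumerate(["198.51.100.5", "198.51.100.6"]):
        port = 40000 + i
        pkts.append((client, port, *server, "SYN"))
        pkts.append((server[0], server[1], client, port, "SYN-ACK"))
        pkts.append((client, port, *server, "ACK"))
    # 200 requests from varying sources that never send the final ACK.
    for i in range(200):
        src = f"203.0.113.{i % 250 + 1}"
        pkts.append((src, 1024 + i, *server, "SYN"))
    return pkts


def half_open_per_service(packets):
    """Count handshakes that saw a SYN but no completing ACK,
    grouped by the (dst_ip, dst_port) service that holds the state."""
    pending = set()  # (client_ip, client_port, server_ip, server_port)
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "SYN":
            pending.add(key)
        elif flags in ("ACK", "RST"):
            # Client finished or aborted the handshake: state is released.
            pending.discard(key)
    return Counter((dst, dport) for _, _, dst, dport in pending)


def flooded_services(packets, threshold=100):
    """Return services whose half-open count exceeds the assumed threshold."""
    counts = half_open_per_service(packets)
    return sorted(svc for svc, n in counts.items() if n > threshold)


if __name__ == "__main__":
    pkts = sample_packets()
    print(half_open_per_service(pkts))
    print(flooded_services(pkts))
```

Counting per destination service rather than per source keeps the check meaningful when the requests arrive from many different source addresses.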
Usage Examples
The following example enables the Secure Router OS syn-flood check:
(config)#ip firewall check syn-flood
Note
The Secure Router OS security features must be enabled (using the ip firewall command)
for the stateful inspection firewall to be activated.