Description Enable hardware-based SYN cookies, which protect against TCP SYN flood attacks.
Syntax [no] syn-cookie enable [on-threshold num off-threshold num]
NOTE: It may take up to 10 milliseconds for the ACOS device to detect and respond to crossover of either threshold.
Default Hardware-based SYN cookies are disabled by default. When the feature is enabled, there are no default settings for the on and off thresholds.
Mode Configuration mode
Usage Hardware-based SYN cookies are available only on some models.
If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used; software-based SYN cookies can remain enabled but are not used. (Software-based SYN cookies are enabled at the virtual port level using the syn-cookie enable command.)
If you omit the on-threshold and off-threshold options, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the ACOS device.
This command globally enables SYN cookie support for SLB and also enables SYN cookie support for Layer 2/3 traffic. No additional configuration is required for SLB SYN cookie support. However, to use Layer 2/3 SYN cookie support, you also must enable it at the configuration level for individual interfaces. See the “ip tcp syn-cookie threshold” command in the Network Configuration Guide.
If L3V partitions are configured, hardware-based SYN cookies must be enabled per individual partition. Hardware-based SYN cookies are NOT partition-aware.
On FTA models only, it is recommended not to use hardware-based SYN cookies if DSR also is enabled. If both features are enabled, a client that sends TCP requests to a VIP configured for DSR will receive two SYN-ACKs: one from the ACOS hardware-based SYN-cookie feature and one from the server. This confuses the client, which expects only one SYN-ACK in reply to its SYN.
Example The following command enables hardware-based SYN cookies:
The command in the following example configures dynamic SYN cookies: SYN cookies are turned on when the number of concurrent half-open TCP connections exceeds 50000, and turned off again when the number falls below 30000:
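To make the threshold semantics concrete, the following Python model is added here as an illustration; it is not ACOS code and does not appear in the original reference page. It builds the command string from the syntax line above and simulates the on/off hysteresis over a constructed series of half-open connection counts, using the comparison directions the example text gives ("exceeds" the on-threshold, "falls below" the off-threshold). The threshold values and the sample counts are constructed; the up-to-10 ms detection latency noted above is not modelled.

```python
"""Added illustration of `syn-cookie enable [on-threshold num off-threshold num]`.

Not A10 code. Models two documented behaviours:
  * no thresholds given  -> SYN cookies are always on;
  * thresholds given     -> cookies switch on when half-open connections
                            exceed on-threshold and off when they fall
                            below off-threshold (hysteresis).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SynCookieConfig:
    # Half-open TCP connection counts; None for both means "always on".
    on_threshold: Optional[int] = None
    off_threshold: Optional[int] = None

    def __post_init__(self) -> None:
        # The syntax line allows both thresholds or neither, never one alone.
        if (self.on_threshold is None) != (self.off_threshold is None):
            raise ValueError("on-threshold and off-threshold must be given together")
        # Hysteresis only makes sense when the off level is below the on level
        # (assumption: the page does not state how ACOS treats off >= on).
        if self.on_threshold is not None and self.off_threshold >= self.on_threshold:
            raise ValueError("off-threshold must be lower than on-threshold")

    @property
    def always_on(self) -> bool:
        return self.on_threshold is None

    def command(self) -> str:
        """Render the configuration-mode command from the documented syntax."""
        base = "syn-cookie enable"
        if self.always_on:
            return base
        return f"{base} on-threshold {self.on_threshold} off-threshold {self.off_threshold}"


def simulate(config: SynCookieConfig, half_open_samples: List[int]) -> List[Tuple[int, bool]]:
    """Return (half_open_count, cookies_active) for each sample in order.

    State only changes when a threshold is actually crossed, so a count that
    sits exactly on a threshold leaves the current state unchanged.
    """
    active = config.always_on
    trace = []
    for count in half_open_samples:
        if not config.always_on:
            if not active and count > config.on_threshold:
                active = True        # flood building up: start answering with cookies
            elif active and count < config.off_threshold:
                active = False       # backlog drained: return to normal handshakes
        trace.append((count, active))
    return trace


def transitions(trace: List[Tuple[int, bool]]) -> List[Tuple[int, bool]]:
    """Keep only the samples at which the cookie state flipped (useful for logging)."""
    out = []
    prev = None
    for count, active in trace:
        if active != prev:
            out.append((count, active))
            prev = active
    return out


# Constructed sample: half-open connection counts observed over time.
SAMPLE_COUNTS = [1000, 40000, 50000, 50001, 45000, 31000, 30000, 29999, 60000]
DYNAMIC = SynCookieConfig(on_threshold=50000, off_threshold=30000)
ALWAYS_ON = SynCookieConfig()

if __name__ == "__main__":
    print(ALWAYS_ON.command())
    print(DYNAMIC.command())
    for count, active in simulate(DYNAMIC, SAMPLE_COUNTS):
        print(f"half-open={count:>6}  syn-cookies={'on' if active else 'off'}")
    print("transitions:", transitions(simulate(DYNAMIC, SAMPLE_COUNTS)))
```

The trace shows the hysteresis the two thresholds provide: cookies stay on while the count drifts between 30000 and 50000, so a flood that hovers near one threshold does not cause the device to flap between modes.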