To enable the SYN Cookie feature:

1. To do: Enter system view
   Use the command: system-view
   Remarks: —
2. To do: Enable the SYN Cookie feature
   Use the command: tcp syn-cookie enable
   Remarks: Required. Disabled by default.

• When you enable the SYN Cookie feature, it will not function if MD5 authentication is enabled. However, if you then disable MD5 authentication, the SYN Cookie feature will be enabled automatically.
• With the SYN Cookie feature enabled, only the MSS, instead of the window's zoom factor and timestamp, is negotiated during TCP connection establishment.

Enabling protection against Naptha attacks

Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.

Naptha attackers control a large number of hosts to establish TCP connections with the server. They keep these connections in the same state (any of the six) and request no data, so as to exhaust the memory resources of the server. As a result, the server cannot process normal services.

Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP connections in a state. After the feature is enabled, the device periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the maximum number, it accelerates the aging of TCP connections in this state.

Follow these steps to enable protection against Naptha attacks:

1. To do: Enter system view
   Use the command: system-view
   Remarks: —
2. To do: Enable the protection against Naptha attacks
   Use the command: tcp anti-naptha enable
   Remarks: Required. Disabled by default.
3. To do: Configure the maximum number of TCP connections in a state
   Use the command: tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
   Remarks: Optional. 5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state will not be accelerated.
4. To do: Configure the TCP state check interval
   Use the command: tcp timer check-state timer-value
   Remarks: Optional. 30 seconds by default.
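The per-state check described above can be mirrored on a monitored Linux server to see which of the six states would trip the limit. This is an added example, not code from the device or from this manual; the /proc/net/tcp input format, the function names and the sample data are assumptions.

```python
from collections import Counter

# Linux /proc/net/tcp "st" codes for the six states the page lists.
# Assumption: a Linux host is being monitored; the device does this internally.
NAPTHA_STATES = {
    "01": "established", "03": "syn-received", "04": "fin-wait-1",
    "05": "fin-wait-2", "09": "last-ack", "0B": "closing",
}
DEFAULT_MAX = 5  # the page's default for "tcp state ... connection-number"

def count_states(proc_net_tcp):
    """Count sockets per Naptha-relevant state in /proc/net/tcp-formatted text."""
    counts = Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 3:
            name = NAPTHA_STATES.get(fields[3].upper())
            if name:
                counts[name] += 1
    return counts

def states_over_limit(counts, limits=None):
    """Return {state: count} for every state whose count exceeds its maximum.
    A maximum of 0 switches the check off for that state, as on the page."""
    limits = limits or {}
    over = {}
    for state in NAPTHA_STATES.values():
        limit = limits.get(state, DEFAULT_MAX)
        if limit != 0 and counts.get(state, 0) > limit:
            over[state] = counts[state]
    return over

# Constructed sample: 8 half-open (03), 3 established (01), 1 listener (0A).
SAMPLE = "\n".join(
    ["  sl  local_address rem_address   st"]
    + [f"{i:4d}: 0100000A:0050 016433C6:{0x9C40 + i:04X} 03" for i in range(8)]
    + [f"{i + 8:4d}: 0100000A:0050 026433C6:{0x9C40 + i:04X} 01" for i in range(3)]
    + ["  11: 00000000:0050 00000000:0000 0A"]
)

if __name__ == "__main__":
    # Run once per check interval (30 seconds by default on the device).
    print(states_over_limit(count_states(SAMPLE)))
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE and repeat the call once per check interval.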