SRX

Hello  ,

We are getting spoofed syn attack from the internet. But the ip address that which gets the attack blocking new connections but the connections that has sessions before is still going on working.(we get an attack to SRX main ip and we should not get in to web site of the srx also.)

We realize sth. strange in logs :

Sep 22 07:34:35   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 16.30.169.251:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 160.246.126.46:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:37   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 69.193.101.57:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:37   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:38   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 169.162.141.248:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:38   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 89.82.9.18:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:38   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:39   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 114.183.168.173:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:39   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 198.222.93.42:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:39   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:40   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 80.240.54.217:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:40   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 170.63.108.161:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:40   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:41   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 130.57.247.24:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:41   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 134.130.209.106:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:41   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop

I found some document on the net : https://inetzero.com/few-things-about-screens/

Sometimes, such as in the initial deployment phase, it might not be known which particular attacks to look for. In these cases the parameter called “alarm-without-drop” can come very handy. If enabled for an ids-option the screen module will generate only a  syslog message and not execute the drop action when an attack is detected.

How should that be happen ? This is our ids config : - Attack hitting to untrust zone

security {
    log {
        mode event;
    }
    alg {
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sip;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        syn-flood-protection-mode syn-cookie;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 250;
                    attack-threshold 625;
                    source-threshold 25;
                    timeout 10;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 200;
            }
        }
        traceoptions {
            file screen.log;
            flag all;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy icnetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy DisNetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-4/0/0.0;
                ae1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
                xe-1/0/0.0;
            }
            application-tracking;
        }
    }
}

Hello,

You should have following configuration to enable 'alarm-without-drop' feature:

set security screen ids-option untrust-screen alarm-without-drop

commit

Regards,

Rushi

Are you sure ? 

That only creates syslog alarms instead of dropping packets like it is in testing mode. But our problem syn cookie checker not working correctly

Hello,

From the initial post it looked like you want to enable the 'alarm-without-drop' function.

Initial post talks about spoofing related attack & the latest mentions about an issue with syn cookie checker?

What is your exact problem? Can you provide data for that?

Regards,

Rushi

Hello again ,

Our firewall ip address xx.xx.xx.xx  

And we are getting a spoofed syn attack to this ip address.

on our firewall SYN-Cookie activated

The ip address as xx.xx.xx.xx is assigned to an interface which has screen option with tcp syn flood protection and screen counters show that it hits to the syn flood protection.

But when an attack starts then new requests does not passing from the SRX.  for ex. if we are connected to the SRX web gui then we are going on using it but we checked from the https://tools.pingdom.com/  with writing our ip to search box , until the attack ends we could not see the page. 

This is not the only example it is same for the web sites to on the ip address that is getting attack. It seems global syn cookie option not triggering by the syn flood attack threshold it directly trigger the source limit / destination limit etc or syn cookie mechanism has a problem with it

Hello,

So if I understand correctly, you have following thing setup is, is that correct?

set security flow syn-flood-protection-mode syn-cookie.

Regards,

Rushi

Correct  , it does not accept new request but the olders which has session still able to connect. it seems like syn-cookie not working correctly and dropping all packets or it passes the cookie mode and applies hard limits for syn 

    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 20;
            low-watermark 90;
            high-watermark 90;
        }
    }



        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
                xe-1/0/0.0;
            }




    screen {
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 250;
                    attack-threshold 625;
                    source-threshold 25;
                    timeout 10;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 200;
            }
        }
        traceoptions {
            file screen.log;
            flag all;
        }
    }

I got a pcap traff. from srx and i realize that it answered %3.7 of the syn traffic with syn ack