SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Screen option SYN-FLOOD.

    Posted 10-19-2016 13:32

    Hi All,

    I'm studying for the JNCIS-SEC, and I'm studying the SCREEN options to avoid some attack types.

     

    I understood that the SRX can do the tcp-proxy between a client and a server, right? Is this enabled by default, or not?

     

    To protect the SRX from the syn-ack-ack attacks we can set a threshold based on source and destination.

    Ok, this explanation is fine to me.

     

    But after I studied the SYN attack protection, a question arose in my head:

    Since the SRX performs the tcp-proxy role, why do I need to enable the SYN Flood Protection?

     

    I think it is unnecessary to enable the SYN flood protection, because the SRX performs the TCP-Proxy role.

    Please, could someone explain the reason to enable the SYN flood protection, since the SRX performs the TCP-Proxy role?

    Tks,

    João Victor



  • 2.  RE: Screen option SYN-FLOOD.

     
    Posted 10-19-2016 13:58

    Hi João,

     

    The basic reason is to prevent a type of denial of service attack.

     

    An attacker will attempt to create as many connections as possible (sending SYN-ACK-ACK) to a particular resource, so that either the network equipment session tables or the remote servers run out of resources.

     

    SYN Flood protection consists of things like Source, Destination, Attack, Timeout and Alarm thresholds; these are all mechanisms to prevent proxy resources from being overloaded and to maintain protection by a combination of the thresholds you have configured for SYN flood protection.

     

    Sample Config:

     

    [edit security screen]

    ids-option untrust-screen {
        icmp {
            ip-sweep threshold 1000;
            fragment;
            large;
            flood threshold 200;
            ping-death;
        }
        ip {
            bad-option;
            stream-option;
            spoofing;
            source-route-option;
            strict-source-route-option;
            unknown-protocol;
            tear-drop;
        }
        tcp {
            syn-fin;
            tcp-no-flag;
            syn-frag;
            port-scan threshold 1000;
            syn-ack-ack-proxy threshold 500;
            syn-flood {
                alarm-threshold 500;
                attack-threshold 500;
                source-threshold 50;
                destination-threshold 1000;
                timeout 10;
            }
            land;
            winnuke;
            tcp-sweep threshold 1000;
        }
        udp {
            flood threshold 500;
            udp-sweep threshold 1000;
        }
    }

     

    The screen is then applied to the required security zones that you will accept unknown traffic from:

     

    [edit security zones security-zone untrust]
    screen untrust-screen;

     

    Hope that makes sense, and it is very important to enable SYN flood protection if you are going to publish resources on the internet.



  • 3.  RE: Screen option SYN-FLOOD.

    Posted 10-19-2016 14:52

    Hi Dawid,

    THANKS A LOT for taking your time to answer my question.

     

    I understood that the SYN Flood protection is used to protect the NETWORK against DOS attacks, and the SYN-ACK-ACK protects the firewall itself (and as a consequence protects the network against DOS).

     

    So, let's imagine that a SYN flood is initiated: the SRX should intercept the SYNs and will respond to the SYNs on behalf of the server, right? So, I can suppose that the SYN should never reach the server due to the tcp-proxy feature, right? So, why would I use the syn-flood screen option, although the syn-ack-ack can be enough?

     

    Is the TCP-Proxy feature enabled by default, or not?

     

    Tks,

    João Victor



  • 4.  RE: Screen option SYN-FLOOD.
    Best Answer

     
    Posted 10-19-2016 18:07

    A SYN flood attack inundates a site with SYN segments containing forged (spoofed) IP source addresses with nonexistent or unreachable addresses. (Juniper Reference)

     

    Another important bit of information: the SRX is not a proxy server per se (hence no feature to enable). It will either proxy and queue or drop SYN segment requests, but only when the SYN Flood protection kicks in, hence the requirement for SYN Flood protection. Each SYN segment request will result in more sessions in the session table.

     

    Example of Basic Process: The SRX will NAT traffic to a host on the private network and pass on the initial SYN segment to the internal host; the host's SYN/ACK segment response will be returned to the internet-based client, and the SRX will keep a session open waiting for the ACK to return from this internet-based client, which it returns to the internal host when received. The SRX does not actually respond with SYN/ACK segments itself during this process; it only forwards the requests between client and host.

     

    In a flood, the SRX will either start proxying the SYN/ACK response in an SRX-based queue, or it will drop the SYN segment packets, depending on the configuration of source/destination and ingress port. Proxying will only happen once the SYN Flood protection kicks in; until then the SRX is vulnerable to SYN Floods.

     

    If you don't configure SYN Flood protection, there is no proxying of packets in a queue or dropping of excess packets.
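    The following is an added illustration (not Juniper code, and not part of this thread) of how the syn-flood thresholds in the sample config above interact with the process described in this answer: SYNs are simply forwarded until the attack-threshold is reached, then proxied, while the source- and destination-thresholds drop the excess. Per-second counting and the exact comparison rules (reaching versus exceeding a threshold) are assumptions of the model, not documented SRX behaviour.

```python
# Added illustration of the SYN-flood screen thresholds from the thread's sample
# config. It is NOT Juniper's implementation: per-second counting and the exact
# comparison rules are assumptions made for this model.
from collections import Counter

# Values copied from the sample config in the thread (all rates are per second).
SYN_FLOOD = {
    "attack-threshold": 500,        # SYNs to one dst ip:port that start SYN proxying
    "alarm-threshold": 500,         # proxied half-open connections that raise an alarm
    "source-threshold": 50,         # SYNs from one source before its SYNs are dropped
    "destination-threshold": 1000,  # SYNs to one dst ip before further SYNs are dropped
    "timeout": 10,                  # seconds a proxied half-open entry is held (unused here)
}

def screen_one_second(syns, cfg=SYN_FLOOD):
    """Classify the SYN segments seen in one second as forwarded / proxied / dropped.

    syns is an iterable of (src_ip, dst_ip, dst_port). Until a threshold is
    reached the SRX just forwards the SYN (no proxying, as the best answer says).
    """
    per_src, per_dst, per_svc = Counter(), Counter(), Counter()
    proxied_svcs = set()
    tally = {"forwarded": 0, "proxied": 0, "dropped": 0, "alarm": False}
    for src, dst, port in syns:
        per_src[src] += 1
        per_dst[dst] += 1
        per_svc[(dst, port)] += 1
        if per_src[src] > cfg["source-threshold"] or per_dst[dst] > cfg["destination-threshold"]:
            tally["dropped"] += 1           # excess from one source / to one destination: drop
            continue
        if per_svc[(dst, port)] >= cfg["attack-threshold"]:
            proxied_svcs.add((dst, port))   # SYN proxy "kicks in" for this service
        if (dst, port) in proxied_svcs:
            tally["proxied"] += 1           # SRX answers SYN/ACK itself and queues the half-open entry
        else:
            tally["forwarded"] += 1         # below thresholds: plain NAT/forward to the server
    tally["alarm"] = tally["proxied"] >= cfg["alarm-threshold"]
    return tally

# Constructed traffic samples (not captures): spoofed flood, one noisy source, normal load.
def spoofed_flood(n, dst="10.0.0.5", port=80):
    return [(f"192.0.{i // 256}.{i % 256}", dst, port) for i in range(n)]

def single_source(n, src="198.51.100.7", dst="10.0.0.5", port=443):
    return [(src, dst, port)] * n

def normal_load(n, dst="10.0.0.5", port=80):
    return [(f"203.0.113.{i % 254 + 1}", dst, port) for i in range(n)]

if __name__ == "__main__":
    for name, syns in [("flood", spoofed_flood(1300)), ("noisy", single_source(80)), ("normal", normal_load(200))]:
        print(name, screen_one_second(syns))
```

    Note that with attack-threshold 500 and destination-threshold 1000 on the same destination, at most about 500 SYNs per second are ever proxied, so the alarm-threshold of 500 is only just reachable; a lower alarm-threshold would log the attack earlier.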



  • 5.  RE: Screen option SYN-FLOOD.

    Posted 10-20-2016 07:35

    Hi Dawid,

    you're the man!

     

    I understood the process!!!

     

    The key to understanding it is: the SRX will only proxy SYN segments when the SYN Flood protection kicks in.

     

    Thanks a lot for the explanation. This concept is clear now!!!

     

    João Victor