Hi
I also found that the SYN flood protection behavior does not actually work exactly
the way it is described in the documentation. But first of all, you need to configure a
SCREEN with SYN flood protection AND apply it to the zone. Otherwise, SYN
flood protection is not working for the zone.
There are two SYN flood protection methods available: syn-proxy and syn-cookie.
You can only use one of them at a time on one SRX. It SEEMS from the doc
that by default (if you do not configure SYN flood protection mode), syn-proxy
will work. However, my lab tests that I did a couple of months ago showed
that on 10.4 with SRX-240, syn-cookie is actually used. So it is a good idea to
specify the mode you want to work explicitly.
Another interesting question you raise is those source and destination thresholds.
What I found during tests was that:
- For SYN-cookie: after hitting those thresholds, SYN cookie process is triggered
(firewall replies with an ACK for packets that are above the threshold);
- For SYN proxy, the packets that are in excess of source and destination thresholds
are just DROPPED (this is what is written in doc!) - no proxying is performed.
If someone can confirm/disprove my findings I will be thankful.
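
The setup described in the post above, as an added configuration sketch in Junos set-format (not part of the original post): define the screen, attach it to the zone, and set the protection mode explicitly rather than relying on the default. The screen name `untrust-screen`, the zone name `untrust` and all threshold values are constructed for illustration.

```junos
# 1. Define a screen with SYN flood protection (values are illustrative)
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 512
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20

# 2. Apply the screen to the zone; a screen that is defined but not
#    attached to a zone protects nothing
set security zones security-zone untrust screen untrust-screen

# 3. State the mode explicitly (one mode per device):
#    either syn-cookie or syn-proxy
set security flow syn-flood-protection-mode syn-cookie

# 4. After commit, check from operational mode that the screen is
#    attached and watch the SYN flood counters for the zone
# show security screen ids-option untrust-screen
# show security screen statistics zone untrust
```

Comparing the zone's SYN flood counters before and after a controlled lab test in each mode is one way to check how packets above the source and destination thresholds are handled on a given release.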