SRX

  • 1.  issue in syn flood screen

    Posted 04-07-2012 04:14

    I encountered an issue on an SRX 650, v11.2R2

     

        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                queue-size 2000; ## Warning: 'queue-size' is deprecated
                timeout 20;
            }

     

    client --------  srx650 --------server

     

    in client capture: SYN is sent, SYN-ACK is received and ACK is sent

    in server capture: only the ACK arrives

     

     

    [0:06:07] Robert Cao:        send syn
    client---------->firewall------www

           send syn-ack
    client<----------firewall------www

           send ack
    client---------->firewall------www
                                       send ack
    client----------firewall-------------->www

     

    something is wrong with this

     

    my question is:

    1: how does syn proxy work in SRX?

    2: when will this syn cookie protection be activated? I saw in some articles that when the attack threshold is met, it will be activated.

    which attack threshold?

      attack-threshold ?

    or any threshold in syn flood protection?

     

    3: how to fix this issue?

    4: what is the difference between syn proxy and syn cookie protection?

     

    thanks in advance



  • 2.  RE: issue in syn flood screen

    Posted 04-07-2012 08:34
    1: how does syn proxy work in SRX?
    A. The JunOS security configuration guide (available at the URL below) has a good description of the syn proxy feature.
    http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/jd0e101512.html

    2: when will this syn cookie protection be activated? I saw in some articles that when the attack threshold is met, it will be activated. Which attack threshold? attack-threshold? Or any threshold in syn flood protection?
    A. To enable syn-cookie you will need to configure syn-flood-protection-mode to syn-cookie: "set security flow syn-flood-protection-mode syn-cookie". If you have not configured this option, SRX will activate syn-proxy protection, not syn-cookie.
    http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/jd0e102393.html
    Any of the "Attack Threshold", "Source Threshold" or "Destination Threshold" can trigger syn-proxy or syn-cookie protection.

    3: how to fix this issue?
    A. Not sure of your issue.

    4: what is the difference between syn proxy and syn cookie protection?
    A. Please refer to the JunOS security guide:
    http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/jd0e101512.html
    http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/jd0e102393.html


  • 3.  RE: issue in syn flood screen

    Posted 04-07-2012 08:55

    Hi,

     

    You may check the Network DoS attacks section of the Security Config Guide for full details

     

    http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html

     

     

    1: how does syn proxy work in SRX? (from the security config guide)

     

    Junos OS can impose a limit on the number of SYN segments permitted to pass through the firewall per second. You can base the attack threshold on the destination address and port, the destination address only, or the source address only. When the number of SYN segments per second exceeds one of these thresholds, Junos OS starts proxying incoming SYN segments, replying with SYN/ACK segments and storing the incomplete connection requests in a connection queue. The incomplete connection requests remain in the queue until the connection is completed or the request times out. If the proxied connection queue has completely filled up, and Junos OS is rejecting new incoming SYN segments

     

    2: when will this syn cookie protection be activated? I saw in some articles that when the attack threshold is met, it will be activated.

    which attack threshold?

      attack-threshold ?

    or any threshold in syn flood protection? Yes

     

    3: how to fix this issue?

     

    Have you set the protection mode? You must use either syn-proxy or syn-cookie mode (not both)

     

    set security flow syn-flood-protection-mode (syn-proxy|syn-cookie)

     

    4: what is the difference between syn proxy and syn cookie protection?

     

    syn-proxy is stateful (creates sessions), whereas syn-cookie is stateless. syn-cookie does not use the session table to maintain entries for connections (until it finds that they are valid)



  • 4.  RE: issue in syn flood screen

    Posted 04-07-2012 20:12

    hi, thanks for your reply

     

    so:

     

    1: in the guide, it told us syn cookie protection can be triggered via any threshold in the syn flood config

    But in your reply, I need to set it manually:

    @sjrp01jfw040# set security flow syn-flood-protection-mode ?
    Possible completions:
      syn-cookie           Enable SYN cookie protection
      syn-proxy            Enable SYN proxy protection

    I am confused by this...

     

    2: and if I didn't config this, it will not be enabled, right? But if I config this, I can only use one of them, not both

     

    waiting for your kind reply

     

     



  • 5.  RE: issue in syn flood screen

    Posted 04-07-2012 20:14

    I also want to know how to check the queue when the SRX begins to proxy 3-way handshakes for the server



  • 6.  RE: issue in syn flood screen

    Posted 04-07-2012 20:40

    I know where the security guide or config is

    but they are self-contradictory

    1: attack-threshold will cause the SRX to begin to do syn proxy

          and I see I also need to manually config this syn-flood-protection-mode

     

    2: syn cookie can be enabled when any of the attack thresholds is exceeded

     but, for example: source threshold: the SRX will drop SYNs from the same source IP in one single second, where is the proxy?

    besides, it seems I also need to config it manually (select one between syn proxy and syn cookie)

     

    I want to know what exactly happens in this box

    not the words printed in the doc, and diagram

     

    yes, you can check the diagram seriously, you can find the diagram is wrong (the one which describes syn cookie protection)

    there are 2 SYN packets from the client, it is .......

     

    we use lots of SRXs in datacenters, and to be honest, I always run into issues and most of the time some critical issues can't be fixed in a short time

     

     

    hope I can get the answer from here



  • 7.  RE: issue in syn flood screen
    Best Answer

    Posted 04-09-2012 02:24

    Hi

     

    I also found that the SYN flood protection behavior actually works not exactly the way it is described in documentation. But first of all, you need to configure a SCREEN with SYN flood protection AND apply it to the zone. Otherwise, SYN flood protection is not working for the zone.

    There are two SYN flood protection methods available: syn-proxy and syn-cookie. You can only use one of them at a time on one SRX. It SEEMS from the doc that by default (if you do not configure SYN flood protection mode), syn-proxy will work. However, my lab tests that I've done a couple of months ago showed that on 10.4 with SRX-240, syn-cookie is actually used. So it is a good idea to specify the mode you want to work explicitly.

    Another interesting question you raise is those source and destination thresholds. What I found during tests was that:

    - For SYN-cookie: after hitting those thresholds, the SYN cookie process is triggered (firewall replies with an ACK for packets that are above the threshold);

    - For SYN proxy, the packets that are in excess of source and destination thresholds are just DROPPED (this is what is written in doc!) - no proxying is performed.

    If someone can confirm/disprove my findings I will be thankful.
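    The two points that run through this thread (post 3: syn-proxy is stateful and keeps a queue of half-open connections, syn-cookie is stateless; the quoted guide and the reply above: protection only kicks in once a per-second threshold is exceeded, and a full proxy queue means new SYNs are rejected) are easier to see in a small model than in the diagram. The Python below is an added example written for this thread; it is not Juniper code and does not reproduce Junos internals. It models only a single attack-threshold (SYNs per second) and a bounded proxy queue; the cookie secret, the 64-second time slot, and the counter-based ISNs are constructed assumptions, and the source/destination thresholds and real timers are not modelled.

```python
import hashlib
import hmac
from collections import OrderedDict

# Assumption: a per-device secret used to derive cookies; real implementations rotate it.
COOKIE_SECRET = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF


def make_syn_cookie(src, sport, dst, dport, slot):
    """Stateless SYN cookie: a 32-bit MAC over the 4-tuple and a coarse time slot.

    The firewall stores nothing for the half-open connection; the client's ACK
    carries the cookie back (as ack number minus one) and is verified on arrival.
    """
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class SynFloodScreen:
    """Toy model of a zone screen with a single tcp syn-flood attack-threshold
    (SYNs per second).  mode is 'syn-proxy' (stateful: half-open connections are
    held in a queue bounded by queue_size) or 'syn-cookie' (stateless: no queue).
    Source/destination thresholds and the real Junos timers are not modelled."""

    SLOT_SECONDS = 64  # cookie time slot; the current and previous slot are accepted

    def __init__(self, mode, attack_threshold, queue_size=2000):
        if mode not in ("syn-proxy", "syn-cookie"):
            raise ValueError("mode must be 'syn-proxy' or 'syn-cookie'")
        self.mode = mode
        self.attack_threshold = attack_threshold
        self.queue_size = queue_size
        self._window = None       # one-second window being counted
        self._syn_count = 0       # SYNs seen in that window
        self._next_isn = 0x1000   # ISN generator for proxied SYN/ACKs (constructed)
        self.half_open = OrderedDict()  # 4-tuple -> ISN, used by syn-proxy only

    def _count_syn(self, now):
        window = int(now)
        if window != self._window:
            self._window, self._syn_count = window, 0
        self._syn_count += 1
        return self._syn_count

    def on_syn(self, src, sport, dst, dport, now):
        """Handle a client SYN.  Returns (action, seq): action is 'forward'
        (below threshold, passed to the server), 'proxy' or 'cookie' (the
        firewall answers SYN/ACK itself with sequence number seq), or 'drop'."""
        if self._count_syn(now) <= self.attack_threshold:
            return "forward", None
        key = (src, sport, dst, dport)
        if self.mode == "syn-cookie":
            return "cookie", make_syn_cookie(*key, int(now) // self.SLOT_SECONDS)
        if key in self.half_open:           # retransmitted SYN: re-use the queued ISN
            return "proxy", self.half_open[key]
        if len(self.half_open) >= self.queue_size:
            return "drop", None             # proxy queue full: new SYN is rejected
        isn = self._next_isn
        self._next_isn = (self._next_isn + 1) & MASK32
        self.half_open[key] = isn
        return "proxy", isn

    def on_ack(self, src, sport, dst, dport, ack_num, now):
        """Handle the client's final handshake ACK for a firewall-answered SYN.
        Returns 'complete' when the firewall would now open the server side,
        'invalid' otherwise."""
        key = (src, sport, dst, dport)
        expected = (ack_num - 1) & MASK32   # the ACK acknowledges our seq + 1
        if self.mode == "syn-cookie":
            slot = int(now) // self.SLOT_SECONDS
            ok = any(make_syn_cookie(*key, s) == expected for s in (slot, slot - 1))
            return "complete" if ok else "invalid"
        if self.half_open.get(key) == expected:
            del self.half_open[key]         # proxied connection completed
            return "complete"
        return "invalid"


def simulate_burst(mode, n_syns, attack_threshold=3, queue_size=1, now=1000.0):
    """Send n_syns SYNs (constructed addresses) within one second and return
    the per-SYN action the screen takes."""
    screen = SynFloodScreen(mode, attack_threshold, queue_size)
    actions = []
    for i in range(n_syns):
        action, _ = screen.on_syn("192.0.2.10", 40000 + i, "198.51.100.5", 80, now)
        actions.append(action)
    return actions


def complete_handshake(mode, now=1000.0):
    """Drive one firewall-answered handshake to completion and return
    (syn_action, ack_result, half_open_entries_after)."""
    screen = SynFloodScreen(mode, attack_threshold=0, queue_size=10)
    action, seq = screen.on_syn("192.0.2.10", 40000, "198.51.100.5", 80, now)
    result = screen.on_ack("192.0.2.10", 40000, "198.51.100.5", 80, (seq + 1) & MASK32, now)
    return action, result, len(screen.half_open)


if __name__ == "__main__":
    for mode in ("syn-proxy", "syn-cookie"):
        print(mode, simulate_burst(mode, 5), complete_handshake(mode))
```

    Running it with a threshold of 3 and a proxy queue of 1 shows the contrast directly: in syn-proxy mode the fourth SYN is answered and queued and the fifth is dropped because the queue is full, while in syn-cookie mode every SYN above the threshold is answered with a cookie and the half-open table stays empty. Retransmitted SYNs in proxy mode re-use the queued ISN instead of taking another slot, and an ACK whose cookie does not verify is simply treated as invalid.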



  • 8.  RE: issue in syn flood screen

    Posted 04-08-2012 00:58

    Hi,

     

    It is NOT possible to check either the syn-flood queue status or to modify the queue-size (it must be hard coded with some defaults)

     

    queue-size 2000; ## Warning: 'queue-size' is deprecated  << as this is not supported in SRX. 

     

    and the diagram in the Security config guide - YES, I agree with you, it needs to be corrected.