SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  It seems I suffer from a DoS attack, how can I confirm that

    Posted 02-10-2015 13:32

    When I use the command on SRX1400


    set security screen ids-option untrust-screen limit-session destination-ip-based 80

    and show 


    show security screen statistics zone Zone-Interco-IGW | match Destination  

     

    Destination session limit increases by 300 in less than 1 s every time I issue this command. How can I confirm whether I suffer a DoS attack or a session table attack?



  • 2.  RE: It seems I suffer from a DoS attack, how can I confirm that

    Posted 02-10-2015 21:06

    As per the standard, the session limit for the source and destination is around 4096, so I guess it should be OK

    if the source and destination session limit is below 4k.



  • 3.  RE: It seems I suffer from a DoS attack, how can I confirm that

    Posted 02-11-2015 02:14

    It increased to more than 100K in about 10 hours. Is it still OK?



  • 4.  RE: It seems I suffer from a DoS attack, how can I confirm that
    Best Answer

     
    Posted 02-11-2015 02:57

    Screens are very tricky to configure, as you really need to understand your traffic patterns in order to set proper thresholds for the various 'attacks'.  Without knowing what you have behind your SRX, it would be impossible for someone to tell you that "100K in 10 hours" is okay, as it may be completely normal for your network.



  • 5.  RE: It seems I suffer from a DoS attack, how can I confirm that

    Posted 02-11-2015 05:42

    After thinking carefully, I think it is normal, because we use source NAT: about 80 public IPs with 30 private class C networks. Thank you for your reply.
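
Added example, not part of any post in this thread: one way to compare the destination-ip-based limit of 80 with real traffic is to count concurrent sessions per destination IP in a saved session listing, along with how many distinct sources hold them. The listing layout (the style of `show security flow session` output), the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the "In:" leg of a session entry: source/port --> destination/port;protocol
# (assumed layout of the saved session listing)
IN_LEG = re.compile(r"^\s*In:\s+(\S+?)/\d+\s+-->\s+(\S+?)/\d+;\w+")

def sessions_per_destination(text):
    """Return (sessions per destination IP, distinct source IPs per destination IP)."""
    counts, sources = Counter(), defaultdict(set)
    for line in text.splitlines():
        m = IN_LEG.match(line)
        if m:
            src, dst = m.groups()
            counts[dst] += 1
            sources[dst].add(src)
    return counts, sources

def over_limit(text, limit=80):
    """Destinations whose concurrent sessions exceed the screen limit, busiest first."""
    counts, sources = sessions_per_destination(text)
    return [(dst, n, len(sources[dst])) for dst, n in counts.most_common() if n > limit]

def constructed_sample():
    """Constructed session listing: 120 clients to one server, 5 sessions to another."""
    lines = []
    for i in range(120):
        lines += [
            f"Session ID: {i + 1}, Policy name: out/4, Timeout: 1800, Valid",
            f"  In: 192.168.{i % 30}.{10 + i}/{40000 + i} --> 203.0.113.10/443;tcp, If: reth0.0",
            f"  Out: 203.0.113.10/443 --> 198.51.100.{1 + i % 80}/{20000 + i};tcp, If: reth1.0",
        ]
    for i in range(5):
        lines += [
            f"Session ID: {200 + i}, Policy name: out/4, Timeout: 60, Valid",
            f"  In: 192.168.1.50/{50000 + i} --> 203.0.113.20/53;udp, If: reth0.0",
            f"  Out: 203.0.113.20/53 --> 198.51.100.9/{30000 + i};udp, If: reth1.0",
        ]
    return "\n".join(lines)

if __name__ == "__main__":
    for dst, n, nsrc in over_limit(constructed_sample(), limit=80):
        print(f"{dst}: {n} sessions from {nsrc} distinct sources (limit 80)")
```

Running the same count over listings saved at different times of day gives the per-destination baseline that a threshold can then be set against.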