SRX Services Gateway
Contributor
Posts: 32
Registered: ‎06-28-2013

syn-ack-ack and limit session

Hi

I would like to know, too, whether the limit-session option considers a complete three-way handshake as a session, or only a SYN sent by a source.

I would like to understand the relationship between the following Screen options:
- limit-session
- syn-ack-ack proxy

What happens if I set a limit-session threshold of 100 and a syn-ack-ack threshold of 200?

João Victor
Distinguished Expert
Posts: 1,048
Registered: ‎08-29-2013

Re: syn-ack-ack and limit session

Hi João,

As per Junos flow processing, Screen options come first, before any other check, which means the counter for the session limit starts as soon as the SRX receives a SYN.

So if you set session-limit to 100, the 101st packet will be discarded by the SRX Screen. I hope this answers your questions.

Thanks,
Suraj
Contributor
Posts: 32
Registered: ‎06-28-2013

Re: syn-ack-ack and limit session

Hi Suraj,

Thanks for your reply.

I think I did understand the meaning of these features.

But I didn't understand the relationship between them (syn-ack-ack and limit-session).

For example, if I set a session limit of 100 (with the command "limit session source-ip-based 100"), can this overlap a syn-ack-ack configuration (with the command "tcp syn-ack-ack-proxy threshold 150")?

Another question is about the limit session: will "limit session source-ip-based xxx" consider a session to be a complete three-way handshake, or can the first SYN segment sent from a source address already be counted as a "session"?

Again, thanks for spending your time answering my question.

I'm studying for the JNCIS-SEC and I really would like to learn Screen options perfectly!!!

João Victor

Distinguished Expert
Posts: 1,808
Registered: ‎06-06-2011

Re: syn-ack-ack and limit session


The Screen options you reference do not overlap, as they are designed to protect against two different types of attacks. Let me start with the syn-ack-ack proxy.

This is designed to protect a server from having its resources exhausted. Let's say an authenticating user initiates a telnet connection to a server protected by the SRX: the user sends a SYN segment to the telnet server. The SRX intercepts the SYN segment (acting as a proxy between the user and the server), creates an entry in its session table, and proxies a SYN-ACK segment back to the user. The user then replies with an ACK segment. At this point, the initial three-way handshake is complete, and the SRX sends a login prompt to the user. A legitimate user will log in; an attacker with malicious intent, however, does not log in but instead keeps initiating SYN-ACK-ACK sessions, and the firewall session table can fill up to the point where the device begins rejecting legitimate connection requests. To prevent such an attack, you can enable the SYN-ACK-ACK proxy Screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the SRX rejects further connection requests from that IP address. By default, the threshold is 512 connections from any single IP address. So a session is never established between the user and the server; the SRX holds the connection so that only valid sessions can be established.

SYN, SYN-ACK and ACK are the three messages transmitted by TCP to negotiate and establish parameters to start a TCP session between two network devices.

The limit-session Screen option allows the session to be established, and you then define the maximum number of sessions either from the same source IP address or to the same destination IP address. Now that the communication is passing through the SRX, it keeps track of the sessions in the session table and counts them based on the source/destination address option that you define.

If all the connection attempts originate from the same source IP address, e.g. Nimda, a source-based session limit is a great option to protect against this type of attack.

Limiting the number of concurrent sessions to the same destination IP address is useful for DDoS attacks, where the attack can come from multiple source IP addresses, e.g. botnets, where an attacker in control of hundreds of thousands of compromised computers can launch an attack on a server/router/firewall. The SRX allows only an acceptable number of concurrent connection requests, no matter what the source IP address is.

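To make the two thresholds discussed in this thread concrete, here is an added Junos configuration example (not posted by anyone in the thread) that puts both Screen options into one ids-option and binds it to a zone. The 100 and 150 values come from the thread; the screen name untrust-screen, the destination-ip-based value of 2000 and the interface ge-0/0/0.0 are assumptions.

```junos
security {
    screen {
        ids-option untrust-screen {
            /* limit-session: counts concurrent sessions in the session table;
               per the thread, a source's counter starts at its first SYN,
               so the 101st session attempt from one source is dropped */
            limit-session {
                source-ip-based 100;
                /* destination cap catches many-source floods on one server
                   (assumed value, tune to the server's real capacity) */
                destination-ip-based 2000;
            }
            tcp {
                /* syn-ack-ack-proxy: handshakes the SRX proxies and holds
                   until the client continues; after 150 such connections
                   from one source, further requests from it are refused */
                syn-ack-ack-proxy {
                    threshold 150;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            /* a Screen is evaluated for traffic entering this zone,
               before policy lookup, so both counters act on ingress */
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

Check the resulting thresholds with `show security screen ids-option untrust-screen` and watch the per-option drop counters with `show security screen statistics zone untrust`, which is where a tripped limit-session or syn-ack-ack-proxy limit shows up.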
Contributor
Posts: 32
Registered: ‎06-28-2013

Re: syn-ack-ack and limit session

Great explanation,

Thanks a lot for spending your time helping me prepare for the JNCIS-SEC.

A question: are you a teacher? If not, you should be.

Thanks

João Victor

Distinguished Expert
Posts: 1,808
Registered: ‎06-06-2011

Re: syn-ack-ack and limit session

I do a little something.
Distinguished Expert
Posts: 1,808
Registered: ‎06-06-2011

Re: syn-ack-ack and limit session

Thanks!

To pass that test you have to go to the exam topics and look at what the objectives are. Sometimes there are new ones which are not directly covered in the training material.

https://www.juniper.net/us/en/training/certification/resources/jncis-sec/

Also, I find the book Juniper SRX Series and the docs on the Juniper website to be very helpful.

http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/secur...

http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/security-packet-based-processing-u...

You can check these out to help in preparing. Best wishes.
Contributor
Posts: 32
Registered: ‎06-28-2013

Re: syn-ack-ack and limit session

Hi

João Victor