Screen OS

  • 1.  SYN flood default settings

    Posted 07-01-2009 03:52

    Hello,

    I have a problem with SYN flood recently and I would like to ask about the default settings for SYN flood protection. I have a Netscreen 208 with 5.4.0r6.0 software. I've found in Juniper docs that for the Netscreen-200 series the max amount of new sessions/second is 11500, but the default settings for SYN flood allow 40000 pps per destination:

    get zone Untrust screen
    Screen function only generate alarm without dropping packet: OFF.
    Teardrop attack protection                          on
    SYN flood protection(200)                           on
            Alarm  Threshold: 1024
            Queue  Size     : 10240
            Timeout Value   : 20
            Source Threshold: 4000
            Destination Threshold: 40000

    As I understand, 40000 pps is equal to 40000 new sessions/second. Am I right, and is it possible to serve 40k pps when the max new sessions/sec is 11500?

    Regards

    apapierz
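    As an added illustration (not part of the original post), here is a small Python parser for the `get zone <zone> screen` output quoted above. It pulls out the SYN flood screen settings and flags any source or destination threshold that exceeds a platform's documented new-session rate; the 11500 sessions/second figure and the sample output are the ones the question cites, while the dict key names and the finding text are my own wording.

```python
import re

# Constructed sample: the `get zone Untrust screen` output quoted in the question above.
SAMPLE_OUTPUT = """\
get zone Untrust screen
Screen function only generate alarm without dropping packet: OFF.
Teardrop attack protection                          on
SYN flood protection(200)                           on
        Alarm  Threshold: 1024
        Queue  Size     : 10240
        Timeout Value   : 20
        Source Threshold: 4000
        Destination Threshold: 40000
"""

# Documented new-session rate for the NetScreen-200 series, as cited in the question.
NS200_MAX_NEW_SESSIONS_PER_SEC = 11500

# Matches the "Label   : number" lines under the SYN flood entry.
_THRESHOLD_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", re.M)


def parse_screen_output(text):
    """Pull the SYN flood settings out of `get zone <zone> screen` output.

    Returns a dict with keys attack_threshold, enabled, alarm_only and one
    snake_case key per threshold line (alarm_threshold, queue_size,
    timeout_value, source_threshold, destination_threshold).
    """
    settings = {}
    m = re.search(r"SYN flood protection\((\d+)\)\s+(on|off)", text)
    if m:
        settings["attack_threshold"] = int(m.group(1))
        settings["enabled"] = m.group(2) == "on"
    m = re.search(r"alarm without dropping packet:\s*(ON|OFF)", text)
    if m:
        settings["alarm_only"] = m.group(1) == "ON"
    for label, value in _THRESHOLD_LINE.findall(text):
        key = "_".join(label.split()).lower()   # "Alarm  Threshold" -> "alarm_threshold"
        settings[key] = int(value)
    return settings


def check_thresholds(settings, max_new_sessions_per_sec):
    """Return a list of findings about screen settings that cannot do their job."""
    findings = []
    if not settings.get("enabled", False):
        findings.append("SYN flood protection is off")
    if settings.get("alarm_only", False):
        findings.append("screen is alarm-only: floods are logged, not dropped")
    for key in ("source_threshold", "destination_threshold"):
        value = settings.get(key)
        if value is not None and value > max_new_sessions_per_sec:
            findings.append(
                f"{key} {value} SYN/s exceeds the platform's {max_new_sessions_per_sec} "
                "new sessions/s: the box can be saturated before the screen triggers"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_screen_output(SAMPLE_OUTPUT)
    for finding in check_thresholds(parsed, NS200_MAX_NEW_SESSIONS_PER_SEC):
        print(finding)
```

    Run against the sample, the parser reports the destination threshold of 40000 as the only setting above the 11500 figure; the 4000 source threshold passes.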



  • 2.  RE: SYN flood default settings

    Posted 07-05-2009 17:02

    apapierz,

    There is no relation b/w pps and sessions/sec.

    pps is your rate of sending data

    thanks

    Raheel Anwar



  • 3.  RE: SYN flood default settings
    Best Answer

    Posted 07-05-2009 18:48


    SYN flood protection(200) is the default setting to block the traffic if a particular source is sending more than 200 SYN flood packets per second. But this setting could be ineffective if the source is sending under 200 SYN flood packets per second, and the firewall will not be able to block the traffic. For this kind of condition, you can set the setting for source- and destination-based limitation, e.g.:

                "set zone trust screen limit-session source-ip-based 80"

                "set zone trust screen limit-session destination-ip-based 80"

    This will only allow 80 sessions to be created based on source and destination IP address.

    Please go to the following link on page 30: http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v4.pdf for more detail.

    Also check whether the first packet of the flood is a SYN packet or a non-SYN packet. The firewall will not create a session if the first packet is a non-SYN packet when this command is enabled: "set flow tcp-syn-check".

    If the incoming packets are not matching the existing session (session matching is based on the source and destination IP addresses and the source and destination ports), then the firewall has to create a new session for the incoming packets. So 4000 pps will be 4000 sessions/second.

    I doubt the NS200 would be able to support 11500 SYN packets/sec (sessions/sec). But it can support 11500 packets/sec if they are matching an existing session.


    Thanks

    Atif
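    The session-creation path described in the answer above, as an added toy model in Python (not ScreenOS code and not from the original post): each packet is looked up in a session table keyed on source/destination IP and port; with the modelled `tcp-syn-check` a non-SYN packet that matches no session never creates one, and the modelled `source-ip-based` and `destination-ip-based` limits of 80 refuse new sessions beyond that count. The packet stream, the addresses and the stat names are constructed for the example; the real device's ordering of checks is not documented on this page, so the order used here (match, SYN check, source limit, destination limit) is an assumption.

```python
from collections import defaultdict


class SessionTable:
    """Minimal model of a stateful firewall's TCP session table."""

    def __init__(self, syn_check=True, src_limit=None, dst_limit=None):
        self.syn_check = syn_check      # models `set flow tcp-syn-check`
        self.src_limit = src_limit      # per-source-IP session cap (None = unlimited)
        self.dst_limit = dst_limit      # per-destination-IP session cap (None = unlimited)
        self.sessions = set()           # key: (src_ip, src_port, dst_ip, dst_port)
        self.per_src = defaultdict(int)
        self.per_dst = defaultdict(int)
        self.stats = defaultdict(int)

    def handle(self, pkt):
        """Process one packet dict, update the counters and return the verdict."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.sessions:
            verdict = "matched"              # existing session: the cheap fast path
        elif self.syn_check and "S" not in pkt["flags"]:
            verdict = "dropped_non_syn"      # no session and not a SYN: never create one
        elif self.src_limit is not None and self.per_src[pkt["src"]] >= self.src_limit:
            verdict = "dropped_src_limit"    # this source already holds its quota
        elif self.dst_limit is not None and self.per_dst[pkt["dst"]] >= self.dst_limit:
            verdict = "dropped_dst_limit"    # this destination already holds its quota
        else:
            self.sessions.add(key)
            self.per_src[pkt["src"]] += 1
            self.per_dst[pkt["dst"]] += 1
            verdict = "created"              # new session: the expensive path
        self.stats[verdict] += 1
        return verdict


def tcp(src, sport, dst, dport, flags):
    """Build a constructed packet record; flags is a string such as "S" or "A"."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def run_scenario(syn_check=True, src_limit=80, dst_limit=80):
    """Replay a constructed packet stream and return the verdict counts."""
    table = SessionTable(syn_check, src_limit, dst_limit)
    packets = [
        tcp("10.0.0.5", 40000, "192.0.2.10", 80, "S"),   # legitimate handshake start
        tcp("10.0.0.5", 40000, "192.0.2.10", 80, "A"),   # follow-up packet, matches the session
        tcp("10.0.0.6", 50000, "192.0.2.10", 80, "A"),   # stray ACK with no session behind it
    ]
    # 100 SYNs from one source toward the same server, each on a fresh source port
    packets += [tcp("198.51.100.7", 20000 + i, "192.0.2.10", 80, "S") for i in range(100)]
    # 100 SYNs from a second source toward a second server
    packets += [tcp("203.0.113.9", 30000 + i, "192.0.2.20", 443, "S") for i in range(100)]
    for pkt in packets:
        table.handle(pkt)
    return dict(table.stats)


if __name__ == "__main__":
    print("with syn-check and limits:", run_scenario())
    print("with nothing enabled:     ", run_scenario(syn_check=False, src_limit=None, dst_limit=None))
```

    With the defaults the stray ACK is dropped, the first burst is capped at 79 new sessions because the legitimate session already counts toward the destination's quota of 80, and the second burst is capped at 80 by the source limit. With `syn_check=False` and no limits every one of the 200 SYNs and the stray ACK becomes a session, which is the point the answer makes: packets that match no session cost a session each, so 4000 such pps is 4000 sessions/second.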




  • 4.  RE: SYN flood default settings

    Posted 07-23-2009 23:40

    Thank You,

    I have limited sessions on the basis of destination IP address. It looks like everything works fine; the firewall drops sessions when the session limit is reached.

    Thanks again

    Andrzej



  • 5.  RE: SYN flood default settings

    Posted 07-24-2009 17:55
    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.