SRX

  • 1.  syn-ack-ack and limit session

    Posted 03-01-2017 18:50

Hi

I would like to know whether the limit-session screen counts a complete three-way handshake as a session, or only a SYN sent by a source.

I would like to understand the relationship between the following screen options:
- Limit-session
- syn-ack-ack proxy

What happens if I set limit-session to a threshold of 100 and syn-ack-ack to a threshold of 200?

João Victor



  • 2.  RE: syn-ack-ack and limit session

     
    Posted 03-01-2017 23:54

Hi João,

As per Junos flow processing, Screen options come first, before any other check, which means the counter for the session limit starts as soon as it receives a SYN.

So if you set session-limit to 100, the 101st packet will be discarded by the SRX Screen. I hope this answers your questions.



  • 3.  RE: syn-ack-ack and limit session

    Posted 03-02-2017 17:12

Hi Suraj,

Thanks for your reply.

I think I understood the meaning of these features.

But I didn't understand the relationship between them (syn-ack-ack and limit-session).

For example, if I set a session limit of 100 (with the command "limit-session source-ip-based 100"), can this overlap a syn-ack-ack configuration (with the command "tcp syn-ack-ack-proxy threshold 150")?

Another question is about the session limit: does "limit-session source-ip-based xxx" count a complete three-way handshake as a session, or can the first SYN segment sent from a source address already be counted as a "session"?

Again, thanks for spending your time answering my question. 🙂

I'm studying for the JNCIS-SEC and I really would like to learn the Screen options perfectly!!! 🙂

João Victor

     

     



  • 4.  RE: syn-ack-ack and limit session

    Posted 03-07-2017 19:17
I do a little something :)


  • 5.  RE: syn-ack-ack and limit session
    Best Answer

    Posted 03-03-2017 01:50

The screen options you reference do not overlap, as they are designed to protect against two different types of attacks. Let me start with the SYN-ACK-ACK proxy.

This is designed to protect a server from having its resources exhausted. Let's say a user initiates a telnet connection to a server protected by the SRX: the user sends a SYN segment to the telnet server. The SRX intercepts the SYN segment (acting as a proxy between the user and the server), creates an entry in its session table, and proxies a SYN-ACK segment back to the user. The user then replies with an ACK segment. At this point the initial three-way handshake is complete, and the SRX sends a login prompt to the user. A legitimate user will log in. An attacker with malicious intent, however, does not log in, but instead keeps initiating SYN-ACK-ACK sessions, and the firewall session table can fill up to the point where the device begins rejecting legitimate connection requests. To prevent such an attack, you can enable the SYN-ACK-ACK proxy Screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the SRX rejects further connection requests from that IP address. By default, the threshold is 512 connections from any single IP address. So a session is never established between the user and the server: the SRX holds the connection so that only valid sessions can be established.

SYN, SYN-ACK and ACK are the three messages TCP exchanges to negotiate the parameters and establish a TCP session between two network devices.

The session-limit Screen option allows sessions to be established, and you then define the maximum number of sessions either from the same source IP address or to the same destination IP address. As the communication passes through the SRX, it keeps track of the sessions in the session table and counts them according to the source/destination address option you define.

If all the connection attempts originate from the same source IP address (e.g. Nimda), a source-based session limit is a great option to protect against this type of attack.

Limiting the number of concurrent sessions to the same destination IP address is useful for DDoS attacks, where the attack can come from many source IP addresses, e.g. botnets, where an attacker in control of hundreds of thousands of compromised computers can launch an attack on a server/router/firewall. The SRX then allows only an acceptable number of concurrent connection requests, no matter what the source IP address is.
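As an added illustration (not part of the original thread), here is how both screens from João's question would sit together in one Junos screen profile and be bound to the ingress zone. The profile name `untrust-screen` and zone name `untrust` are assumptions; the `#` lines are annotations, not CLI input.

```junos
# Added example, not from the thread. Profile "untrust-screen" and zone "untrust" are assumed.
# Concurrent-session cap per source IP (the "limit session source-ip-based 100" in the question)
set security screen ids-option untrust-screen limit-session source-ip-based 100
# Per-source cap on proxied handshakes that never proceed past the SRX (the "threshold 150" in the question)
set security screen ids-option untrust-screen tcp syn-ack-ack-proxy threshold 150
# Optional while tuning: log screen hits without dropping; delete this line once thresholds are confirmed
set security screen ids-option untrust-screen alarm-without-drop
# Screens are evaluated on the zone the packet enters, so bind the profile to the ingress zone
set security zones security-zone untrust screen untrust-screen
commit

# Verification from operational mode
show security screen ids-option untrust-screen
show security screen statistics zone untrust
clear security screen statistics zone untrust
```

`show security screen statistics zone untrust` reports separate counters for the source session limit and for the SYN-ACK-ACK proxy, so after a test you can see which of the two screens actually fired rather than guessing from dropped connections.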



  • 6.  RE: syn-ack-ack and limit session

    Posted 03-07-2017 17:30

Great explanation,

Thanks a lot for spending your time helping me prepare for the JNCIS-SEC.

A question: are you a teacher? If not, you should be.

Thanks

João Victor



  • 7.  RE: syn-ack-ack and limit session

    Posted 03-07-2017 19:30

    🙂 Thanks:)

To pass that test you have to go to the exam topics and look at what the objectives are. Sometimes there are new ones which are not directly covered in the training material.

https://www.juniper.net/us/en/training/certification/resources/jncis-sec/

Also, I find the book Juniper SRX Series and the docs on the Juniper website to be very helpful.

    http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-processing-flow-based.html#overview

    http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/security-packet-based-processing-understanding.html

    You can check these out to help in preparing. Best of wishes.



  • 8.  RE: syn-ack-ack and limit session

    Posted 03-08-2017 18:42

    Hi