
[ScreenOS] SYN-Flood protection thresholds
Article ID: KB24295    KB Last Updated: 24 May 2012    Version: 1.0
Summary:
This article provides information about the various thresholds of SYN-Flood protection.
Symptoms:
The documentation in the C&E guide (Release 6.3.0, Rev. 01) regarding the thresholds is confusing and partly incorrect. The confusing part relates to the port numbers.

Statements which need clarification:

  • Attack Threshold: The number of SYN segments (that is, TCP segments with the SYN flag being set) to the same destination address and port number per second required to activate the SYN proxying mechanism.

  • Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address, regardless of the destination IP address and port number, before the security device begins to drop connection requests from the source.

Incorrect information:

"Source Threshold: [...] Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address and destination port number.

Destination Threshold: This option allows you to specify the number of SYN segments received per second for a single destination IP address before the security device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based on destination IP address only—regardless of the destination port number.

Tracking a SYN flood by destination address uses different detection parameters from tracking a SYN flood by destination address and destination port number. Consider the following case where the security device has policies permitting FTP requests (port 21) and HTTP requests (port 80) to the same server. If the SYN flood attack threshold is 1000 packets per second (pps) and an attacker sends 999 FTP packets and 999 HTTP packets per second, neither set of packets (where a set is defined as having the same destination address and port number) activates the SYN proxying mechanism.

The basic SYN flood attack mechanism tracks the destination address and port number, and neither set exceeds the attack threshold of 1000 pps. However, if the destination threshold is 1000 pps, the device treats both FTP and HTTP packets with the same destination address as members of a single set and rejects the 1001st packet—FTP or HTTP—to that destination.
"

Cause:
SYN-flood detection for the attack threshold is performed per incoming (ingress) interface port, not per TCP destination port.
Solution:
Be aware of when SYN-flood protection is triggered: packets sent to different destination ports but to the same destination IP, arriving at the firewall on the same ingress interface, are counted together and can cause the screen to take effect.

SYN-Flood protection has the following thresholds:

  • Attack threshold: This threshold is evaluated per destination IP + ingress interface port (physical or logical). Assume that the attack threshold is 20: the threshold is triggered only if 20 PPS arrive for the same destination IP on the same ingress interface. If 20 PPS arrive for the same destination IP but are distributed among multiple incoming interfaces, the attack threshold is not triggered.

  • Destination threshold: This threshold is evaluated on the destination IP only. Assume that the destination threshold is 20 and there are four ingress interfaces, each carrying 5 connections per second to this destination IP (20 PPS in all): this triggers the destination threshold. It is equally triggered if all 20 PPS arrive on a single ingress interface.

  • Source threshold: This threshold is evaluated on the source IP only. Assume that the source threshold is 20 and there are four ingress interfaces, each carrying 5 connections per second from this source IP (20 PPS in all): this triggers the source threshold. It is equally triggered if all 20 PPS arrive on a single ingress interface.
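To make the difference between the guide's description and the behaviour described above concrete, here is an added Python model (not Juniper's code or the ScreenOS implementation) that counts one second of constructed SYN records under each threshold key: the guide's FTP/HTTP scenario (999 + 999 SYN/s to one server on one interface) and the four-interface spread from the bullets. Interface names, addresses and the "counter equal to threshold counts as triggered" boundary are assumptions.

```python
from collections import Counter

# Constructed sample traffic: one second of SYN segments, each as
# (src_ip, dst_ip, dst_port, ingress_interface). Not captured data.
def syns(n, src, dst, port, iface):
    return [(src, dst, port, iface)] * n

# The guide's scenario: 999 FTP + 999 HTTP SYNs/s to one server,
# all arriving on the same ingress interface.
FTP_HTTP_SECOND = (syns(999, "203.0.113.5", "192.0.2.10", 21, "ethernet0/1")
                   + syns(999, "203.0.113.5", "192.0.2.10", 80, "ethernet0/1"))

# The article's spread case: 5 SYNs/s on each of four ingress interfaces,
# each from a different source, all to one destination IP.
SPREAD_SECOND = []
for n, iface in enumerate(["ethernet0/0", "ethernet0/1", "ethernet0/2", "ethernet0/3"]):
    SPREAD_SECOND += syns(5, f"203.0.113.{n + 1}", "192.0.2.10", 80, iface)

def triggered(syn_list, attack=1000, destination=1000, source=1000):
    """Return, per screen, the sorted keys whose SYN count reaches the threshold.

    Keys follow the article's description of ScreenOS behaviour:
      attack       -> (dst_ip, ingress_interface)
      destination  -> dst_ip
      source       -> src_ip
    'attack_as_documented' uses the guide's (dst_ip, dst_port) key for contrast.
    Assumption: a count equal to the threshold counts as triggered.
    """
    counts = {
        "attack": Counter((d, i) for s, d, p, i in syn_list),
        "attack_as_documented": Counter((d, p) for s, d, p, i in syn_list),
        "destination": Counter(d for s, d, p, i in syn_list),
        "source": Counter(s for s, d, p, i in syn_list),
    }
    limits = {"attack": attack, "attack_as_documented": attack,
              "destination": destination, "source": source}
    return {name: sorted(k for k, n in c.items() if n >= limits[name])
            for name, c in counts.items()}

if __name__ == "__main__":
    # Same dst IP + same interface: attack screen fires even though no
    # single (dst IP, dst port) set reaches 1000 as the guide describes.
    print(triggered(FTP_HTTP_SECOND))
    # Spread over four interfaces: destination screen fires, attack does not.
    print(triggered(SPREAD_SECOND, attack=20, destination=20, source=20))
```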