
[ScreenOS] What happens to TCP Options Field when device proxies the connection due to SYN proxy getting triggered in SYN flood protection?

Article ID: KB28547
Last Updated: 21 Jul 2016
Version: 2.0
Summary:

This article explains how ScreenOS firewalls handle TCP options after SYN flood protection triggers the SYN proxy.

Symptoms:

What happens to the TCP Options field when device proxies the connection due to SYN proxy getting triggered in SYN flood protection?

Solution:

Once the SYN flood protection threshold is reached, the firewall switches to SYN proxy mode and handles each new connection in two steps:

  1. The firewall no longer forwards the client's SYN to the actual destination. Instead, it answers the client with a SYN/ACK on behalf of the destination.

  2. The firewall waits for the three-way handshake between the source and itself to complete. Only then does it open a new connection to the actual destination by sending its own SYN, completing a second three-way handshake between the firewall and the destination. (See KB21780 for more information.)

Because the firewall originates the second SYN itself, any TCP options carried in the client's original SYN are not copied into it, with the single exception of the TCP MSS option. In other words, the TCP options are stripped: window scale, SACK-permitted, timestamps and any other option the client offered are not negotiated on the firewall-to-server leg of a proxied connection.

For MSS, the firewall preserves the client's MSS value. However, if set flow all-tcp-mss <value> is configured, the firewall rewrites the MSS to the configured value when the traffic is processed by AV, DI or an ALG.
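The following Python model, added here for illustration and not ScreenOS code, shows what the option handling above means at the byte level: it parses the options field of a client SYN, then builds the options field the proxy puts in its own SYN to the server, keeping only MSS and rewriting it only when an all-tcp-mss value is configured and the session is one handled by AV, DI or an ALG. The function names, the `inspected` flag used to stand in for "processed by AV, DI or ALG", and the sample options bytes are all assumptions constructed for the example.

```python
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_WSCALE = 3
TCPOPT_SACK_PERMITTED = 4
TCPOPT_TIMESTAMP = 8

OPTION_NAMES = {
    TCPOPT_EOL: "EOL", TCPOPT_NOP: "NOP", TCPOPT_MSS: "MSS",
    TCPOPT_WSCALE: "WSCALE", TCPOPT_SACK_PERMITTED: "SACK-PERMITTED",
    TCPOPT_TIMESTAMP: "TIMESTAMP",
}

# Constructed sample: options field of a typical client SYN.
# MSS 1460, SACK-permitted, timestamps, NOP padding, window scale 7 (20 bytes).
CLIENT_SYN_OPTIONS = bytes.fromhex(
    "020405b4"          # kind 2, len 4, MSS 1460
    "0402"              # kind 4, len 2, SACK permitted
    "080a0001000000000000"  # kind 8, len 10, TSval 65536, TSecr 0
    "01"                # NOP
    "030307"            # kind 3, len 3, window scale 7
)


def parse_tcp_options(raw: bytes) -> list:
    """Parse a TCP options field into (kind, payload) tuples.

    EOL terminates parsing; NOP carries no payload; every other option
    is kind, length, payload. Malformed lengths raise ValueError.
    """
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def proxy_syn_options(client_raw: bytes, all_tcp_mss: int = None,
                      inspected: bool = False) -> bytes:
    """Build the options field of the SYN the proxy sends to the real server.

    Only MSS survives. The value is rewritten to all_tcp_mss when that is
    configured AND the session is inspected (assumption: 'inspected' models
    traffic processed by AV, DI or an ALG). The result is padded with EOL
    to a 32-bit boundary as the TCP data offset requires.
    """
    out = b""
    for kind, payload in parse_tcp_options(client_raw):
        if kind != TCPOPT_MSS:
            continue  # stripped: WSCALE, SACK-permitted, timestamps, NOP, ...
        if len(payload) != 2:
            raise ValueError("MSS option must carry a 2-byte value")
        mss = struct.unpack("!H", payload)[0]
        if all_tcp_mss is not None and inspected:
            mss = all_tcp_mss
        out += struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    while len(out) % 4:
        out += bytes([TCPOPT_EOL])
    return out


def stripped_options(client_raw: bytes) -> list:
    """Names of the client options that will not reach the server."""
    return [OPTION_NAMES.get(kind, "KIND-%d" % kind)
            for kind, _ in parse_tcp_options(client_raw)
            if kind != TCPOPT_MSS]


if __name__ == "__main__":
    print("client options :", CLIENT_SYN_OPTIONS.hex())
    print("proxy SYN       :", proxy_syn_options(CLIENT_SYN_OPTIONS).hex())
    print("proxy SYN, all-tcp-mss 1380 via ALG:",
          proxy_syn_options(CLIENT_SYN_OPTIONS, 1380, inspected=True).hex())
    print("stripped        :", stripped_options(CLIENT_SYN_OPTIONS))
```

Running the block shows the 20-byte client options collapsing to a 4-byte MSS-only field (02 04 05 b4), and to 02 04 05 64 (1380) only when both the all-tcp-mss setting and inspection apply; a client SYN that carried no MSS at all yields an empty options field.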
