
Syslog message: 'alarm-without-drop' for SYN flood occurs when no action is set


Article ID: KB31754   Last Updated: 01 Jun 2017   Version: 1.0

Summary:

According to Juniper documentation, the alarm-without-drop action must be set manually. This article explains why the action in the syslog message may show as 'alarm-without-drop' even though no action was configured.

Symptoms:

For a tcp syn-flood screen, the action in the syslog message is shown as 'alarm-without-drop' even when no action was configured, for example with only thresholds set:

set security screen ids-option screening tcp syn-flood alarm-threshold 4
set security screen ids-option screening tcp syn-flood attack-threshold 2

May  8 07:34:44  SRX-650-1 RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 1.1.1.1, zone name: test, interface name: ge-0/0/3.0, action: alarm-without-drop

Cause:

The SRX uses the SYN cookie or SYN proxy mechanism to handle TCP SYN requests. The SYN cookie or proxy acts as the server toward the client and as the client toward the server.

The following excerpt was taken from the Juniper document, Understanding SYN Cookie Protection:

The cookie or proxy "replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its initial sequence number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, Junos OS drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.

If the initiating host responds with a TCP packet containing the cookie +1 in the TCP ACK field, Junos OS extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, Junos OS starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN. When Junos OS receives a SYN/ACK from the server, it sends ACKs to the server and to the initiating host. At this point the connection is established and the host and server are able to communicate directly."

Solution:

This behavior is by design. The synchronization cookie or proxy never drops packets, so the system log records the action as alarm-without-drop rather than drop.
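The SYN-cookie exchange quoted above (cookie as the SYN/ACK ISN, no stored state, ACK = cookie + 1, validated by subtracting 1 and recomputing) can be traced through in a short model. This is an added example, not Junos OS code: the addresses and ISN are constructed, and the secret key is an assumption the excerpt does not mention but any deployable implementation needs.

```python
import hashlib
import socket
import struct

# Constructed secret (assumption): the excerpt lists only the 4-tuple and ISN
# as hash inputs; keying the hash stops the cookie from being predictable.
SECRET = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn):
    """MD5 over source address/port, destination address/port and the ISN
    of the original SYN, truncated to 32 bits to fit the sequence field."""
    data = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
            + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
            + struct.pack("!I", client_isn) + SECRET)
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]


def handle_syn(src_ip, src_port, dst_ip, dst_port, client_isn):
    """Answer a SYN with a SYN/ACK whose ISN is the cookie. No half-open
    state is kept: the SYN is discarded and the cookie is not remembered."""
    cookie = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn)
    return {"flags": "SA", "seq": cookie, "ack": (client_isn + 1) & MASK32}


def validate_ack(src_ip, src_port, dst_ip, dst_port, seq, ack):
    """Third handshake packet: its seq is client_isn + 1 and its ack must be
    cookie + 1. Recover both, recompute the cookie from the packet fields
    alone, and compare; a session is only created when this succeeds."""
    client_isn = (seq - 1) & MASK32
    expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn)
    return ((ack - 1) & MASK32) == expected


def demo():
    """Constructed handshake against the 1.1.1.1 destination from the log:
    a well-behaved client completes, an ACK without the real cookie fails."""
    client = ("192.0.2.10", 40000, "1.1.1.1", 80, 123456789)
    synack = handle_syn(*client)
    good = validate_ack(*client[:4], seq=synack["ack"],
                        ack=(synack["seq"] + 1) & MASK32)
    bad = validate_ack(*client[:4], seq=synack["ack"],
                       ack=(synack["seq"] + 2) & MASK32)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```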
