
How Does the Juniper Networks Netscreen Device Initially Check for Valid TCP Traffic?


Article ID: KB4373 | Last Updated: 07 Aug 2011 | Version: 5.0
Summary:
How Does the Juniper Networks Netscreen Device Initially Check for Valid TCP Traffic?
Symptoms:

Solution:

ScreenOS checks for valid TCP traffic by inspecting the initial SYN packet of the TCP three-way handshake. Based on the SYN packet received, the ScreenOS firewall (screen) settings and the packet-flow settings applied during stateful inspection determine whether the initiated TCP traffic is an attack or valid TCP traffic. Two controls are involved: the SYN flood protection thresholds in the firewall settings, and the flow option set flow tcp-syn-check, which requires the SYN bit before a session is created. Both are described below.

For example, SYN flood protection in the firewall settings, when enabled, is one form of SYN check. It is used to prevent DoS (SYN flood) attacks against the customer network that the firewall is protecting.

Default firewall settings for syn-attack or syn-flood protection are as follows:

SYN Flood Protection (200): on
Alarm Threshold: 1024
Queue Size: 1024
Timeout Value: 20
Source Threshold: 512
Destination Threshold: 1024
Drop unknown MAC (xparent mode only): off

Basically, this is to prevent a high number of SYN packets (DOS) that try to create sessions through the firewall by dropping them if either one of these thresholds are met.

Also, another way we can control session creation via SYN packet inspection is using the following CLI command:

set flow tcp-syn-check

This command checks the TCP SYN bit before creating a session through the firewall.
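To make the two controls above concrete, the following is an added example (not ScreenOS code and not from Juniper) that models them in Python: a first packet with no matching session may only create one if it is a bare SYN (the tcp-syn-check behaviour), and half-open SYNs are counted per source and per destination inside the timeout window and dropped once the article's default Source Threshold (512) or Destination Threshold (1024) is reached. The packet format, the verdict strings, the simple per-flow counting and the constructed traffic are all assumptions of this model; the real device's SYN proxying, queue size and alarm threshold are not modelled.

```python
"""Toy model of ScreenOS-style SYN inspection (added example, not Juniper code).

Modelled checks:
  * tcp-syn-check: a packet that matches no session may create one only if it
    is a bare SYN (SYN set, ACK clear).
  * SYN flood thresholds: half-open SYNs per source and per destination are
    counted inside the timeout window; a new SYN is dropped once the source
    or destination threshold is reached.
Only the initiator's packets are seen; values below are constructed.
"""
from dataclasses import dataclass, field

SYN = 0x02
ACK = 0x10

# Source/destination thresholds and timeout as listed in the article;
# alarm threshold and queue size are deliberately not modelled.
DEFAULTS = {"source": 512, "destination": 1024, "timeout": 20}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    ts: float  # seconds since start of capture (constructed)


@dataclass
class SynInspector:
    thresholds: dict = field(default_factory=lambda: dict(DEFAULTS))
    syn_check: bool = True                              # set flow tcp-syn-check
    sessions: set = field(default_factory=set)          # completed flows
    half_open: dict = field(default_factory=dict)       # flow -> SYN timestamp

    @staticmethod
    def _flow(p):
        return (p.src, p.sport, p.dst, p.dport)

    def _expire(self, now):
        """Age out half-open entries older than the timeout value."""
        timeout = self.thresholds["timeout"]
        for flow, t in list(self.half_open.items()):
            if now - t > timeout:
                del self.half_open[flow]

    def per_source(self, src):
        return sum(1 for f in self.half_open if f[0] == src)

    def per_destination(self, dst):
        return sum(1 for f in self.half_open if f[2] == dst)

    def inspect(self, p):
        """Verdict for one packet: 'session', 'syn-pending', 'drop-no-syn',
        'drop-source-threshold' or 'drop-destination-threshold'."""
        self._expire(p.ts)
        flow = self._flow(p)
        if flow in self.sessions:
            return "session"
        if flow in self.half_open:
            if p.flags & ACK:
                # Initiator's final ACK completes the handshake.
                del self.half_open[flow]
                self.sessions.add(flow)
                return "session"
            return "syn-pending"
        is_syn = bool(p.flags & SYN) and not (p.flags & ACK)
        if not is_syn:
            if self.syn_check:
                return "drop-no-syn"      # first packet of a flow must be a SYN
            self.sessions.add(flow)       # syn-check off: session from any packet
            return "session"
        if self.per_source(p.src) >= self.thresholds["source"]:
            return "drop-source-threshold"
        if self.per_destination(p.dst) >= self.thresholds["destination"]:
            return "drop-destination-threshold"
        self.half_open[flow] = p.ts
        return "syn-pending"


def demo():
    """Run constructed traffic through the inspector and collect verdicts."""
    insp = SynInspector()
    r = {}
    r["legit_syn"] = insp.inspect(Packet("10.0.0.5", "192.0.2.10", 40000, 80, SYN, 0.0))
    r["legit_ack"] = insp.inspect(Packet("10.0.0.5", "192.0.2.10", 40000, 80, ACK, 0.1))
    # Mid-stream ACK with no session: rejected by tcp-syn-check.
    r["stray_ack"] = insp.inspect(Packet("10.0.0.6", "192.0.2.10", 40001, 80, ACK, 0.2))
    # One source opens 600 half-open flows within a second; 512 allowed, rest dropped.
    verdicts = [insp.inspect(Packet("203.0.113.9", "192.0.2.10", 1024 + i, 80, SYN, 1.0))
                for i in range(600)]
    r["flood_pending"] = verdicts.count("syn-pending")
    r["flood_dropped"] = verdicts.count("drop-source-threshold")
    # After the 20 s timeout the half-open entries age out and a SYN is accepted again.
    r["after_timeout"] = insp.inspect(Packet("203.0.113.9", "192.0.2.10", 5000, 80, SYN, 30.0))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block prints the verdict for each constructed case. The point to take away matches the article: a SYN-only check on the first packet keeps stray or spoofed mid-stream segments from creating sessions, while the per-source and per-destination thresholds bound how many half-open handshakes a flood can hold open before the timeout clears them.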
