[ScreenOS] Understanding SYN-Flood debugs (debug proxy syn-flood)


Article ID: KB21813 KB Last Updated: 19 Jun 2019 Version: 2.0
Summary:

This article provides information about SYN-Flood debugs (debug proxy syn-flood).

Symptoms:

Environment: SYN-Flood protection.

Solution:

The debug proxy syn-flood command can be used to understand how the SYN-Flood proxy protection works.

In the output below, the SYN-Flood threshold is set to 20.

Note: The following output is produced when the proxy is not triggered.

TCP Syn-cookie vector: get TCP packet from interface:ethernet4/2
TCP Proxy: syn check - syn_received: 10.10.10.200/41397 -> 192.168.1.100/80
TCP Proxy: syn check - syn_received: get new entry
increment syn count[ifnum 524352]: get_indx_by_dstip can't find entry in syn_count tbl
syn threshold count 1
attack counter 1
connection counter 0
get_indx_by_dstip FIND entry in syn_count tbl
find syn flag: 1
get_indx_by_dstip FIND entry in syn_count tbl
TCP Proxy: syn flood threshold not reach, let it go <-- threshold not hit

Note: The following output is produced when the proxy is triggered.

TCP Syn-cookie vector: get TCP packet from interface:ethernet4/2
TCP Proxy: syn check - syn_received: 10.10.10.200/41416 -> 192.168.1.100/80
increment syn count[ifnum 524352]: get_indx_by_dstip FIND entry in syn_count tbl
syn threshold count 20
attack counter 20
connection counter 0
get_indx_by_dstip FIND entry in syn_count tbl
find syn flag: 1
get_indx_by_dstip FIND entry in syn_count tbl
TCP Proxy: syn check - syn_received: syn attack threshold reached <-- threshold hit.
get_indx_by_dstip FIND entry in syn_count tbl
TCP Proxy: natp->natflag: 00000008 TCP Proxy: syn_received: 10.10.10.200/41416 -> 192.168.1.100/80
get_indx_by_dstip FIND entry in syn_count tbl
find syn flag: 1
TCP Proxy: syn flood threshold reach flag set
TCP Proxy: syn_received: half open connection to 192.168.1.100 = 1
TCP Proxy: syn_received: send syn ack 192.168.1.100 -> 10.10.10.200 <-- proxied SYN/ACK being sent to the client
tcp mss option: 020405b4
build ip from tcp: size 0
TCP Proxy: natp->natflag: 00000008 TCP Proxy: ack_from_cli: ack received 10.10.10.200/41416 -> 192.168.1.100/80 <-- client replies with ACK to complete 3-way handshake.
## 2011-08-15 22:08:33 : AUTHP:[as_id -1, srcip 10.10.10.200, vid 0, i/f 524352
## 2011-08-15 22:08:33 : : zone:1->2, ugx_name , ugx 0] NOT FOUND
TCP Proxy: ack_from_cli: convert ack to syn, send 192.168.1.1 -> 192.168.1.100 <-- Firewall now opens a connection to the server.
TCP Proxy: link_syn_session : link to syn sent list 10.10.10.200/41416 -> 192.168.1.100/80
TCP Proxy: xlate_packet_2_syn: 192.168.1.100 -> 10.10.10.200
TCP Proxy: natp->natflag: 0000000c TCP Proxy: ack_from_cli: ack received 10.10.10.200/41416 -> 192.168.1.100/80
TCP Proxy: ack_from_cli: auth bit cleared
build ip from tcp: size 0
syn_sent_check: Send SYN to server, pak->out_tunnel 0x0
TCP Proxy: natp->natflag: 0000000c TCP Proxy: syn_ack_received: 192.168.1.100 -> 192.168.1.1 rceived from server
TCP Proxy: syn_ack_received: send ack 192.168.1.100 -> 10.10.10.200
build ip from tcp: size 0
TCP Proxy: syn_ack_received: send ack to server 192.168.1.1 -> 192.168.1.100
build ip from tcp: size 0
## 2011-08-15 22:08:37 : syn_ack_received: clearing natp 0x376d30e0, HALF_OPEN, SYN_SENT, NAT_AUTH
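The following is an added example, not part of the original article or Juniper's tooling: a small Python parser that splits saved debug proxy syn-flood output into one record per inbound SYN and classifies each by the markers shown above. The names parse, verdict, the stage labels and the verdict strings are this example's own, and reading "SYN/ACK sent but no client ACK" as a half-open connection is this example's interpretation.

```python
import re

# Constructed sample: lines abridged from the article's two captures, plus a
# constructed third flow (port 41500) where the client never returns an ACK.
SAMPLE = """\
TCP Syn-cookie vector: get TCP packet from interface:ethernet4/2
TCP Proxy: syn check - syn_received: 10.10.10.200/41397 -> 192.168.1.100/80
syn threshold count 1
TCP Proxy: syn flood threshold not reach, let it go
TCP Syn-cookie vector: get TCP packet from interface:ethernet4/2
TCP Proxy: syn check - syn_received: 10.10.10.200/41416 -> 192.168.1.100/80
syn threshold count 20
TCP Proxy: syn check - syn_received: syn attack threshold reached <-- threshold hit.
TCP Proxy: syn_received: send syn ack 192.168.1.100 -> 10.10.10.200
TCP Proxy: natp->natflag: 00000008 TCP Proxy: ack_from_cli: ack received 10.10.10.200/41416 -> 192.168.1.100/80
TCP Syn-cookie vector: get TCP packet from interface:ethernet4/2
TCP Proxy: syn check - syn_received: 10.10.10.200/41500 -> 192.168.1.100/80
syn threshold count 21
TCP Proxy: syn check - syn_received: syn attack threshold reached
TCP Proxy: syn_received: send syn ack 192.168.1.100 -> 10.10.10.200
"""
START = "TCP Syn-cookie vector: get TCP packet from interface:"
FLOW = re.compile(r"syn check - syn_received: (\S+/\d+) -> (\S+/\d+)")
COUNT = re.compile(r"^syn threshold count (\d+)")
STAGES = {"threshold_hit": "syn attack threshold reached",  # label -> marker
          "synack_to_client": "syn_received: send syn ack",
          "client_acked": "ack_from_cli: ack received"}

def parse(text):
    """Return one record per inbound SYN with the proxy stages seen for it."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()  # drop "<-- ..." annotations
        if line.startswith(START):
            flows.append({"iface": line[len(START):], "count": None, "stages": set()})
        elif flows:
            rec = flows[-1]
            if m := FLOW.search(line):
                rec["src"], rec["dst"] = m.groups()
            if m := COUNT.match(line):
                rec["count"] = int(m.group(1))
            rec["stages"] |= {n for n, mark in STAGES.items() if mark in line}
    return flows

def verdict(rec):
    s = rec["stages"]
    if "threshold_hit" not in s:
        return "passed"  # below threshold: SYN forwarded without proxying
    return "proxied-complete" if "client_acked" in s else "proxied-half-open"
```

A run of proxied-half-open records toward one destination means the firewall is answering SYNs that no client follows up with an ACK.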
Modification History:

2019-06-19: Article reviewed for accuracy. No changes made. Article is correct and complete.
