A few minutes ago we got a 50K pps spoof syn attack
| 185.118.142.254 | 620.41 kbps | 1638 pps | 16.98 mbps | 52975 pps |
And the device reached the maximum sessions and dropped all connection of firewall network 
## Last changed: 2015-08-20 19:23:34 UTC
version 12.1X44-D45.2;
system {
time-zone UTC;
root-authentication {
encrypted-password "$1$OPApHFb4$oB5XfwsEZ4d4Ucxo.G8xM.";
}
name-server {
195.175.39.39;
8.8.8.8;
}
services {
ssh;
telnet;
web-management {
http {
interface [ xe-1/0/0.0 xe-1/0/1.0 ];
}
}
}
syslog {
file messages {
any any;
match RT_Screen;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
}
interfaces {
ge-0/0/0 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/1 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/2 {
gigether-options {
802.3ad ae0;
}
}
ge-0/0/3 {
gigether-options {
802.3ad ae0;
}
}
xe-1/0/0 {
unit 0 {
family inet {
address 37.123.100.122/29;
}
}
}
xe-1/0/1 {
unit 0 {
family inet {
address 10.255.255.1/29;
}
}
}
ae0 {
aggregated-ether-options {
minimum-links 1;
lacp {
active;
periodic fast;
}
}
unit 0 {
family inet {
address 10.32.35.98/30;
}
}
}
}
snmp {
location izmir;
contact "Cahit Eyigunlu";
community SALAY {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 37.123.100.121;
route 185.9.156.0/22 next-hop 10.32.35.97;
route 185.118.140.0/22 next-hop 10.32.35.97;
route 185.90.80.0/22 next-hop 10.32.35.97;
route 178.20.224.0/21 next-hop 10.32.35.97;
route 213.238.170.0/24 next-hop 10.32.35.97;
route 213.238.171.0/24 next-hop 10.32.35.97;
route 213.238.172.0/24 next-hop 10.32.35.97;
route 213.238.173.0/24 next-hop 10.32.35.97;
}
}
security {
alg {
dns disable;
ftp disable;
msrpc disable;
sunrpc disable;
rsh disable;
sql disable;
talk disable;
tftp disable;
pptp disable;
}
flow {
allow-dns-reply;
syn-flood-protection-mode syn-proxy;
aging {
early-ageout 30;
low-watermark 70;
high-watermark 90;
}
tcp-session {
no-syn-check;
tcp-initial-timeout 20;
}
}
screen {
ids-option IcNetwork {
icmp {
ip-sweep threshold 1000;
fragment;
large;
flood threshold 1000;
ping-death;
}
ip {
bad-option;
timestamp-option;
security-option;
stream-option;
loose-source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan threshold 1000;
syn-ack-ack-proxy threshold 256;
land;
winnuke;
}
}
ids-option Protection {
icmp {
ip-sweep threshold 10000;
fragment;
large;
flood threshold 100;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
block-frag;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan threshold 5000;
syn-ack-ack-proxy threshold 10;
syn-flood {
alarm-threshold 512;
attack-threshold 200;
source-threshold 4000;
destination-threshold 4000;
timeout 15;
}
land;
winnuke;
}
udp {
flood threshold 50000;
udp-sweep threshold 5000;
}
limit-session {
source-ip-based 100;
destination-ip-based 20000;
}
}
ids-option untrust-screen {
icmp {
ip-sweep threshold 1000000;
fragment;
large;
flood threshold 5000;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan threshold 1000000;
syn-ack-ack-proxy threshold 10;
syn-flood {
attack-threshold 1500;
source-threshold 200;
destination-threshold 200;
timeout 10;
}
land;
winnuke;
}
udp {
flood threshold 150000;
}
limit-session {
source-ip-based 5000;
}
}
ids-option untrusted-screen {
icmp {
ip-sweep threshold 1000000;
}
tcp {
tcp-sweep threshold 1000000;
}
udp {
udp-sweep threshold 1000000;
}
}
traceoptions {
file screen.log;
flag all;
}
}
policies {
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone trust {
policy icnetwork {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone untrust to-zone untrust {
policy DisNetwork {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
permit-all;
}
policy-rematch;
}
zones {
security-zone trust {
screen IcNetwork;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ae0.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
xe-1/0/0.0;
xe-1/0/1.0;
}
}
}
}