Hello,
Thanks for posting the config.
SPDNet wrote:
A few minutes ago we got a 50K pps spoof syn attack
185.118.142.254 620.41 kbps 1638 pps 16.98 mbps 52975 pps
And the device reached the maximum sessions and dropped all connections of the firewall network
First of all, You are NOT using SYN FLOOD protection with SYN cookie, You are STILL using SYN proxy.
The below is from Your latest config:
flow { syn-flood-protection-mode syn-proxy; <=== MUST BE SYN-COOKIE
Secondly, SYN-FLOOD thresholds are tracked PER SECOND PER SOURCE HOST/PER INDIVIDUAL ATTACKER IP.
syn-flood { alarm-threshold 512; attack-threshold 200; source-threshold 4000; destination-threshold 4000; timeout 15;
This means, if You have a 50Kpps attack coming FROM 1 MILLION UNIQUE ATTACKER IPs, these thresholds are not going to be triggered.
You need to do research on what Your typical attack looks like - You can use Jflow for that - and devise appropriate thresholds for Your specific needs.
Thirdly, the above is described in B. Woodberg & R. Cameron's 2013 book "Juniper SRX Series" - I strongly suggest You get a copy and read it from cover to cover
http://chimera.labs.oreilly.com/books/1234000001633
This will save You countless hours staring at a terminal screen in the middle of the night and posting requests for help on J-Net
HTH
Thx
Alex
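A Junos set-style fragment, added here as an illustration and not taken from Alex's reply or the original poster's config, showing the weak SYN-proxy setting beside the SYN-cookie mode the reply recommends, with the screen thresholds as quoted in the post and the zone binding needed for them to take effect; the ids-option name untrust-screen and the zone name untrust are assumed.

```junos
# Weak setting, as quoted from the original poster's config: SYN proxy mode
set security flow syn-flood-protection-mode syn-proxy

# Corrected setting, as the reply recommends: SYN cookie mode
set security flow syn-flood-protection-mode syn-cookie

# Screen thresholds as quoted in the post; tune them from Jflow data,
# since source/destination thresholds are counted per second per host.
# "untrust-screen" (ids-option name) and "untrust" (zone) are assumed names.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 512
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 4000
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 4000
set security screen ids-option untrust-screen tcp syn-flood timeout 15

# The screen only takes effect once it is bound to a security zone
set security zones security-zone untrust screen untrust-screen
```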