Re: SRX 3K SYN proxy problem

Hello,

Thanks for posting the config.


SPDNet wrote:

A few minutes ago we got a 50K pps spoofed SYN attack:

185.118.142.254    620.41 kbps    1638 pps    16.98 mbps    52975 pps

And the device reached the maximum sessions and dropped all connections of the firewall network :)

First of all, You are NOT using SYN FLOOD protection with SYN cookie; You are STILL using SYN proxy.

The below is from Your latest config:

    flow {
        syn-flood-protection-mode syn-proxy;    <=== MUST BE SYN-COOKIE
    }


Secondly, SYN-FLOOD thresholds are tracked PER SECOND PER SOURCE HOST/PER INDIVIDUAL ATTACKER IP.

    syn-flood {
        alarm-threshold 512;
        attack-threshold 200;
        source-threshold 4000;
        destination-threshold 4000;
        timeout 15;
    }

This means, if You have a 50Kpps attack coming FROM 1 MILLION UNIQUE ATTACKER IPs, these thresholds are not going to be triggered.


You need to do research on how Your typical attack looks - You can use Jflow for that - and devise appropriate thresholds for Your specific needs.

Thirdly, the above is described in B. Woodberg & R. Cameron's 2013 book "Juniper SRX Series" - I strongly suggest You get a copy and read it from cover to cover:

http://chimera.labs.oreilly.com/books/1234000001633

This will save You countless hours staring at a terminal screen in the middle of the night and posting requests for help on J-Net :D

HTH

Thx

Alex
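As an added illustration (not part of Alex's reply, and not Junos code), the constructed Python simulation below models the per-second, per-source accounting the reply describes: the same 50K pps aggregate spread across 50K spoofed sources never approaches a source-threshold of 4000, while 50K pps from one source trips it at once; the baseline helper sketches the Jflow-style sizing step. All trace data, addresses and rates are constructed for the example.

```python
from collections import Counter

# Hypothetical model of the screen "source-threshold" as the thread describes it:
# SYNs are counted per whole second, per individual source IP.

def per_source_per_second(syn_records):
    """syn_records: iterable of (timestamp_seconds, src_ip), one entry per SYN.
    Returns a Counter keyed by (second, src_ip)."""
    counts = Counter()
    for ts, src in syn_records:
        counts[(int(ts), src)] += 1
    return counts

def aggregate_pps(syn_records):
    """Peak SYNs per second across ALL sources (what a flow-collector graph shows)."""
    per_sec = Counter(int(ts) for ts, _src in syn_records)
    return max(per_sec.values()) if per_sec else 0

def peak_source_pps(syn_records):
    """Peak SYNs per second from any SINGLE source (what source-threshold compares)."""
    counts = per_source_per_second(syn_records)
    return max(counts.values()) if counts else 0

def source_threshold_fires(syn_records, threshold):
    return peak_source_pps(syn_records) > threshold

def suggest_source_threshold(baseline_records, headroom=4):
    """Size source-threshold a few multiples above the legitimate per-source peak."""
    return peak_source_pps(baseline_records) * headroom

# --- constructed traces (not real captures or Jflow exports) ---
def distributed_flood(pps, unique_sources, second=0):
    """pps SYNs in one second, spread round-robin over spoofed 10.0.0.0/8 addresses."""
    def spoofed(i):
        return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
    return [(second, spoofed(n % unique_sources)) for n in range(pps)]

def single_source_flood(pps, src="198.51.100.7", second=0):
    return [(second, src)] * pps

def legit_baseline(clients=200, syn_per_client=5, seconds=3):
    """Constructed 'normal' traffic: each client opens syn_per_client connections per second."""
    return [(s, f"192.0.2.{c}") for s in range(seconds)
            for c in range(clients) for _ in range(syn_per_client)]

if __name__ == "__main__":
    threshold = 4000  # the source-threshold from the thread's config
    for name, trace in (("50K pps from 50K sources", distributed_flood(50_000, 50_000)),
                        ("50K pps from 1 source", single_source_flood(50_000))):
        print(f"{name}: aggregate {aggregate_pps(trace)} pps, peak per source "
              f"{peak_source_pps(trace)} pps, fires: {source_threshold_fires(trace, threshold)}")
    print("suggested source-threshold from baseline:", suggest_source_threshold(legit_baseline()))
```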

 

