
Re: SRX 3K SYN proxy problem


We tried a spoofed SYN attack with a simple script; check the results:

root> show security flow session destination-port 81
Flow Sessions on FPC7 PIC0:

Session ID: 140163192, Policy name: default-permit/5, Timeout: 12, Valid
  In: 185.123.101.94/63649 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.123.101.94/63649;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 140331147, Policy name: default-permit/5, Timeout: 4, Valid
  In: 185.123.100.93/28889 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.123.100.93/28889;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 140333747, Policy name: default-permit/5, Timeout: 18, Valid
  In: 185.12.109.123/26453 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.12.109.123/26453;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 140404142, Policy name: default-permit/5, Timeout: 4, Valid
  In: 185.115.40.6/58032 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.115.40.6/58032;tcp, If: ae0.0, Pkts: 0, Bytes: 0
Total sessions: 4

Flow Sessions on FPC11 PIC0:

Session ID: 220520451, Policy name: default-permit/5, Timeout: 14, Valid
  In: 185.123.101.87/42532 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.123.101.87/42532;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 220538024, Policy name: default-permit/5, Timeout: 4, Valid
  In: 195.244.35.0/59052 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 195.244.35.0/59052;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 220538037, Policy name: default-permit/5, Timeout: 4, Valid
  In: 195.244.40.23/22975 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 195.244.40.23/22975;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 220792986, Policy name: default-permit/5, Timeout: 6, Valid
  In: 185.123.101.40/31072 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.123.101.40/31072;tcp, If: ae0.0, Pkts: 0, Bytes: 0

Session ID: 220837418, Policy name: default-permit/5, Timeout: 8, Valid
  In: 185.77.42.46/20490 --> 185.9.157.15/81;tcp, If: xe-1/0/0.0, Pkts: 1, Bytes: 48
  Out: 185.9.157.15/81 --> 185.77.42.46/20490;tcp, If: ae0.0, Pkts: 0, Bytes: 0

 

 

Config (syn-cookie enabled):

 

 

## Last changed: 2015-08-22 17:58:02 UTC
version 12.1X44-D45.2;
system {
    time-zone UTC;
    /* This password hash was published together with the configuration; treat the
       credential as disclosed and rotate it. */
    root-authentication {
        encrypted-password "$1$OPApHFb4$oB5XfwsEZ4d4Ucxo.G8xM.";
    }
    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    /* Cleartext telnet and HTTP management are enabled, and http is bound to
       xe-1/0/0.0 and xe-1/0/1.0, which the zones stanza places in security-zone
       untrust. Combined with host-inbound-traffic system-services all on that zone,
       management is reachable from the internet-facing side; restrict to ssh/https
       on the trust side or add a management filter. */
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface [ xe-1/0/0.0 xe-1/0/1.0 ];
            }
        }
    }
    /* 'any any' with 'match RT_Screen' writes only RT_Screen lines to 'messages',
       so SYN-flood / screen alarms are the only events that reach this file. */
    syslog {
        file messages {
            any any;
            match RT_Screen;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Allows up to two aggregated Ethernet interfaces; only ae0 is defined below. */
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
/* ge-0/0/0..3 are bundled into ae0, which the zones stanza places in security-zone
   trust; xe-1/0/0.0 and xe-1/0/1.0 carry the external addresses and are placed in
   security-zone untrust. */
interfaces {
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/3 {
        gigether-options {
            802.3ad ae0;
        }
    }
    /* Untrust-facing; the default route's next-hop 37.123.100.121 is in this /29. */
    xe-1/0/0 {
        unit 0 {
            family inet {
                address 37.123.100.122/29;
            }
        }
    }
    xe-1/0/1 {
        unit 0 {
            family inet {
                address 10.255.255.1/29;
            }
        }
    }
    /* Trust-facing LAG; the protected prefixes are routed to 10.32.35.97 on this /30. */
    ae0 {
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.32.35.98/30;
            }
        }
    }
}
/* The community string is read-only but was disclosed in this post; rotate it and
   consider restricting it with 'clients' to the management network. */
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    community SALAY {
        authorization read-only;
    }
}
/* Default route exits via xe-1/0/0 (untrust); the customer prefixes below are reached
   through ae0 (trust). 185.9.156.0/22 contains the attacked host 185.9.157.15 seen
   in the flow-session output above. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 37.123.100.121;
        route 185.9.156.0/22 next-hop 10.32.35.97;
        route 185.118.140.0/22 next-hop 10.32.35.97;
        route 185.90.80.0/22 next-hop 10.32.35.97;
        route 178.20.224.0/21 next-hop 10.32.35.97;
        route 213.238.170.0/24 next-hop 10.32.35.97;
        route 213.238.171.0/24 next-hop 10.32.35.97;
        route 213.238.172.0/24 next-hop 10.32.35.97;
        route 213.238.173.0/24 next-hop 10.32.35.97;
    }
}
security {
    alg {
        dns disable;
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        allow-dns-reply;
        /* NOTE(review): syn-cookie is only the protection *mode*. On Junos the SYN
           proxy/cookie engages for a zone once that zone's screen syn-flood
           attack-threshold is crossed; below that rate SYNs create sessions normally.
           The flow output above (In Pkts: 1, Out Pkts: 0 for every session) is
           consistent with the cookie never having engaged -- confirm the observed
           SYN rate against the 1500/s attack-threshold in untrust-screen. */
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 30;
            low-watermark 70;
            high-watermark 90;
        }
        tcp-session {
            /* Drops the requirement that the first packet of a new TCP session be a
               SYN, so handshake state is not enforced on session creation. This is
               typically set for asymmetric routing; if that is not needed here,
               removing it restores first-packet validation. */
            no-syn-check;
            /* Half-open sessions age out after 20 s; the Timeout values of 4-18 in the
               flow output above match sessions created by a lone SYN and counting
               down from this value. */
            tcp-initial-timeout 20;
        }
    }
    screen {
        /* Bound to zone trust. */
        ids-option IcNetwork {
            icmp {
                ip-sweep threshold 1000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                timestamp-option;
                security-option;
                stream-option;
                loose-source-route-option;
                unknown-protocol;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000;
                syn-ack-ack-proxy threshold 256;
                land;
                winnuke;
            }
        }
        /* Not bound to any zone (zones reference only IcNetwork and untrust-screen),
           so its stricter syn-flood thresholds, alarm-threshold, block-frag and
           limit-session settings have no effect. */
        ids-option Protection {
            icmp {
                ip-sweep threshold 10000;
                fragment;
                large;
                flood threshold 100;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 10;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    timeout 15;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 50000;
                udp-sweep threshold 5000;
            }
            limit-session {
                source-ip-based 100;
                destination-ip-based 20000;
            }
        }
        /* Bound to zone untrust, i.e. this is the screen in the path of the attack. */
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 5000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 10;
                /* attack-threshold 1500 is the per-destination SYN/s rate at which
                   proxying starts; no alarm-threshold is set, unlike Protection, so
                   there is no RT_Screen alarm before the proxy engages. NOTE(review):
                   if the test sends fewer than 1500 SYN/s to one destination, the
                   behaviour in the flow output is expected -- confirm the test rate. */
                syn-flood {
                    attack-threshold 1500;
                    source-threshold 200;
                    destination-threshold 200;
                    timeout 10;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 150000;
            }
            limit-session {
                source-ip-based 5000;
            }
        }
        /* Not bound to any zone. */
        ids-option untrusted-screen {
            icmp {
                ip-sweep threshold 1000000;
            }
            tcp {
                tcp-sweep threshold 1000000;
            }
            udp {
                udp-sweep threshold 1000000;
            }
        }
        /* 'flag all' logs every screen event to screen.log and can be costly under a
           flood; keep it for troubleshooting only. */
        traceoptions {
            file screen.log;
            flag all;
        }
    }
    /* Every zone pair permits any/any and default-policy is permit-all, so policy
       never denies anything; the untrust screen is the only control on inbound
       traffic. Tighten the untrust->trust policy to the exposed services. */
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy icnetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy DisNetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
        policy-rematch;
    }
    zones {
        security-zone trust {
            screen IcNetwork;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ae0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* 'all' here lets any system service (including the telnet and http
               management enabled under system services) be reached on the
               internet-facing interfaces; limit this to what is actually needed. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
                xe-1/0/1.0;
            }
        }
    }
}  

 

