Correct, it does not accept new requests, but the older ones which have a session are still able to connect. It seems like syn-cookie is not working correctly and is dropping all packets, or it passes the cookie mode and applies hard limits for SYN.
    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 20;
            low-watermark 90;
            high-watermark 90;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            xe-1/0/1.0;
            xe-1/0/0.0;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 250;
                    attack-threshold 625;
                    source-threshold 25;
                    timeout 10;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 200;
            }
        }
        traceoptions {
            file screen.log;
            flag all;
        }
    }