[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

SYN Flood Protection

JUNOS software with enhanced services can impose a limit on the number of SYN segments permitted to pass through the firewall per second. You can base the attack threshold on the destination address and port, on the destination address only, or on the source address only. When the number of SYN segments per second exceeds one of these thresholds, JUNOS software with enhanced services starts proxying incoming SYN segments: it answers the client with a SYN/ACK segment on behalf of the destination host and stores the incomplete connection request in a connection queue, so the protected host never sees the half-open connection. An incomplete connection request remains in the queue until the client completes the three-way handshake or the request times out. In Figure 46, the SYN attack threshold has been exceeded, and JUNOS software with enhanced services has started proxying SYN segments.

Figure 46: Proxying SYN Segments


In Figure 47, the proxied connection queue has filled completely, and JUNOS software with enhanced services is rejecting new incoming SYN segments. This action shields hosts on the protected network from the bombardment of incomplete three-way handshakes. Note that while the queue is full, legitimate connection attempts that fall under the same exceeded threshold are rejected along with the attack traffic: the protection trades the availability of new connections through the device for the survival of the host behind it.

Figure 47: Rejecting New SYN Segments


The device begins accepting new SYN segments again once entries complete or time out and the number of half-open connections in the proxy queue drops below the maximum queue size.

Note: Proxying incomplete SYN connections above a set threshold applies only to traffic that an existing policy permits. Traffic for which no policy exists is dropped regardless of the threshold state.
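To make the decision sequence concrete, the following Python model is an added example written for this page; it is not JUNOS code and does not reproduce the real implementation. It mirrors the three threshold keys (destination address and port, destination address only, source address only), the half-open connection queue with a timeout, the queue-full rejection of Figure 47, the recovery once entries drain, and the policy check in the note. The parameter names (attack_threshold, destination_threshold, source_threshold, queue_size, timeout), the addresses and the traffic pattern are the example's own constructed assumptions.

```python
"""Toy model of threshold-triggered SYN proxying.

Constructed example for illustration only: not JUNOS code, and the
per-second counting, queue and timeout handling are simplified.
"""
from collections import defaultdict

PASS, PROXY, REJECT, DROP_NO_POLICY = "pass", "proxy", "reject", "drop-no-policy"


class SynFloodScreen:
    def __init__(self, attack_threshold, destination_threshold,
                 source_threshold, queue_size, timeout):
        # Thresholds are SYN segments per second, keyed as the text describes.
        self.attack_threshold = attack_threshold            # (dst addr, dst port)
        self.destination_threshold = destination_threshold  # dst addr only
        self.source_threshold = source_threshold            # src addr only
        self.queue_size = queue_size    # max half-open proxied connections held
        self.timeout = timeout          # seconds a proxied half-open entry lives
        self._second = None             # integer second the counters belong to
        self._counts = defaultdict(int)  # (kind, key) -> SYNs seen this second
        self._queue = {}                # flow tuple -> expiry time

    def _tick(self, t):
        """Per-second counters: reset when the clock enters a new second."""
        sec = int(t)
        if sec != self._second:
            self._second = sec
            self._counts.clear()

    def _expire(self, t):
        """Drop half-open entries whose timeout has passed, freeing queue slots."""
        for flow, expiry in list(self._queue.items()):
            if expiry <= t:
                del self._queue[flow]

    def _over_threshold(self, src, dst, dport):
        """Count this SYN under all three keys; True if any threshold is exceeded."""
        self._counts[("dst_port", (dst, dport))] += 1
        self._counts[("dst", dst)] += 1
        self._counts[("src", src)] += 1
        return (self._counts[("dst_port", (dst, dport))] > self.attack_threshold
                or self._counts[("dst", dst)] > self.destination_threshold
                or self._counts[("src", src)] > self.source_threshold)

    def syn(self, t, src, sport, dst, dport, permitted=True):
        """Decide the fate of one incoming SYN segment arriving at time t."""
        if not permitted:
            return DROP_NO_POLICY  # no policy permits it: dropped, screen never consulted
        self._tick(t)
        self._expire(t)
        if not self._over_threshold(src, dst, dport):
            return PASS            # below every threshold: forwarded to the host
        if len(self._queue) >= self.queue_size:
            return REJECT          # queue full: new SYN rejected (Figure 47)
        # Proxy: answer SYN/ACK ourselves and park the half-open connection (Figure 46)
        self._queue[(src, sport, dst, dport)] = t + self.timeout
        return PROXY

    def client_ack(self, t, src, sport, dst, dport):
        """Client finished the handshake: release its proxied entry."""
        self._expire(t)
        return self._queue.pop((src, sport, dst, dport), None) is not None

    def queued(self):
        return len(self._queue)


def flood_scenario():
    """Constructed flood: one legitimate SYN, then 12 spoofed SYNs to one service."""
    screen = SynFloodScreen(attack_threshold=5, destination_threshold=50,
                            source_threshold=50, queue_size=3, timeout=2.0)
    results = defaultdict(int)
    results[screen.syn(0.0, "198.51.100.7", 40000, "203.0.113.10", 80)] += 1
    for i in range(12):  # distinct spoofed sources, same dst addr:port, same second
        results[screen.syn(0.1 + i * 0.01, f"192.0.2.{i + 1}", 5000 + i,
                           "203.0.113.10", 80)] += 1
    # traffic no policy permits is dropped before the threshold logic runs
    results[screen.syn(0.5, "192.0.2.99", 6000, "203.0.113.10", 23,
                       permitted=False)] += 1
    return dict(results), screen


def recovery_scenario():
    """Flood continues; once queued entries time out, proxying resumes."""
    _, screen = flood_scenario()

    def burst(t0):  # six SYNs in one second: the sixth exceeds attack_threshold=5
        decisions = [screen.syn(t0 + i * 0.01, f"192.0.2.{100 + i}", 8000 + i,
                                "203.0.113.10", 80) for i in range(6)]
        return decisions[-1]

    still_full = burst(1.0)  # entries from second 0 have not timed out yet
    recovered = burst(2.5)   # timeout 2.0 has passed: queue drained, proxying resumes
    acked = screen.client_ack(2.6, "192.0.2.105", 8005, "203.0.113.10", 80)
    return still_full, recovered, acked, screen.queued()


if __name__ == "__main__":
    print(flood_scenario()[0])
    print(recovery_scenario())
```

In the flood scenario the first five SYNs to 203.0.113.10:80 pass, the next three are proxied until the three-slot queue is full, and the remaining five are rejected; the SYN without a matching policy is dropped outright. The recovery scenario shows the sixth SYN of a continuing burst still rejected while the queue holds stale entries, then proxied again once those entries have timed out, and the queue emptying when the proxied client completes its handshake.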

