Example: Enabling SYN Flood Protection for Webservers in the DMZ (CLI)
The following example shows you how to protect four webservers in the DMZ zone from SYN flood attacks originating in the external zone by enabling the SYN flood protection screen option for the external zone.
Note: We recommend that you augment the SYN flood protection that JUNOS Software provides with device-level SYN flood protection on each of the webservers. In this example, the webservers are running UNIX, which also provides some SYN flood defenses, such as adjusting the length of the connection request queue and changing the timeout period for incomplete connection requests.
Figure 75: Device-Level SYN Flood Protection
To configure the SYN flood protection parameters with appropriate values for your network, you must first establish a baseline of typical traffic flows. For one week, you run a sniffer on ethernet3—the interface bound to zone_external—to monitor the number of new TCP connection requests arriving every second for the four webservers in the DMZ zone. Your analysis of the data accumulated from one week of monitoring produces the following statistics:
- Average number of new connection requests per server: 250 per second
- Average peak number of new connection requests per server: 500 per second
Note: A sniffer is a network-analyzing device that captures packets on the network segment to which you attach it. Most sniffers allow you to define filters to collect only the type of traffic that interests you. Later, you can view and evaluate the accumulated information. In this example, you want the sniffer to collect all TCP packets with the SYN flag set arriving at ethernet3 and destined for one of the four webservers in the DMZ. You might want to continue running the sniffer at regular intervals to see if there are traffic patterns based on the time of day, days of the week, the time of month, or the season of the year. For example, in some organizations, traffic might increase dramatically during a critical event. Significant changes probably warrant adjusting the various thresholds.
Based on this information, you set the following SYN flood protection parameters for zone_external as shown in Table 68.
Table 68: SYN Flood Protection Parameters
Parameter | Value | Reason for Each Value |
---|---|---|
Attack Threshold | 625 packets per second (pps) | This is 25% higher than the average peak number of new connection requests per second per server, which is unusual for this network environment. When the number of SYN packets per second for any one of the four webservers exceeds this number, the device begins proxying new connection requests to that server. (In other words, beginning with the 626th SYN packet to the same destination address and port number in one second, the device begins proxying connection requests to that address and port number.) |
Alarm Threshold | 250 pps | When the device proxies 251 new connection requests in one second, it makes an alarm entry in the event log. Because the alarm threshold counts only proxied requests, which the device begins proxying only after the attack threshold is exceeded, the point at which an alarm is raised is effectively somewhat higher than the attack threshold, so you avoid alarm entries for traffic spikes that only slightly exceed the attack threshold. |
Source Threshold | 25 pps | When you set a source threshold, the device tracks the source IP address of SYN packets, regardless of the destination address and port number. (Note that this source-based tracking is separate from the tracking of SYN packets based on destination address and destination port number that constitutes the basic SYN flood protection mechanism.) In the one week of monitoring activity, you observed that no more than 1/25 of new connection requests for all servers came from any one source within a one-second interval. Therefore, connection requests exceeding this threshold are unusual and provide sufficient cause for the device to execute its proxying mechanism. (25 pps is 1/25 of the attack threshold, which is 625 pps.) If the device tracks 25 SYN packets from the same source IP address, beginning with the 26th packet, it rejects all further SYN packets from that source for the remainder of that second and the next second as well. |
Destination Threshold | 0 pps | When you set a destination threshold, the device runs a separate tracking of only the destination IP address, regardless of the destination port number. Because the four webservers only receive HTTP traffic (destination port 80)—no traffic to any other destination port number reaches them—setting a separate destination threshold offers no additional advantage. |
Timeout | 20 seconds | The default value of 20 seconds is a reasonable length of time to hold incomplete connection requests. |
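The following simulation, added here as an illustration and not part of the JUNOS documentation or software, models the per-second counting described in Table 68 (destination-based proxying at the attack threshold, the alarm on proxied requests, and source-based rejection that lasts for the rest of the current second and the next) and derives the attack and source thresholds from the baseline numbers above. The traffic it processes is constructed, and the source labels and the `SynFloodScreen` class are the example's own simplification of the device's behavior.

```python
from collections import Counter

# Thresholds from Table 68; every counter below is per one-second interval.
ATTACK_THRESHOLD = 625   # SYNs/s to one destination addr:port before proxying begins
ALARM_THRESHOLD = 250    # proxied requests/s before an event-log alarm entry is made
SOURCE_THRESHOLD = 25    # SYNs/s from one source before further SYNs are rejected

def thresholds_from_baseline(avg_peak_per_server, headroom=0.25, source_divisor=25):
    """Derive the table's attack and source thresholds from the sniffer baseline."""
    attack = int(avg_peak_per_server * (1 + headroom))
    return {"attack": attack, "source": attack // source_divisor}

class SynFloodScreen:
    """Simplified model (assumption) of the per-second counting the screen option does."""
    def __init__(self):
        self.blocked_until = {}   # src_ip -> last second in which its SYNs are rejected

    def process_second(self, second, syns):
        """syns: iterable of (src_ip, dst_ip, dst_port) arriving during `second`."""
        per_src, per_dst, verdicts = Counter(), Counter(), Counter()
        for src, dst, port in syns:
            if self.blocked_until.get(src, -1) >= second:
                verdicts["reject"] += 1            # still inside the source block window
                continue
            per_src[src] += 1
            if per_src[src] > SOURCE_THRESHOLD:
                # 26th SYN from a source: drop it for the rest of this second and the next
                self.blocked_until[src] = second + 1
                verdicts["reject"] += 1
                continue
            per_dst[(dst, port)] += 1
            # 626th SYN to the same destination addr:port is proxied instead of forwarded
            verdicts["proxy" if per_dst[(dst, port)] > ATTACK_THRESHOLD else "forward"] += 1
        return {"verdicts": dict(verdicts), "alarm": verdicts["proxy"] > ALARM_THRESHOLD}

def demo():
    """Constructed traffic: a distributed burst at ws1, then one noisy source at ws2."""
    screen = SynFloodScreen()
    burst = [(f"src{i}", "1.2.2.10", 80) for i in range(900)]   # 900 distinct sources
    noisy = [("203.0.113.7", "1.2.2.20", 80)] * 40             # one source, 40 SYNs
    return [screen.process_second(0, burst),      # 625 forwarded, 275 proxied, alarm
            screen.process_second(1, noisy),      # 25 forwarded, 15 rejected
            screen.process_second(2, noisy[:5]),  # still blocked during the next second
            screen.process_second(3, noisy[:5])]  # block expired, forwarded again
```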
To configure SYN flood protection parameters:
- Set interfaces:

  ```
  user@host# set interfaces ge-0/0/0 unit 0 family inet address 1.2.2.1/24
  user@host# set interfaces fe-1/0/0 unit 0 family inet address 1.1.1.1/24
  user@host# set security zones security-zone zone_dmz interfaces ge-0/0/0.0
  user@host# set security zones security-zone zone_external interfaces fe-1/0/0.0
  ```

- Define addresses:

  ```
  user@host# set security zones security-zone zone_dmz address-book address ws1 1.2.2.10/32
  user@host# set security zones security-zone zone_dmz address-book address ws2 1.2.2.20/32
  user@host# set security zones security-zone zone_dmz address-book address ws3 1.2.2.30/32
  user@host# set security zones security-zone zone_dmz address-book address ws4 1.2.2.40/32
  user@host# set security zones security-zone zone_dmz address-book address-set web_servers address ws1
  user@host# set security zones security-zone zone_dmz address-book address-set web_servers address ws2
  user@host# set security zones security-zone zone_dmz address-book address-set web_servers address ws3
  user@host# set security zones security-zone zone_dmz address-book address-set web_servers address ws4
  ```

- Configure the policy:

  ```
  user@host# set security policies from-zone zone_external to-zone zone_dmz policy id_1 match source-address any
  user@host# set security policies from-zone zone_external to-zone zone_dmz policy id_1 match destination-address web_servers
  user@host# set security policies from-zone zone_external to-zone zone_dmz policy id_1 match application junos-http
  user@host# set security policies from-zone zone_external to-zone zone_dmz policy id_1 then permit
  ```

- Configure screen options:

  ```
  user@host# set security screen ids-option zone_external-syn-flood tcp syn-flood alarm-threshold 250
  user@host# set security screen ids-option zone_external-syn-flood tcp syn-flood attack-threshold 625
  user@host# set security screen ids-option zone_external-syn-flood tcp syn-flood source-threshold 25
  user@host# set security screen ids-option zone_external-syn-flood tcp syn-flood timeout 20
  user@host# set security zones security-zone zone_external screen zone_external-syn-flood
  ```