Understanding SYN Fragment Protection
IP encapsulates the TCP SYN segment that initiates a TCP connection in an IP packet. Because the purpose of this packet is to initiate a connection and elicit a SYN/ACK segment in response, the SYN segment typically does not contain any data. Because the IP packet is small, there is no legitimate reason for it to be fragmented.
A fragmented SYN packet is anomalous, and, as such, it is suspect. To be cautious, block such unknown elements from entering your protected network. See Figure 69.
Figure 69: SYN Fragments
When you enable the SYN fragment detection screen option, JUNOS Software detects packets when the IP header indicates that the packet has been fragmented and the SYN flag is set in the TCP header. JUNOS Software records the event in the screen counters list for the ingress interface.
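The detection described above, as an added example that is not JUNOS code: it reads the IP fragmentation fields (MF flag and fragment offset) and the TCP SYN flag from a raw IPv4 packet and counts hits the way a per-interface screen counter would. The packets are constructed inline, with zeroed checksums, purely as sample input.

```python
import struct

SYN = 0x02
ACK = 0x10
MF_FLAG = 0x2000          # IP "more fragments" bit
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset

def build_ipv4_tcp(tcp_flags: int, more_fragments: bool = False,
                   frag_offset: int = 0) -> bytes:
    """Construct a minimal IPv4 + TCP header pair (sample input, no payload,
    checksums left at zero). Addresses are RFC 5737 documentation ranges."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                            bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp_header = struct.pack("!HHIIBBHHH",
                             40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip_header + tcp_header

def is_syn_fragment(packet: bytes) -> bool:
    """True when the IP header marks the packet as a fragment (MF set or a
    non-zero offset) and the TCP header carries the SYN flag."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    proto = packet[9]
    fragmented = bool(flags_frag & MF_FLAG) or bool(flags_frag & OFFSET_MASK)
    if proto != 6 or not fragmented:
        return False
    # Only the first fragment (offset 0) carries the TCP header; a later
    # fragment has no TCP flags to read, so it cannot be judged here.
    if (flags_frag & OFFSET_MASK) != 0 or len(packet) < ihl + 14:
        return False
    tcp_flags = packet[ihl + 13]          # flags byte of the TCP header
    return bool(tcp_flags & SYN)

def screen_counter(packets) -> int:
    """Count SYN-fragment hits, as a per-interface screen counter would."""
    return sum(1 for p in packets if is_syn_fragment(p))

if __name__ == "__main__":
    sample = [build_ipv4_tcp(SYN),                        # normal SYN
              build_ipv4_tcp(SYN, more_fragments=True),   # SYN fragment
              build_ipv4_tcp(ACK, more_fragments=True)]   # fragmented data
    print("syn-fragment hits:", screen_counter(sample))
```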
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices