Understanding TCP SYN Checking
By default, JUNOS Software checks for SYN flags in the first packet of a session and rejects any TCP segments with non-SYN flags attempting to initiate a session. You can leave this packet flow as is or change it so that JUNOS Software does not enforce SYN flag checking before creating a session. Figure 61 illustrates packet flow sequences both when SYN flag checking is enabled and when it is disabled.
Figure 61: SYN Flag Checking
When JUNOS Software with SYN flag checking enabled receives a non-SYN TCP segment that does not belong to an existing session, it drops the packet and sends the source host to TCP RST—unless the code bit of the initial non-SYN TCP packet is also RST. In that case, JUNOS Software simply drops the packet.
Not checking for the SYN flag in the first packets offers the following advantages:
- NSRP with Asymmetric Routing—In an active/active NSRP configuration in a dynamic routing environment, a host might send the initial TCP segment with the SYN flag set to one device (Device-A), but the SYN/ACK might be routed to the other device in the cluster (Device-B). If this asymmetric routing occurs after Device-A has synchronized its session with Device-B, all is well. On the other hand, if the SYN/ACK response reaches Device-B before Device-A synchronizes the session and SYN checking is enabled, Device-B rejects the SYN/ACK, and the session cannot be established. With SYN checking disabled, Device-B accepts the SYN/ACK response—even though there is no existing session to which it belongs—and creates a new session table entry for it.
- Uninterrupted Sessions—If you reset the device or
even change a component in the core section of a policy and SYN checking
is enabled, all existing sessions or those sessions to which the policy
change applies are disrupted and must be restarted. Disabling SYN
checking avoids such disruptions to network traffic flows.
Note: A solution to this scenario is to install the device with SYN checking disabled initially. Then, after a few hours—when established sessions are running through the device—enable SYN checking. The core section in a policy contains the following main components: source and destination zones, source and destination addresses, one or more services, and an action.
However, the previous advantages exact the following security sacrifices:
- Reconnaissance Holes—When an initial TCP segment
with a non-SYN flag—such as ACK, URG, RST, FIN—arrives
at a closed port, many operating systems (Windows, for example) respond
with a TCP segment that has the RST flag set. If the port is open,
then the recipient does not generate any response.
By analyzing these responses or lack thereof, an intelligence gatherer can perform reconnaissance on the protected network and also on the JUNOS Software policy set. If a TCP segment is sent with a non-SYN flag set and the policy permits it through, the destination host receiving such a segment might drop it and respond with a TCP segment that has the RST flag set. Such a response informs the perpetrator of the presence of an active host at a specific address and that the targeted port number is closed. The intelligence gatherer also learns that the firewall policy permits access to that port number on that host.
By enabling SYN flag checking, JUNOS Software drops TCP segments without a SYN flag if they do not belong to an existing session. It does not return a TCP RST segment. Consequently, the scanner gets no replies regardless of the policy set or whether the port is open or closed on the targeted host.
- Session Table Floods—If SYN checking is disabled,
an attacker can bypass the JUNOS Software SYN flood protection feature
by flooding a protected network with a barrage of TCP segments that
have non-SYN flags set. Although the targeted hosts drop the packets—and
possibly send TCP RST segments in reply—such a flood can fill
up the session table of the Juniper Networks device. When the session
table is full, the device cannot process new sessions for legitimate
traffic.
By enabling SYN checking and SYN flood protection, you can thwart this kind of attack. Checking that the SYN flag is set on the initial packet in a session forces all new sessions to begin with a TCP segment that has the SYN flag set. SYN flood protection then limits the number of TCP SYN segments per second so that the session table does not become overwhelmed.
If you do not need SYN checking disabled, Juniper Networks strongly recommends that it be enabled (its default state for an initial installation of JUNOS Software). You can enable it with the set flow tcp-syn-check command. With SYN checking enabled, the device rejects TCP segments with non-SYN flags set unless they belong to an established session.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices