SYN Cookie is a stateless SYN proxy mechanism you can use in conjunction with the defenses against a SYN flood attack.
| Before You Begin |
|---|
| For background information, read Understanding SYN Cookie Protection. |
To enable SYN Cookie, set the SYN flood attack threshold using the JUNOS CLI configuration editor:
- user@host# set security screen external-syn-flood tcp syn-flood timeout 20
- user@host# set security zones security-zone external screen external-syn-flood
- user@host# set security flow syn-flood-protection-mode syn-cookie
Note: The SYN Cookie feature can only detect and protect against spoofed SYN flood attacks, thus minimizing the negative impact to hosts that are secured by JUNOS software with enhanced services. If an attacker is using a legitimate IP source address, rather than a spoofed IP source, then the SYN Cookie mechanism does not stop the attack.
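The following is an added illustration of the stateless check behind the note above; it is not JUNOS code and not taken from this page. The HMAC-SHA256 construction, the secret, the 64-second slot and all function names are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # assumption: secret known only to the proxy
SLOT_SECONDS = 64                    # assumption: lifetime granularity of a cookie
MASK = 0xFFFFFFFF

def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Derive the 32-bit SYN-ACK sequence number from the packet itself."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    msg += struct.pack("!HHIQ", src_port, dst_port, client_isn, slot)
    return struct.unpack("!I", hmac.new(SECRET, msg, hashlib.sha256).digest()[:4])[0]

def on_syn(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Answer a SYN without storing anything: the cookie is the SYN-ACK seq."""
    seq = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now // SLOT_SECONDS)
    return {"flags": "SYN-ACK", "seq": seq, "ack": (client_isn + 1) & MASK}

def on_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Accept the final ACK only if it echoes cookie + 1 for a recent slot."""
    client_isn = (seq - 1) & MASK
    slot = now // SLOT_SECONDS
    for s in (slot, slot - 1):       # tolerate one slot rollover
        if s < 0:
            continue
        cookie = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, s)
        if ack == (cookie + 1) & MASK:
            return True
    return False

def demo(now=1_000_000):
    server = ("203.0.113.10", 80)    # constructed documentation addresses
    # Real source: it receives the SYN-ACK and echoes seq + 1.
    synack = on_syn("198.51.100.7", 40000, *server, 12345, now)
    real = on_ack("198.51.100.7", 40000, *server, 12346, (synack["seq"] + 1) & MASK, now + 1)
    # Spoofed source: the SYN-ACK went elsewhere, so the ACK number is a guess.
    spoofed = on_ack("192.0.2.99", 40000, *server, 12346, 0x12345678, now + 1)
    # Real source answering after the cookie has aged out.
    stale = on_ack("198.51.100.7", 40000, *server, 12346, (synack["seq"] + 1) & MASK,
                   now + 3 * SLOT_SECONDS)
    return real, spoofed, stale

if __name__ == "__main__":
    print(demo())
```

Any source that can receive the SYN-ACK passes `on_ack`, which is why the mechanism filters spoofed floods but does not stop a flood sent from legitimate source addresses.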