
Setting Destination-Based Session Limits

In addition to the SYN, UDP, and ICMP flood detection and prevention SCREEN options, setting a destination-based session limit can ensure that JUNOS software with enhanced services allows only an acceptable number of concurrent connection requests—no matter what the source—to reach any one host.

Before You Begin

For background information, read Understanding Session Table Flood Attacks.

In this example, you want to limit the amount of traffic to a Web server at 1.2.2.5. The server is in the DMZ zone. After observing the traffic flow from the external zone to this server for a month, you have determined that the average number of concurrent sessions it receives is 2000. Based on this information, you decide to set the new session limit at 4000 concurrent sessions. Although your observations show that traffic spikes sometimes exceed that limit, you opt for firewall security over occasional server inaccessibility.

To set the destination-session limit, use the JUNOS CLI configuration editor.

user@host# set security screen 4000-limit-session limit-session destination-ip-based 4000
user@host# set security screen 100-limit-session limit-session destination-ip-based 100
user@host# set security zones security-zone external_zone screen 100-limit-session
