A source-based session limit can stem an attack that infects a server and then begins generating massive amounts of traffic from that server.
Before You Begin
For background information, read Understanding Session Table Flood Attacks.
In this example, you want to limit the number of sessions that any one host in the DMZ and zone_a zones can initiate. Because the DMZ zone contains only Web servers, none of which should initiate traffic, you set the source-session limit at the lowest possible value: 1 session. The zone_a zone, on the other hand, contains personal computers, servers, printers, and so on, many of which do initiate traffic, so for zone_a you set the source-session limit maximum to 80 concurrent sessions.
To set these source-session limits, use the JUNOS CLI configuration editor. Each limit is defined as a screen (IDS option) profile and then applied to the zone:
- user@host# set security screen ids-option 1-limit-session limit-session source-ip-based 1
- user@host# set security screen ids-option 80-limit-session limit-session source-ip-based 80
- user@host# set security zones security-zone dmz screen 1-limit-session
- user@host# set security zones security-zone zone_a screen 80-limit-session
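The following is an added illustration, not Juniper's code or part of the original page: a small model of what a source-IP-based session limit does on the data plane. It counts the open sessions each source address holds in a zone, refuses new sessions once that count reaches the zone's limit, and frees a slot when a session closes, which is why the limit is on concurrent sessions rather than on total connections. The zone names and limits (1 for dmz, 80 for zone_a) follow the example above; the addresses and flows are constructed sample traffic.

```python
"""Toy model of a source-IP-based concurrent session limit (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Per-zone source-session limits from the page's example: DMZ Web servers
# should never initiate traffic (1), zone_a hosts legitimately do (80).
ZONE_LIMITS: Dict[str, int] = {"dmz": 1, "zone_a": 80}

# A session is identified by its 4-tuple: (src_ip, src_port, dst_ip, dst_port).
Session = Tuple[str, int, str, int]


@dataclass
class SourceSessionLimiter:
    limits: Dict[str, int]
    # zone -> source IP -> set of open sessions attributed to that source
    open_sessions: Dict[str, Dict[str, Set[Session]]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set))
    )
    dropped: int = 0

    def new_session(self, zone: str, sess: Session) -> bool:
        """Admit a session initiated from `zone`, or drop it when the source
        address already holds the zone's maximum number of open sessions."""
        table = self.open_sessions[zone][sess[0]]
        if sess in table:  # packet for a flow already in the table: not new
            return True
        if len(table) >= self.limits[zone]:
            self.dropped += 1
            return False
        table.add(sess)
        return True

    def close_session(self, zone: str, sess: Session) -> None:
        """Session ended: release its slot so the source can open another."""
        self.open_sessions[zone][sess[0]].discard(sess)


def simulate() -> Dict[str, int]:
    """Replay constructed traffic through the limiter and report what happened."""
    lim = SourceSessionLimiter(ZONE_LIMITS)
    result: Dict[str, int] = {}

    # Constructed: a DMZ Web server (10.1.1.10) starts opening outbound
    # connections, the pattern of a compromised host. Only one is admitted.
    web = "10.1.1.10"
    result["dmz_admitted"] = sum(
        lim.new_session("dmz", (web, 40000 + i, "203.0.113.5", 80)) for i in range(5)
    )

    # Constructed: a zone_a workstation (10.2.2.20) opens 100 sessions;
    # the 81st and later are dropped while 80 remain open.
    pc = "10.2.2.20"
    sessions = [(pc, 50000 + i, "198.51.100.9", 443) for i in range(100)]
    result["zone_a_admitted"] = sum(lim.new_session("zone_a", s) for s in sessions)

    # Twenty sessions finish; the twenty previously rejected flows now fit.
    for s in sessions[:20]:
        lim.close_session("zone_a", s)
    result["zone_a_after_close"] = sum(
        lim.new_session("zone_a", s) for s in sessions[80:]
    )

    result["dropped_total"] = lim.dropped
    return result


if __name__ == "__main__":
    print(simulate())
```

Because the count is per source address, a single infected host is throttled without affecting its neighbours in the same zone; the trade-off is that a legitimate host with many short-lived flows needs the limit set high enough (80 here) that normal traffic never trips it.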