A source-based session limit can stem an attack in which an attacker compromises a server and then uses it to open massive numbers of sessions from that server's address.
Before You Begin

For background information, read Understanding Session Table Flood Attacks.
In this example, you want to limit the number of sessions that any one host in the DMZ and zone_a zones can initiate. Because the DMZ zone contains only Web servers, none of which should initiate traffic, you set the source-session limit for that zone to the lowest possible value: 1 concurrent session. (A limit of 1 also caps any legitimate outbound sessions those servers need, for example DNS lookups or software updates, so confirm that before deploying it.) The zone_a zone, on the other hand, contains personal computers, servers, printers, and so on, many of which do initiate traffic, so for zone_a you set the source-session limit to 80 concurrent sessions.
The limit is defined as a screen (an IDS option) and then applied to each zone; the screen counts concurrent sessions per source IP address on traffic entering the zone, and drops new session attempts from a source that is already at its limit. To set the source-session limits, use the JUNOS CLI configuration editor:
- user@host# set security screen ids-option 1-limit-session limit-session source-ip-based 1
- user@host# set security screen ids-option 80-limit-session limit-session source-ip-based 80
- user@host# set security zones security-zone dmz screen 1-limit-session
- user@host# set security zones security-zone zone_a screen 80-limit-session
- user@host# commit
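The following is an added example, not part of the original page: the configuration that the set commands above produce, shown in Junos hierarchy form, followed by the operational commands used to confirm the screens are in place and to watch the drop counters. The zone names dmz and zone_a are taken from the example; the hierarchy and the show commands are standard Junos syntax.

```junos
# Added example: resulting configuration under [edit security].
# Each ids-option is a named screen; source-ip-based N caps concurrent
# sessions per source IP address for traffic entering the zone the
# screen is bound to.
[edit security]
screen {
    ids-option 1-limit-session {
        limit-session {
            source-ip-based 1;
        }
    }
    ids-option 80-limit-session {
        limit-session {
            source-ip-based 80;
        }
    }
}
zones {
    security-zone dmz {
        screen 1-limit-session;
    }
    security-zone zone_a {
        screen 80-limit-session;
    }
}

# Verification after commit (operational mode):
# confirm the screen definition that is bound to the dmz zone ...
user@host> show security screen ids-option 1-limit-session
# ... and check the per-zone screen counters; the "Source session limit"
# line increments each time a new session is dropped because its source
# address is already at the configured limit.
user@host> show security screen statistics zone dmz
user@host> show security screen statistics zone zone_a
```

Because a screen applies to traffic entering the zone, bind the limit to the zone where the sessions originate, as above, not to the zone they are destined for. A rising Source session limit counter in zone dmz means a Web server is initiating connections, which is either the compromise this limit is meant to contain or a legitimate need (updates, DNS) that the limit of 1 is now blocking; check that before raising the value.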