In addition to the SYN, UDP, and ICMP flood detection and prevention screen options, setting a destination-based session limit can ensure that JUNOS Software allows only an acceptable number of concurrent connection requests—no matter what the source—to reach any one host.
Before You Begin |
|---|
For background information, read Understanding Session Table Flood Attacks. |
In this example, you want to limit the amount of traffic to a Web server at 1.2.2.5. The server is in the DMZ zone. After observing the traffic flow from the external zone to this server for a month, you have determined that the average number of concurrent sessions it receives is 2000. Based on this information, you decide to set the new session limit at 4000 concurrent sessions. Although your observations show that traffic spikes sometimes exceed that limit, you opt for firewall security over occasional server inaccessibility.
To set the destination-session limit, use either J-Web or the CLI configuration editor.
This topic covers:
To configure screens:
To configure zones:
- user@host# set security screen ids-option
4000-limit-session limit-session destination-ip-based 4000
- user@host# set security screen ids-option
100-limit-session limit-session destination-ip-based 100
- user@host# set security zones security-zone
external_zone screen 100-limit-session
