
Enabling SYN Cookie Protection

SYN Cookie is a stateless SYN proxy mechanism you can use in conjunction with the defenses against a SYN flood attack.

Before You Begin

For background information, read Understanding SYN Cookie Protection.

You can use either J-Web or the CLI configuration editor to enable SYN Cookie and set the SYN flood attack threshold.

This topic covers:

  J-Web Configuration
  CLI Configuration

J-Web Configuration

To configure screens:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Screen, click Configure.
  4. Next to Ids option, click Add new entry.
  5. In the Name box, type external-syn-flood.
  6. Next to Tcp, click Configure.
  7. Next to Syn flood box, select the check box and click Configure.
  8. In the Timeout box, type 20 and click OK.
  9. To save and commit the configuration, click Commit.

To configure zones:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type external.
  6. In the Screen box, type external-syn-flood and click OK.
  7. To save and commit the configuration, click Commit.

To configure flow:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Flow, click Configure.
  4. From the Syn flood protection mode choice list, select syn-cookie and click OK.
  5. To save and commit the configuration, click Commit.

CLI Configuration

user@host# set security screen ids-option external-syn-flood tcp syn-flood timeout 20
user@host# set security zones security-zone external screen external-syn-flood
user@host# set security flow syn-flood-protection-mode syn-cookie

Note: The SYN Cookie feature can only detect and protect against spoofed SYN-Flood attacks, thus minimizing the negative impact on hosts that are secured by JUNOS Software. If an attacker is using a legitimate IP source address rather than a spoofed one, the SYN-Cookie mechanism does not stop the attack, because the attacker receives the SYN-ACK and can complete the handshake like any real client.
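The two properties this page relies on, that SYN Cookie is stateless and that it only helps against spoofed sources, are easiest to see in code. The following is an added illustration written for this page; it is not JUNOS code and does not show how the JUNOS implementation encodes its cookies. The field layout (5-bit time tick, 3-bit MSS index, 24-bit keyed MAC), the tick period, the MSS table and the hard-coded secret are all this example's own assumptions, and every address and packet value is constructed.

```python
"""Minimal SYN cookie generator/validator (added example, not JUNOS code).

A SYN proxy using SYN cookies stores nothing when a SYN arrives: everything it
needs to recognise the client's final ACK is folded into the initial sequence
number (ISN) of its own SYN-ACK and protected by a keyed MAC. Field widths,
tick period, MSS table and the secret below are this example's assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret for the example only; a real proxy generates and rotates it.
SECRET = b"example-only-secret"

# Client MSS values the 3-bit field can encode (largest entry <= client MSS wins).
MSS_TABLE = (536, 1220, 1440, 1460)

COUNTER_PERIOD = 64   # seconds per time tick encoded in the cookie
MAX_COOKIE_AGE = 1    # accept the current tick and the previous one


def _tick(now):
    return int(now) // COUNTER_PERIOD


def _mac(src_ip, dst_ip, src_port, dst_port, client_isn, tick, mss_idx):
    """24-bit keyed MAC over the 4-tuple, client ISN, time tick and MSS index."""
    msg = struct.pack(
        "!4s4sHHIQB",
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
        src_port, dst_port, client_isn, tick, mss_idx,
    )
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, client_mss, now):
    """ISN for the proxy's SYN-ACK: 5-bit tick | 3-bit MSS index | 24-bit MAC."""
    tick = _tick(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac(src_ip, dst_ip, src_port, dst_port, client_isn, tick, mss_idx)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, ack_num, now):
    """Validate the handshake's final ACK; return the negotiated MSS or None.

    The client acknowledges our ISN + 1, so the cookie is ack_num - 1.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = _tick(now)
    age = (current - tick_bits) & 0x1F          # ticks elapsed, modulo the 5-bit field
    if age > MAX_COOKIE_AGE or mss_idx >= len(MSS_TABLE):
        return None                             # stale, or not a cookie we could have issued
    expected = _mac(src_ip, dst_ip, src_port, dst_port, client_isn, current - age, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                             # forged, replayed from another 4-tuple, or wrong secret
    return MSS_TABLE[mss_idx]


class StatelessSynProxy:
    """Remembers only completed handshakes; half-open SYNs cost no memory."""

    def __init__(self, server_ip, server_port):
        self.server_ip = server_ip
        self.server_port = server_port
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn, client_mss, now):
        # Answer every SYN with a SYN-ACK whose ISN is the cookie; record nothing.
        return make_cookie(src_ip, self.server_ip, src_port, self.server_port,
                           client_isn, client_mss, now)

    def on_ack(self, src_ip, src_port, client_isn, ack_num, now):
        mss = check_cookie(src_ip, self.server_ip, src_port, self.server_port,
                           client_isn, ack_num, now)
        if mss is None:
            return False
        self.established.add((src_ip, src_port, mss))
        return True


def demo():
    """Spoofed flood creates no state; a real client completes; bad ACKs fail."""
    proxy = StatelessSynProxy("198.51.100.10", 443)
    now = 1_700_000_000
    # Constructed flood of SYNs from spoofed addresses that never see the SYN-ACK.
    for i in range(10_000):
        proxy.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 0x1000 + i, 1460, now)
    half_open_state = len(proxy.established)    # 0: the flood left nothing behind
    # A client that really owns its address receives the SYN-ACK and answers it.
    isn = proxy.on_syn("192.0.2.7", 51000, 7, 1460, now)
    good_ack = (isn + 1) & 0xFFFFFFFF
    accepted = proxy.on_ack("192.0.2.7", 51000, 7, good_ack, now + 1)
    # The same ACK from another port, and the same ACK three ticks later, are rejected.
    wrong_tuple = proxy.on_ack("192.0.2.7", 51001, 7, good_ack, now + 1)
    too_old = proxy.on_ack("192.0.2.7", 51000, 7, good_ack, now + 3 * COUNTER_PERIOD)
    return half_open_state, accepted, wrong_tuple, too_old


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the tuple it returns: ten thousand spoofed SYNs leave the proxy with zero entries, while the one client that actually received its SYN-ACK gets through. That is exactly the limit the note above describes: the cookie proves only that the ACK came from whoever received the SYN-ACK, so a flood from a real, unspoofed source is indistinguishable from legitimate clients and has to be handled by the threshold-based SYN flood defenses rather than by the cookie.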
