Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All
Configuring TCP SYN-FIN Attack Screen
This topic describes how to configure detection of a TCP SYN-FIN attack.
A TCP header with the SYN and FIN flags set is anomalous TCP behavior causing various responses from the recipient, depending on the OS. Blocking packets with SYN and FIN flags helps prevent the OS system probes.
To enable detection of TCP SYN-FIN bits:
- Configure interfaces and assign an IP address to interfaces.user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones trustZone and untrustZone and assign interfaces
to them.user@host# set security zones security-zone trustZone host-inbound-traffic system-services alluser@host# set security zones security-zone trustZone host-inbound-traffic protocols alluser@host# set security zones security-zone trustZone interfaces ge-0/0/1.0user@host# set security zones security-zone untrustZone host-inbound-traffic system-services alluser@host# set security zones security-zone untrustZone host-inbound-traffic protocols alluser@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from untrustZone to trustZone.user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set security policies default-policy deny-all
- Configure security screens and attach them to untrustZone.user@host# set security screen ids-option untrustScreen tcp syn-finuser@host# set security zones security-zone untrustZone screen untrustScreenuser@host# set security screen ids-option untrustScreen alarm-without-drop
- Configure syslog.user@host# set system syslog file syslog any anyuser@host# set system syslog file syslog archive size 10000000user@host# set system syslog file syslog explicit-priorityuser@host# set system syslog file syslog structured-datauser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- Commit the configuration.user@host# commit