Configuring Junos OS to Enable the Router or Switch to Drop Packets with the SYN and FIN Bits Set

 

By default, the router or switch accepts packets that have both the SYN and FIN bits set in the TCP flag. You can configure the router or switch to drop packets with both the SYN and FIN bits set. Accepting packets with the SYN and FIN bits set can result in security vulnerabilities, such as denial-of-service attacks. To configure the router or switch to drop such packets, include the tcp-drop-synfin-set statement at the [edit system internet-options] hierarchy level: