Configure TCP Options
Security for TCP Headers with SYN and FIN Flags Set
By default, your device accepts packets that have both the SYN and FIN bits set in the TCP flag. Configure your device to drop packets with both the SYN and FIN bits set to reduce security vulnerabilities.
Both the SYN and FIN control flags are not normally set in the same TCP segment header. The SYN flag synchronizes sequence numbers to initiate a TCP connection. The FIN flag indicates the end of data transmission to finish a TCP connection. Their purposes are mutually exclusive. A TCP header with the SYN and FIN flags set is anomalous TCP behavior, causing various responses from the recipient, depending on the OS. See Figure 1.
An attacker can send a segment with both flags set to see what kind of system reply is returned and thereby determine what kind of OS is on the receiving end. The attacker can then use any known system vulnerabilities for further attacks. When you enable the tcp-drop-synfin-set statement, Junos OS checks if the SYN and FIN flags are set in TCP headers. If it discovers such a header, it drops the packet.
[edit system internet-options] tcp-drop-synfin-set;
Disable TCP RFC 1323 Extensions
To disable RFC 1323 TCP extensions, include the no-tcp-rfc1323 statement at the [edit system internet-options] hierarchy level:
To disable the Protection Against Wrapped Sequence (PAWS) number extension (described in RFC 1323, TCP Extensions for High Performance), include the no-tcp-rfc1323-paws statement at the [edit system internet-options] hierarchy level:
Configure TCP MSS for Session Negotiation
During session connection establishment, two peers agree in negotiations to determine the IP segment size of packets that they will exchange during their communication. The TCP MSS (maximum segment size) value in TCP SYN packets specifies the maximum number of bytes that a TCP packet’s data field, or segment, can contain. An MSS value that is set too high can result in an IP datagram that is too large to send and that must be fragmented. Fragmentation can incur additional overhead cost and packet loss.
To diminish the likelihood of fragmentation and to protect against packet loss, you can use the tcp-mss statement to specify a lower TCP MSS value. The tcp-mss statement applies to all IPv4 TCP SYN packets traversing all the router’s ingress interfaces whose MSS value is higher than the one you specify. You cannot exempt particular ports from its effects.
The following section describes how to configure TCP MSS on T Series, M Series, and MX Series routers.
Configuring TCP MSS on T Series and M Series Routers, and MX Series Routers Using a Service Card
To specify a TCP MSS value on T Series and M Series routers as well as MX Series routers using a service card, include the tcp-mss mss-value statement at the [edit services service-set service-set-name] hierarchy level:
[edit services service-set service-set-name] tcp-mss mss-value;
The range of the tcp-mss mss-value parameter is from 536 through 65535 bytes.
Add the service set to any interface for which you want to adjust the TCP-MSS value:
[edit interfaces interface-name unit 0 family family service] input service-set service-set-name; output service-set service-set-name;
To view statistics of SYN packets received and SYN packets whose MSS value is modified, issue the show services service-sets statistics tcp-mss operational mode command.
For further information about configuring TCP MSS on T Series and M Series routers, see the Junos OS Services Interfaces Library for Routing Devices.
Configuring TCP MSS Inline on MX Series Routers Using MPC Line Cards
To specify a TCP MSS value on MX Series routers that use MPC line cards, include the tcp-mss statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level:
[edit interfaces interface-name unit logical-unit-number family family] tcp-mss mss-value;
The range of the mss-value parameter is from 64 through 65,535 bytes. The TCP MSS value must be lower than the MTU of the interface.
This statement is supported on the following interfaces: gr- (GRE), ge- (Gigabit Ethernet), xe- (10-Gigabit Ethernet), and et- (40-Gigabit and 100-Gigabit Ethernet). Families supported are inet and inet6.
Configuring TCP MSS inline on MX Series routers using MPC line cards works only for traffic exiting/egressing the interface, not traffic entering/ingressing the interface.
Select a Fixed Source Address for Locally Generated TCP/IP Packets
Locally generated IP packets are the packets that are produced by applications running on the Routing Engine. Junos OS chooses a source address for these packets so that the application peers can respond. It also enables you to specify the source address on a per application basis. To serve this purpose, the Telnet CLI command contains the source-address argument.
This section introduces the default-address-selection statement:
[edit system] default-address-selection;
If you specifically choose the source address, as in the case of Telnet, default-address-selection does not influence the source address selection. The source address becomes the one that is specified with the source-address argument (provided the address is a valid address specified on the interface of a router). If the source address is not specified or if the specified address is invalid, default-address-selection influences the default source address selection.
If the source address is not explicitly specified as in the case of Telnet, then by default (when default-address-selection is not specified) the source address chosen for locally generated IP packets is the IP address of the outgoing interface. This indicates that depending on the chosen outgoing interface, the source address might be different for different invocations of a given application.
If the interface is unnumbered (no IP address is specified on an interface), Junos OS uses a predictable algorithm to determine the default source address. If default-address-selection is specified, Junos OS uses the algorithm to choose the source address irrespective of whether the outgoing interface is numbered. This indicates that with default-address-selection, you can influence Junos OS to provide the same source address in locally generated IP packets regardless of the outgoing interface.
The behavior of source address selection by Junos OS can be summed up as shown in the following table:
Table 1: Source Address Selection
When default-address-selection Is Specified
When default-address-selection Is Not Specified
Use IP address of outgoing interface
See Configuring Default, Primary, and Preferred Addresses and Interfaces for more information about the default address source selection algorithm.
For IP packets sent by IP routing protocols (including OSPF, RIP, RSVP, and the multicast protocols, but not including IS-IS), the local address selection is often constrained by the protocol specification so that the protocol operates correctly. When this constraint exists in the routing protocol, the packet's source address is unaffected by the presence of the default-address-selection statement in the configuration. For protocols in which the local address is unconstrained by the protocol specification like IBGP and multihop EBGP, if you do not configure a specific local address when configuring the protocol, the local address is chosen using the same method as other locally generated IP packets.