In addition to limiting the number of concurrent sessions from the same source IP address, you can also limit the number of concurrent sessions to the same destination IP address. A wily attacker can launch a distributed denial-of-service (DDoS) attack. In a DDoS attack, the malicious traffic can come from hundreds of hosts, known as “zombie agents,” that are surreptitiously under the control of an attacker. In addition to the SYN, UDP, and ICMP flood detection and prevention screen options, setting a destination-based session limit can ensure that JUNOS software allows only an acceptable number of concurrent connection requests, no matter what the source, to reach any one host. See Figure 28.
Figure 28: Distributed DOS Attack

The default maximum for destination-based session limits is 128 concurrent sessions, a value that might need adjustment to suit the needs of your network environment and the platform.
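
The following added example is a simplified model, not JUNOS code, of why a source-based limit alone does not contain a distributed attack while a destination-based limit does. The `SessionTable` class, the `simulate` helper, the addresses, the zombie counts, and the source limit of 128 are constructed for illustration; only the destination limit of 128 comes from the text above.

```python
import ipaddress
from collections import Counter


class SessionTable:
    """Toy model of per-source and per-destination concurrent session limits."""

    def __init__(self, src_limit=None, dst_limit=None):
        self.src_limit = src_limit      # None means "no limit configured"
        self.dst_limit = dst_limit
        self.by_src = Counter()         # concurrent sessions per source IP
        self.by_dst = Counter()         # concurrent sessions per destination IP

    def open(self, src, dst):
        """Return True if the new session is admitted, False if it is dropped."""
        if self.src_limit is not None and self.by_src[src] >= self.src_limit:
            return False
        if self.dst_limit is not None and self.by_dst[dst] >= self.dst_limit:
            return False
        self.by_src[src] += 1
        self.by_dst[dst] += 1
        return True

    def close(self, src, dst):
        """Release one session so its slot can be reused."""
        self.by_src[src] -= 1
        self.by_dst[dst] -= 1


def simulate(table, zombies=300, per_zombie=2, victim="192.0.2.10"):
    """Constructed DDoS traffic: many sources, a few sessions each, one victim.

    Returns the number of sessions admitted toward the victim.
    """
    first = ipaddress.ip_address("198.18.0.1")   # constructed zombie range
    admitted = 0
    for i in range(zombies):
        src = str(first + i)
        for _ in range(per_zombie):
            admitted += table.open(src, victim)
    return admitted


if __name__ == "__main__":
    # Every zombie stays far below the source limit, so nothing is dropped.
    print("source limit only:", simulate(SessionTable(src_limit=128)))
    # The destination limit caps sessions to the victim regardless of source.
    print("with destination limit:",
          simulate(SessionTable(src_limit=128, dst_limit=128)))
```

While the destination limit is reached, new sessions from legitimate sources to that host are dropped as well, which is one reason the value may need tuning for busy servers.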