Understanding Flood Prevention Stateless Firewall Filters
You can create stateless firewall filters that limit certain TCP and ICMP traffic destined for the Routing Engine. A router without this kind of protection is vulnerable to TCP and ICMP flood attacks—also called denial-of-service (DoS) attacks. For example:
- A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in denial of service.
- An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in denial of service.
Applying the appropriate firewall filters to the Routing Engine protects against these types of attacks.
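A filter of this kind, as an added example that is not taken from the original page: it polices TCP connection-control packets and common ICMP types, then applies the filter to the loopback interface so that it covers traffic destined for the Routing Engine. The filter and policer names and the rate limits are assumptions chosen for illustration.

```junos
# Policers: constructed limits, tune to the device's normal control-plane load
set firewall policer tcp-connection-policer filter-specific
set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 1m
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-policer filter-specific
set firewall policer icmp-policer if-exceeding bandwidth-limit 1m
set firewall policer icmp-policer if-exceeding burst-size-limit 15k
set firewall policer icmp-policer then discard

# Rate-limit TCP connection setup and teardown (SYN without ACK, FIN, RST).
# "protocol tcp" is required: tcp-flags alone does not check the IP protocol.
set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp
set firewall family inet filter protect-RE term tcp-connection-term from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer
set firewall family inet filter protect-RE term tcp-connection-term then accept

# Rate-limit the ICMP types the Routing Engine normally needs to see
set firewall family inet filter protect-RE term icmp-term from protocol icmp
set firewall family inet filter protect-RE term icmp-term from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
set firewall family inet filter protect-RE term icmp-term then accept

# A stateless filter ends with an implicit discard. Without a final accept term,
# established TCP sessions, routing protocols and management traffic to the
# Routing Engine would be dropped once the filter is applied.
set firewall family inet filter protect-RE term default-term then accept

# An input filter on lo0 is evaluated for traffic destined for the Routing Engine
set interfaces lo0 unit 0 family inet filter input protect-RE
```

The final accept-all term keeps this example short; a production filter would normally replace it with terms that accept only the specific protocols and sources the Routing Engine should serve. Using `commit confirmed` when first applying an lo0 filter lets the device roll back automatically if the filter cuts off management access.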
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Example: Blocking TCP Connections to a Certain Port Except from BGP Peers in the Junos Policy Framework Configuration Guide
- Example: Accepting Packets with Specific IPv6 TCP Flags in the Junos Policy Framework Configuration Guide
- Example: Defining a Policer for a Destination Class in the Junos Policy Framework Configuration Guide