Configuring TCP SYN and RST Attack Screen
This topic describes how to configure TCP packet when the SYN and RST flags are set.
To enable detection of a TCP SYN and RST attack:
- Configure interfaces and assign an IP address to interfaces.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones
trustZone
theuntrustZone
and assign interfaces to them.[edit] user@host# set security zones security-zone trustZone host-inbound-traffic system-services all user@host# set security zones security-zone trustZone host-inbound-traffic protocols all user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure the IDP custom-attack signatures.
[edit] user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match application default user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks syn_rst user@host# set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action user@host# set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks user@host# set security idp active-policy idpengine user@host# set security idp custom-attack syn_rst severity info user@host# set security idp custom-attack syn_rst attack-type signature context packet user@host# set security idp custom-attack syn_rst attack-type signature pattern user@host# set security idp custom-attack syn_rst attack-type signature direction any user@host# set security idp custom-attack syn_rst attack-type signature protocol tcp tcp-flags rst user@host# set security idp custom-attack syn_rst attack-type signature protocol tcp tcp-flags syn
- Configure security policies from
untrustZone
totrustZone
.[edit] user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit application-services idp user@host# set security policies default-policy deny-all
- Configure security
tcp-session
option in flow.[edit] user@host# set security flow tcp-session no-syn-check user@host# set security flow tcp-session no-sequence-check
- Configure syslog.
[edit] user@host# set system syslog file syslog any any user@host# set system syslog file syslog archive size 10000000 user@host# set system syslog file syslog explicit-priority user@host# set system syslog file syslog structured-data user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- To allow the traffic to reach the destination, configure
the
tcp-session
option.[edit] user@host# set security flow tcp-session relax-check
- Commit the configuration.
[edit] user@host# commit