This topic describes how to configure detection of a TCP SYN flood attack.
The TOE (Target of Evaluation) can be configured to drop connection attempts after a defined number of half-open
TCP connections using the screen ‘tcp syn-flood’, which provides both source and
destination thresholds on the number of uncompleted TCP connections, as well as a
timeout period. The source threshold option allows administrators to specify the number
of SYN segments received per second from a single source IP address—regardless of the
destination IP address—before the TOE begins dropping connection requests from that
source. The TCP half-open connection configuration is disabled by default unless
explicitly set with a threshold value.
Similarly, the destination threshold option allows the Administrator to specify the
number of SYN segments received per second for a single destination IP address before
the TOE begins dropping connection requests to that destination. The timeout option
allows administrators to set the maximum length of time before an uncompleted connection
is dropped from the queue.
A SYN flood occurs when a host is so overwhelmed by SYN segments
initiating incomplete connection requests that it can no longer process
legitimate connection requests.
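The following Python model illustrates the three controls described above (source threshold, destination threshold, and half-open timeout) working together. It is an added example written for this topic, not Junos code and not the TOE's implementation; the per-second counting window, the "drop once the count exceeds the threshold" rule, the 20-second default timeout, and all addresses and traffic are assumptions constructed for the illustration.

```python
from collections import defaultdict


class SynFloodScreen:
    """Simplified model of a 'tcp syn-flood' style screen.

    source_threshold / destination_threshold: SYN segments per second from one
    source IP (any destination) / to one destination IP before further SYNs are
    dropped. None means the threshold is not configured, i.e. disabled, as the
    topic states for the default. timeout: seconds a half-open connection may
    sit in the queue before it is dropped. (Assumed semantics for this example.)
    """

    def __init__(self, source_threshold=None, destination_threshold=None, timeout=20.0):
        self.source_threshold = source_threshold
        self.destination_threshold = destination_threshold
        self.timeout = timeout
        self.half_open = {}                    # (src, dst, sport, dport) -> time SYN seen
        self._src_counts = defaultdict(int)    # SYNs per source in the current second
        self._dst_counts = defaultdict(int)    # SYNs per destination in the current second
        self._window_second = None
        self.dropped = 0

    def _rotate(self, now):
        # Reset the per-second counters when the clock moves to a new second.
        second = int(now)
        if second != self._window_second:
            self._window_second = second
            self._src_counts.clear()
            self._dst_counts.clear()

    def syn(self, now, src, dst, sport, dport):
        """Decide 'accept' or 'drop' for a SYN segment seen at time `now`."""
        self.expire(now)
        self._rotate(now)
        self._src_counts[src] += 1
        self._dst_counts[dst] += 1
        if self.source_threshold is not None and self._src_counts[src] > self.source_threshold:
            self.dropped += 1
            return "drop"
        if self.destination_threshold is not None and self._dst_counts[dst] > self.destination_threshold:
            self.dropped += 1
            return "drop"
        self.half_open[(src, dst, sport, dport)] = now   # queue the uncompleted connection
        return "accept"

    def ack(self, src, dst, sport, dport):
        """Final ACK of the handshake: the connection is no longer half-open."""
        return self.half_open.pop((src, dst, sport, dport), None) is not None

    def expire(self, now):
        """Drop queued half-open connections older than the timeout; return how many."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def simulate():
    """Constructed scenario: one source sends 8 SYNs in one second against a
    source threshold of 5, while a legitimate client completes its handshake."""
    screen = SynFloodScreen(source_threshold=5, destination_threshold=100, timeout=20.0)
    # Constructed addresses (documentation ranges), not taken from any real network.
    results = [screen.syn(0.1 * i, "203.0.113.7", "192.0.2.10", 40000 + i, 80) for i in range(8)]
    screen.syn(0.9, "198.51.100.20", "192.0.2.10", 51000, 80)
    screen.ack("198.51.100.20", "192.0.2.10", 51000, 80)      # handshake completed
    expired = screen.expire(25.0)                              # flood entries age out
    return results, expired, len(screen.half_open)


if __name__ == "__main__":
    results, expired, remaining = simulate()
    print("decisions:", results)            # first 5 accepted, the next 3 dropped
    print("expired half-open entries:", expired, "remaining:", remaining)
```

The legitimate client is unaffected by the source threshold because counting is per source IP, and its entry leaves the half-open queue as soon as the handshake completes; the flood source's accepted SYNs occupy queue slots only until the timeout removes them.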
To enable detection of a TCP SYN flood attack:
- Configure interfaces and assign an IP address to each interface.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones trustZone and untrustZone and assign interfaces to them.
[edit]
user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from untrustZone to trustZone.
[edit]
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all
- Configure security screens and attach them to untrustZone.
[edit]
user@host# set security screen ids-option untrustScreen tcp syn-flood
user@host# set security zones security-zone untrustZone screen untrustScreen
- Configure syslog, and log session initiation and close events for policy1.
[edit]
user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- Commit the configuration.