Configuring TCP SYN and RST Attack Screen
This topic describes how to configure a screen that detects TCP packets in which both the SYN and RST flags are set.
The TCP SYN and RST attack screen is configured slightly differently from other attack screens: it is built from an IDP custom-attack signature that matches on the TCP flags. A full description of the procedure follows.
- Configure the interfaces and assign an IP address to each.
```
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
```
- Configure the security zones trustZone and untrustZone and assign the interfaces to them.
```
[edit]
user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
```
- Configure the IDP policy and the custom-attack signature syn_rst, which matches TCP packets with the SYN and RST flags set. The rule takes no action on a match and only logs the attack.
```
[edit]
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match application default
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks syn_rst
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host# set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
user@host# set security idp active-policy idpengine
user@host# set security idp custom-attack syn_rst severity info
user@host# set security idp custom-attack syn_rst attack-type signature context packet
user@host# set security idp custom-attack syn_rst attack-type signature pattern
user@host# set security idp custom-attack syn_rst attack-type signature direction any
user@host# set security idp custom-attack syn_rst attack-type signature protocol tcp tcp-flags rst
user@host# set security idp custom-attack syn_rst attack-type signature protocol tcp tcp-flags syn
```
- Configure a security policy from untrustZone to trustZone that permits the traffic and applies IDP to it.
```
[edit]
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit application-services idp
user@host# set security policies default-policy deny-all
```
- Configure the tcp-session options under security flow.
```
[edit]
user@host# set security flow tcp-session no-syn-check
user@host# set security flow tcp-session no-sequence-check
```
- Configure syslog, and enable session logging on the security policy.
```
[edit]
user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
```
- To allow the traffic to reach the destination, configure the relax-check tcp-session option.
```
[edit]
user@host# set security flow tcp-session relax-check
```
- Commit the configuration.
```
[edit]
user@host# commit
```
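The syn_rst custom attack above matches a TCP segment whose SYN and RST flags are both set. As an added example (not Junos or Juniper code), the following stand-alone Python applies the same test to raw IPv4/TCP packets; the packets are constructed here, with addresses chosen from the untrustZone and trustZone networks configured above.

```python
# Added example (not Junos code): the same check the syn_rst signature
# performs, SYN and RST both set, applied to raw IPv4/TCP packet bytes.
import struct

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(packet) < ihl + 20:
        return None  # not IPv4, not TCP, or truncated TCP header
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    flags = off_flags & 0x01FF  # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    return (".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, flags)

def is_syn_rst(flags: int) -> bool:
    """True when SYN and RST are both set, the combination the signature matches."""
    return flags & (TCP_SYN | TCP_RST) == (TCP_SYN | TCP_RST)

def find_syn_rst(packets):
    """Describe every packet in `packets` that the syn_rst signature would log."""
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and is_syn_rst(parsed[4]):
            src, dst, sport, dport, flags = parsed
            hits.append(f"{src}:{sport} -> {dst}:{dport} flags=0x{flags:03x}")
    return hits

def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed IPv4 + TCP headers with no payload (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp

# Constructed sample traffic from the untrustZone network to the trustZone network.
SAMPLE_PACKETS = [
    build_packet("198.51.100.10", "192.0.2.20", 40000, 80, TCP_SYN),             # normal SYN
    build_packet("198.51.100.10", "192.0.2.20", 40001, 80, TCP_SYN | TCP_RST),   # SYN+RST: logged
    build_packet("198.51.100.10", "192.0.2.20", 40002, 443, TCP_RST | TCP_ACK),  # ordinary RST/ACK
]
```

Only the second sample packet is reported; a plain SYN or a RST/ACK does not satisfy the signature, which needs both flags in one segment.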