Configuring the TCP SYN cookie

Overview

SYN cookie is a stateless SYN proxy mechanism: the device answers a SYN with a SYN-ACK whose sequence number encodes the connection details instead of allocating a half-open connection entry, so a flood of SYNs that never complete the handshake does not exhaust connection state. You can use it in conjunction with other defenses against a SYN flood attack. This example shows how to configure the TCP SYN cookie.
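The following Python script is an added illustration of the stateless mechanism described above; it is not Juniper code and does not reproduce the MX-SPC3 implementation. It shows why a SYN cookie configuration carries an MSS value (the cookie has only a few spare bits, so the MSS is stored as an index into a small table) and models a rate trigger that switches to cookie mode above a SYN-per-second threshold. The cookie bit layout, the MSS table, the secret, the 4-tuple and the trigger model are all constructed assumptions for the demo, not the platform's actual threshold-rate or threshold-num semantics.

```python
import hmac
import hashlib

# Illustrative MSS table (constructed, not the platform's own): a SYN cookie has
# only a few spare bits, so the proxy stores an index into a small table rather
# than the raw MSS the client advertised.
MSS_TABLE = (64, 200, 536, 1460)

# Per-device secret, constructed for the demo; a real implementation rotates it.
SECRET = b"constructed-demo-secret"

COUNTER_BITS = 5                           # assumed cookie layout: 5-bit time counter,
MSS_BITS = 2                               # 2-bit MSS index,
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS    # and a 25-bit keyed hash
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(saddr, sport, daddr, dport, counter, mss_idx):
    """Keyed hash binding the cookie to the 4-tuple, time counter and MSS index."""
    msg = f"{saddr}:{sport}->{daddr}:{dport}|{counter}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, client_mss, counter):
    """Build the ISN for the SYN-ACK. Nothing is stored for the half-open connection."""
    idx = mss_index(client_mss)
    mac = _mac(saddr, sport, daddr, dport, counter, idx)
    counter_low = counter & ((1 << COUNTER_BITS) - 1)
    return (counter_low << (MSS_BITS + MAC_BITS)) | (idx << MAC_BITS) | mac


def check_cookie(saddr, sport, daddr, dport, ack, now_counter, max_age=4):
    """Validate the client's ACK; return the negotiated MSS, or None if invalid or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    ctr_low = cookie >> (MSS_BITS + MAC_BITS)
    idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    given = (cookie & MAC_MASK).to_bytes(4, "big")
    # Try each recent counter value whose low bits match; anything older is rejected,
    # which bounds how long a captured cookie stays usable.
    for age in range(max_age + 1):
        c = now_counter - age
        if c < 0:
            break
        if (c & ((1 << COUNTER_BITS) - 1)) != ctr_low:
            continue
        expected = _mac(saddr, sport, daddr, dport, c, idx).to_bytes(4, "big")
        if hmac.compare_digest(given, expected):
            return MSS_TABLE[idx]
    return None


class SynRateGuard:
    """Assumed model of a rate trigger: report cookie mode once more SYNs than
    threshold_rate arrive within one second. A simplification for the demo, not
    a description of the platform's threshold-rate semantics."""

    def __init__(self, threshold_rate):
        self.threshold_rate = threshold_rate
        self.window = None
        self.count = 0

    def observe_syn(self, now):
        sec = int(now)
        if sec != self.window:
            self.window, self.count = sec, 0
        self.count += 1
        return self.count > self.threshold_rate


if __name__ == "__main__":
    # Constructed 4-tuple; the counter would normally derive from the clock.
    tup = ("192.0.2.10", 40000, "198.51.100.5", 443)
    isn = make_cookie(*tup, client_mss=1000, counter=10)
    print("valid ACK recovers MSS:", check_cookie(*tup, ack=isn + 1, now_counter=12))
    print("altered ACK:", check_cookie(*tup, ack=isn + 1000, now_counter=12))
    print("stale ACK:", check_cookie(*tup, ack=isn + 1, now_counter=20))
```

Because the MSS index is part of the keyed hash input, a client cannot change the MSS the proxy later applies by editing those bits, and because the counter is part of the input, a cookie stops validating once it ages out of the accepted window.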

Requirements

This example uses the following hardware and software components:

  • MX480, and MX960 with MX-SPC3
  • Junos OS Release 21.2R1

Configuration

To configure the SYN cookie for the TCP protocol by source and/or by destination, perform these tasks:

  1. Set a value for maximum segment size (MSS) to be used for source TCP protocol.

    [edit]

    user@host# set services screen ids-option ids-option-in limit-session by-source by-protocol tcp syn-cookie mss 64

  2. Set a value for threshold-rate for source TCP protocol.

    [edit]

    user@host# set services screen ids-option ids-option-in limit-session by-source by-protocol tcp syn-cookie threshold-rate 100

  3. Set a value for threshold-num for source TCP protocol.

    [edit]

    user@host# set services screen ids-option ids-option-in limit-session by-source by-protocol tcp syn-cookie threshold-num 100

  4. Set a value for maximum segment size (MSS) to be used for destination TCP protocol.

    [edit]

    user@host# set services screen ids-option ids-option-in limit-session by-dest by-protocol tcp syn-cookie mss 200

  5. Set a value for threshold-rate for destination TCP protocol.

    [edit]

    user@host# set services screen ids-option ids-option-in limit-session by-dest by-protocol tcp syn-cookie threshold-rate 100

  6. Set a value for threshold-num for destination TCP protocol.

    [edit]

    user@host# set services screen ids-option ids-option-in limit-session by-dest by-protocol tcp syn-cookie threshold-num 100

Results

From configuration mode, confirm your configuration by entering the show services screen command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host# show services screen