Configuring the TCP SYN cookie
Overview
A SYN cookie is a stateless SYN proxy mechanism: the device answers each TCP SYN with a SYN-ACK whose sequence number encodes the connection parameters, and it creates no session state until the client's final ACK returns a valid cookie. You can use it in conjunction with other defenses against a SYN flood attack. This example shows how to configure the TCP SYN cookie.
Requirements
This example uses the following hardware and software components:
- MX480, and MX960 with MX-SPC3
- Junos OS Release 21.2R1
Configuration
To configure the SYN cookie for the TCP protocol, limited by source, by destination, or both, perform these tasks:
Set the maximum segment size (MSS) that the SYN cookie uses for by-source TCP sessions.
[edit]
user@host#
set services screen ids-option ids-option-in limit-session by-source by-protocol tcp syn-cookie mss 64
Set a value for threshold-rate for source TCP protocol.
[edit]
user@host#
set services screen ids-option ids-option-in limit-session by-source by-protocol tcp syn-cookie threshold-rate 100
Set a value for threshold-num for source TCP protocol.
[edit]
user@host#
set services screen ids-option ids-option-in limit-session by-source by-protocol tcp syn-cookie threshold-num 100
Set the maximum segment size (MSS) that the SYN cookie uses for by-destination TCP sessions.
[edit]
user@host#
set services screen ids-option ids-option-in limit-session by-dest by-protocol tcp syn-cookie mss 200
Set a value for threshold-rate for destination TCP protocol.
[edit]
user@host#
set services screen ids-option ids-option-in limit-session by-dest by-protocol tcp syn-cookie threshold-rate 100
Set a value for threshold-num for destination TCP protocol.
[edit]
user@host#
set services screen ids-option ids-option-in limit-session by-dest by-protocol tcp syn-cookie threshold-num 100
Results
From configuration mode, confirm your configuration by entering the show services screen command. If the output does not display the intended configuration, repeat the instructions in this example to correct it. Note that the displayed configuration also contains a match-direction statement and by-destination session limits (maximum-sessions and session-rate) that are not set by this example's steps, and that the by-dest keyword entered above appears as by-destination in the output.
user@host# show services screen
ids-option ids-option-in {
    match-direction input-output;
    limit-session {
        by-source {
            by-protocol {
                tcp {
                    syn-cookie {
                        mss 64;
                        threshold-rate 100;
                        threshold-num 100;
                    }
                }
            }
        }
        by-destination {
            maximum-sessions 5000;
            session-rate 5000;
            by-protocol {
                tcp {
                    syn-cookie {
                        mss 200;
                        threshold-rate 100;
                        threshold-num 100;
                    }
                }
            }
        }
    }
}
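Eyeballing the show output works for one ids-option, but a fleet check wants the comparison done mechanically. The following Python script (an added example, not Juniper code or a Juniper API) parses the curly-brace format of the show services screen output above and reports which syn-cookie statements are missing or differ from the intended values. SAMPLE is the output from this Results section with its closing braces completed; SAMPLE_PARTIAL is a constructed variant with a wrong by-source threshold-rate and no by-destination syn-cookie, included to show what a failed check reports. The expected values in EXPECTED are the ones this example configures.

```python
"""Parse Junos curly-brace configuration output and check that the TCP
syn-cookie statements are present with the intended values.

Added example, not Juniper code. SAMPLE is the show output from the Results
section (closing braces completed); SAMPLE_PARTIAL is constructed to show a
failing check.
"""
import re

SAMPLE = """
ids-option ids-option-in {
    match-direction input-output;
    limit-session {
        by-source {
            by-protocol {
                tcp {
                    syn-cookie {
                        mss 64;
                        threshold-rate 100;
                        threshold-num 100;
                    }
                }
            }
        }
        by-destination {
            maximum-sessions 5000;
            session-rate 5000;
            by-protocol {
                tcp {
                    syn-cookie {
                        mss 200;
                        threshold-rate 100;
                        threshold-num 100;
                    }
                }
            }
        }
    }
}
"""

# Constructed: wrong by-source threshold-rate, no by-destination syn-cookie.
SAMPLE_PARTIAL = """
ids-option ids-option-in { limit-session {
    by-source { by-protocol { tcp { syn-cookie { mss 64; threshold-rate 50; threshold-num 100; } } } }
    by-destination { maximum-sessions 5000; } } }
"""

# Values this example sets; what a practitioner would want to verify.
EXPECTED = {
    "by-source": {"mss": 64, "threshold-rate": 100, "threshold-num": 100},
    "by-destination": {"mss": 200, "threshold-rate": 100, "threshold-num": 100},
}


def parse_junos(text: str) -> dict:
    """Turn 'a b { ... }' blocks and 'key value;' statements into nested dicts."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    pos = 0

    def block() -> dict:
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                # 'ids-option ids-option-in {' -> node['ids-option']['ids-option-in']
                target = node
                for w in words[:-1]:
                    target = target.setdefault(w, {})
                target[words[-1]] = block()
                words = []
            elif tok == ";":
                # 'mss 64;' -> {'mss': '64'}; a bare flag statement becomes True
                node[words[0]] = " ".join(words[1:]) if len(words) > 1 else True
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def syn_cookie_settings(tree: dict, option: str) -> dict:
    """Per-scope syn-cookie values (as ints) for one ids-option; None where absent."""
    limit = tree.get("ids-option", {}).get(option, {}).get("limit-session", {})
    out = {}
    for scope in ("by-source", "by-destination"):
        sc = limit.get(scope, {}).get("by-protocol", {}).get("tcp", {}).get("syn-cookie")
        out[scope] = {k: int(v) for k, v in sc.items()} if sc else None
    return out


def check_expected(tree: dict, option: str, expected: dict) -> list:
    """Mismatches between the parsed config and expected; [] means as intended."""
    actual = syn_cookie_settings(tree, option)
    problems = []
    for scope, want in expected.items():
        got = actual.get(scope)
        if got is None:
            problems.append(f"{scope}: tcp syn-cookie not configured")
            continue
        for key, val in want.items():
            if got.get(key) != val:
                problems.append(f"{scope}: {key} is {got.get(key)}, expected {val}")
    return problems


if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("SAMPLE_PARTIAL", SAMPLE_PARTIAL)):
        print(name, check_expected(parse_junos(text), "ids-option-in", EXPECTED) or "OK")
```

The parser is deliberately minimal: it understands only the brace-and-semicolon structure, which is all a show output in configuration mode uses, and it does not try to interpret Junos annotations or inactive statements. Pointing it at a second ids-option name is enough to audit every screen profile on a device.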