Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01 Manual page 111

Configuring intrusion detection and prevention devices guide

Table 49: IDP Device Configuration: Run-Time Parameters (continued)
Copyright © 2010, Juniper Networks, Inc.

Setting: SYN Protector
Timeout for half-open SYN protected flows–A half-open SYN flow occurs during the TCP
three-way handshake, after the server has answered the client's SYN with a SYN/ACK but has not
yet received the client's ACK. The half-open connection is in the SYN_RECV state and is held in a
connection queue while it waits for an ACK or RST packet. It remains in the queue until the
connection-establishment timeout expires, at which point the half-open connection is deleted.
This setting controls that connection-establishment timer: the number of seconds the security
module maintains a half-open SYN protected flow. The default is 5 seconds.
Lower SYNs-per-second threshold below which SYN Protector will be deactivated / Upper
SYNs-per-second threshold above which SYN Protector will be activated–The SYN Protector
rulebase is activated when the number of SYN packets per second exceeds the sum of the lower
and upper thresholds; the upper value is therefore a margin above the lower threshold rather
than an absolute rate.
The SYN Protector rulebase is deactivated when the number of SYN packets per second falls below
the lower threshold.
The defaults are 1000 and 20, so SYN Protector is activated when the SYN rate reaches 1020 per
second and deactivated when it falls below 1000 per second. The gap between the two points keeps
the rulebase from flapping when the rate hovers close to the lower threshold.
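The activation and deactivation rule above is easiest to see as a trace. The following Python is an added example written for this page, not Juniper code or NSM configuration syntax: it models the two thresholds with the default values from Table 49 and replays a constructed series of per-second SYN counts through them, so the hysteresis band between 1000 and 1020 SYNs per second becomes visible. The class and function names are the example's own.

```python
"""Hysteresis of the SYN Protector activation thresholds from Table 49.

Added illustration, not Juniper code: a constructed series of per-second
SYN counts is replayed through the activation rule the table describes.
"""
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class SynProtector:
    lower_threshold: int = 1000   # default: deactivate when rate falls below this
    upper_threshold: int = 20     # default: margin added on top of lower_threshold
    active: bool = False
    log: List[str] = field(default_factory=list)

    @property
    def activation_rate(self) -> int:
        # Table 49 defines activation as the SUM of both values (1000 + 20 = 1020),
        # so "upper" is an offset above "lower", not an absolute rate.
        return self.lower_threshold + self.upper_threshold

    def observe(self, second: int, syns_per_second: int) -> bool:
        """Feed one per-second SYN count; return whether the rulebase is active."""
        # The table says both "greater than the sum" and "reach 1020"; this model
        # treats reaching the sum as activation (>=). Check the exact boundary on
        # the device if it matters for your tuning.
        if not self.active and syns_per_second >= self.activation_rate:
            self.active = True
            self.log.append(f"t={second}s rate={syns_per_second}: activated")
        elif self.active and syns_per_second < self.lower_threshold:
            self.active = False
            self.log.append(f"t={second}s rate={syns_per_second}: deactivated")
        return self.active


def replay(rates: Iterable[int], lower: int = 1000, upper: int = 20) -> List[bool]:
    """Return the active/inactive state after each second of the trace."""
    sp = SynProtector(lower, upper)
    return [sp.observe(t, r) for t, r in enumerate(rates)]


# Constructed trace: a flood ramps up, then the rate sits inside the
# hysteresis band (1000..1019) before dropping below the lower threshold.
FLOOD = [500, 1010, 1020, 1500, 1005, 999, 1010]

# Constructed trace: rate oscillates around the thresholds every second.
OSCILLATING = [1030, 990, 1030, 990]

if __name__ == "__main__":
    for upper in (20, 500):
        print(f"FLOOD, upper={upper}:", replay(FLOOD, 1000, upper))
    for upper in (20, 200):
        print(f"OSCILLATING, upper={upper}:", replay(OSCILLATING, 1000, upper))
```

With the defaults, the FLOOD trace activates at 1020, stays active at 1005 (inside the band), and deactivates only at 999; a rate of 1010 afterwards does not re-activate it. Raising the upper margin (second run) delays activation until a genuine surge, while the oscillating trace shows that a small margin still lets a rate straddling both thresholds toggle the rulebase every second.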
Setting: TCP Reassembler

Ignore packets in TCP flows where a SYN hasn't been seen (recommended)–A TCP flow for which
no SYN was observed is suspect, yet this is a very common occurrence (for example, connections
that were already established before the device began inspecting the link). When enabled, IDP
ignores packets belonging to TCP flows for which it has not seen a SYN. This is enabled by default.
Close flows as soon as a FIN is seen–When a TCP connection closes normally, IDP sees a FIN packet
from each side of the connection followed by an ACK packet from each side. However, TCP does not
guarantee that the final ACK is delivered, so IDP cannot rely on seeing it.
This setting enables IDP to close a TCP connection quickly after receiving a FIN packet. When
enabled, IDP keeps the connection waiting for the final ACK for 5 seconds and then closes it. This
is enabled by default and recommended.
Timeout for connected, idle TCP flows (seconds)–Controls the number of seconds that IDP
maintains connected (but idle) TCP flows. The default is 3600 seconds.
Timeout for closed TCP flows (seconds)–When IDP sees a RST packet, or FIN and FIN+ACK packets,
on a TCP connection, it closes the flow. IDP drops any further packets for the closed flow, but
does not immediately delete the closed flow from the flow table. This setting controls the number
of seconds that closed TCP flows are kept in the flow table. The default is 5 seconds.
Timeout for CLOSE-WAIT/LAST-ACK TCP flows (seconds)–When a TCP connection closes, IDP sees a
FIN packet from each side of the connection followed by an ACK packet from each side. However,
TCP does not guarantee delivery of the final ACK.
This setting controls the number of seconds a connection is kept in the CLOSE-WAIT/LAST-ACK
state while waiting for that final ACK.
To improve IDP performance under heavy load, decrease the timeout: closing these connections
sooner reduces the size of the flow table. The default is 120 seconds.
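The TCP Reassembler timeouts above, together with the half-open timeout from the SYN Protector setting, decide how long each entry occupies the flow table. The following Python is an added example written for this page, not Juniper code or a description of the IDP engine's internal data structures: it models a flow table whose entries move through half-open, established, CLOSE-WAIT and closed states and expire under the Table 49 default timers, and replays a constructed packet trace (a normal close whose final ACK is lost, a mid-stream packet with no SYN, an abandoned SYN, and an idle connection). Class, function and field names are the example's own.

```python
"""Flow-table timeout model for the TCP Reassembler settings in Table 49.
Added illustration, not Juniper's implementation: shows how the "ignore flows
without SYN", "close on FIN", idle, closed and CLOSE-WAIT/LAST-ACK timers
decide how long an entry occupies the flow table."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass
class ReassemblerConfig:
    # Default values from Table 49 (seconds).
    ignore_flows_without_syn: bool = True
    close_on_fin: bool = True
    half_open_timeout: int = 5        # SYN Protector: half-open SYN flows
    idle_timeout: int = 3600          # connected, idle flows
    closed_timeout: int = 5           # closed flows kept while packets are dropped
    close_wait_timeout: int = 120     # CLOSE-WAIT/LAST-ACK, waiting for final ACK
    fin_quick_close_timeout: int = 5  # replaces close_wait_timeout when close_on_fin


@dataclass
class Flow:
    state: str          # HALF_OPEN, ESTABLISHED, CLOSE_WAIT or CLOSED
    last_seen: float
    fins_seen: int = 0


class FlowTable:
    def __init__(self, cfg: ReassemblerConfig) -> None:
        self.cfg = cfg
        self.flows: Dict[FlowKey, Flow] = {}
        self.ignored_no_syn = 0

    @staticmethod
    def key(src: str, sport: int, dst: str, dport: int) -> FlowKey:
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)   # both directions share one entry

    def packet(self, ts: float, src: str, sport: int, dst: str, dport: int,
               flags: str) -> Optional[str]:
        """Apply one packet (flags as in tcpdump: S, SA, A, FA, R); return the
        flow's state afterwards, or None if the packet was ignored."""
        k = self.key(src, sport, dst, dport)
        flow = self.flows.get(k)
        if flow is None:
            if "S" not in flags and self.cfg.ignore_flows_without_syn:
                self.ignored_no_syn += 1        # mid-stream packet, no SYN seen
                return None
            flow = Flow("HALF_OPEN" if "S" in flags else "ESTABLISHED", ts)
            self.flows[k] = flow
            return flow.state
        if flow.state == "CLOSED":
            return "CLOSED"                     # dropped; entry lives out closed_timeout
        flow.last_seen = ts
        if "R" in flags:
            flow.state = "CLOSED"
        elif "F" in flags:
            flow.fins_seen += 1
            flow.state = "CLOSE_WAIT"
        elif flow.state == "HALF_OPEN" and "A" in flags and "S" not in flags:
            flow.state = "ESTABLISHED"          # third leg of the handshake
        elif flow.state == "CLOSE_WAIT" and "A" in flags and flow.fins_seen >= 2:
            flow.state = "CLOSED"               # final ACK did arrive
        return flow.state

    def _timeout(self, flow: Flow) -> int:
        c = self.cfg
        return {"HALF_OPEN": c.half_open_timeout,
                "ESTABLISHED": c.idle_timeout,
                "CLOSE_WAIT": c.fin_quick_close_timeout if c.close_on_fin else c.close_wait_timeout,
                "CLOSED": c.closed_timeout}[flow.state]

    def expire(self, now: float) -> List[str]:
        """Run the timers up to `now`; return the states of the removed entries."""
        removed: List[str] = []
        for k, flow in list(self.flows.items()):
            if flow.state == "CLOSE_WAIT" and now - flow.last_seen >= self._timeout(flow):
                flow.last_seen += self._timeout(flow)   # gave up on the final ACK ...
                flow.state = "CLOSED"                   # ... and start the closed timer
            if now - flow.last_seen >= self._timeout(flow):
                removed.append(flow.state)
                del self.flows[k]
        return removed

    def states(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for f in self.flows.values():
            counts[f.state] = counts.get(f.state, 0) + 1
        return counts


def simulate(close_on_fin: bool) -> dict:
    """Replay a constructed trace and snapshot the table at several times."""
    table = FlowTable(ReassemblerConfig(close_on_fin=close_on_fin))
    c, s = "10.0.0.5", "192.0.2.10"      # constructed client and server addresses
    events = [                           # (ts, src, sport, dst, dport, flags)
        (0.0, c, 40001, s, 80, "S"),     # flow 1: full handshake ...
        (0.1, s, 80, c, 40001, "SA"),
        (0.2, c, 40001, s, 80, "A"),
        (1.0, c, 40002, s, 443, "A"),    # flow 2: mid-stream, no SYN ever seen
        (2.0, c, 40003, s, 22, "S"),     # flow 3: SYN that is never answered
        (3.0, c, 40004, s, 25, "S"),     # flow 4: handshake, then idle forever
        (3.1, s, 25, c, 40004, "SA"),
        (3.2, c, 40004, s, 25, "A"),
        (10.0, c, 40001, s, 80, "FA"),   # flow 1: ... both FINs, final ACK lost
        (10.1, s, 80, c, 40001, "FA"),
    ]
    snapshots = {}
    for now in (4.0, 8.0, 16.0, 21.0, 136.0, 3700.0):
        while events and events[0][0] <= now:
            table.packet(*events.pop(0))
        table.expire(now)
        snapshots[now] = table.states()
    return {"ignored_no_syn": table.ignored_no_syn, "snapshots": snapshots}
```

Running simulate(True) against simulate(False) shows the trade-off the table describes: with "Close flows as soon as a FIN is seen" enabled, the connection whose final ACK was lost has become a closed entry by t=16 s and is gone from the table by t=21 s (5 s in CLOSE-WAIT plus 5 s as a closed flow), whereas with it disabled the same entry sits in CLOSE-WAIT until the 120 s timer has run and is only removed at t=136 s. The abandoned SYN disappears after the 5 s half-open timeout, the packet with no SYN never enters the table, and the idle connection survives until the 3600 s idle timeout.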
Chapter 8: Configuring Intrusion Detection and Prevention Device Settings
