Specifying VLANs; Setting Target Devices; Entering Comments; Configuring SYN Protector Rules - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

498

Specifying VLANs

You can specify that the rule be applied only to packets from particular VLANs. See "Setting VLAN Tags for IDP Rules" on page 480 for more information.

Setting Target Devices

For each rule in the rulebase, you can select the IDP-capable device that will use that rule to detect and prevent attacks. Alternatively, you can use Device Manager to assign policies to devices.

Entering Comments

You can enter notations about the rule in the Comments column. Anything you enter in the Comments column is not pushed to the target devices. To enter a comment, right-click the Comments column and select Edit Comments. The Edit Comments dialog box appears. You can enter up to 1024 characters in the Comments field.

Configuring SYN Protector Rules

The SYN-Protector rulebase protects your network from SYN floods by ensuring that the three-way handshake is performed successfully for specified TCP traffic. If you know that your network is vulnerable to a SYN flood, use the SYN Protector rulebase to prevent it.

The TCP Handshake

When a TCP connection is initiated, a three-way handshake takes place:

1. A client host sends a SYN packet to a specific port on the server to request a connection.
2. Next, the server sends the client host a SYN/ACK packet, which both acknowledges (ACK) the original SYN packet from the client host and forwards a new SYN packet. The potential connection is now in a SYN_RECV state.
3. Finally, the client host sends an ACK packet to the server to acknowledge receipt of the SYN/ACK packet. The connection is now in an ESTABLISHED state.

This three-way handshake contains an inherent, exploitable vulnerability that attackers can use to disable the system: a SYN flood. Most systems allocate a large, but finite, number of resources to a connection table that is used to manage potential connections. While the connection table can sustain hundreds of concurrent connections across multiple ports, attackers can generate enough connection requests to exhaust all allocated resources.
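The following is an added illustration, not code from the Juniper manual or from NSM/IDP itself: a toy model of a server's finite connection table that walks SYN-to-SYN_RECV-to-ESTABLISHED transitions and shows how half-open entries that never receive the final ACK exhaust the table, and how bounding the number of half-open entries keeps a legitimate handshake completing. The capacity, the "spoofed-N" client names and the eviction policy are constructed assumptions; the SYN Protector rulebase's own mechanism is not modelled.

```python
"""Toy model of a listener's connection table under a SYN flood (constructed example)."""

SYN_RECV, ESTABLISHED = "SYN_RECV", "ESTABLISHED"


class ConnectionTable:
    def __init__(self, capacity, max_half_open=None):
        self.capacity = capacity            # finite slots, like a real backlog
        self.max_half_open = max_half_open  # None models an unprotected host
        self.entries = {}                   # client -> handshake state (insertion ordered)
        self.dropped = 0                    # SYNs refused because the table was full

    def half_open(self):
        return sum(1 for s in self.entries.values() if s == SYN_RECV)

    def on_syn(self, client):
        # Steps 1-2: SYN arrives, server answers SYN/ACK and holds a SYN_RECV slot.
        if self.max_half_open is not None and self.half_open() >= self.max_half_open:
            # Mitigation (assumed policy): age out the oldest half-open entry so
            # unanswered SYN/ACKs cannot pin every slot in the table.
            oldest = next(k for k, s in self.entries.items() if s == SYN_RECV)
            del self.entries[oldest]
        if len(self.entries) >= self.capacity:
            self.dropped += 1               # table exhausted: connection refused
            return False
        self.entries[client] = SYN_RECV
        return True

    def on_ack(self, client):
        # Step 3: the final ACK completes the handshake for a SYN_RECV entry.
        if self.entries.get(client) != SYN_RECV:
            return False
        self.entries[client] = ESTABLISHED
        return True


def simulate(max_half_open=None, capacity=8, flood=20):
    """Send `flood` SYNs that are never acknowledged, then one real handshake.

    Returns (legit_connected, half_open_entries, dropped_syns)."""
    table = ConnectionTable(capacity, max_half_open)
    for i in range(flood):
        table.on_syn(f"spoofed-{i}")        # constructed clients; no ACK ever follows
    legit = table.on_syn("legit") and table.on_ack("legit")
    return legit, table.half_open(), table.dropped
```

With no limit, the eight-slot table fills with SYN_RECV entries and the legitimate client is refused; with `max_half_open=4`, stale half-open entries are aged out and the legitimate handshake reaches ESTABLISHED.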

SYN-Floods

Attackers initiate a SYN flood by manipulating the basic three-way handshake:
Copyright © 2010, Juniper Networks, Inc.
