Adding The Syn Protector Rulebase; Defining A Match; Configuring Source And Destination Address Objects - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Adding the SYN Protector Rulebase

Defining a Match

Copyright © 2010, Juniper Networks, Inc.
A client host sends a SYN packet to a specific port on the server. However, the attacker ensures that the client host's IP address is a spoofed IP address of an unreachable system.

Next, the server sends the client host (spoofed address) a SYN/ACK packet. The potential connection is now in a SYN_RECV state.

Since the system is unreachable, the server never receives an ACK or RST packet back from the client host. The potential connection is now in the SYN_RECV state, and is placed into a connection queue while it waits for an ACK or RST packet. This potential connection remains in the queue until the connection-establishment timer expires (when it will be deleted).

The attacker sends another SYN packet to the server, requesting another connection. And then another. And another. The connection table fills to capacity and cannot accept new SYN requests. The server is overwhelmed, and quickly becomes disabled.

By default, the SYN Protector rulebase is only activated when the number of SYN packets per second is greater than 1020. This number is the sum of two parameters that you can set in the Sensor Settings Run-Time Parameters:

- Lower SYN's-per-second threshold below which SYN Protector will be deactivated (the default value is 1000)
- Upper SYN's-per-second threshold above which SYN Protector will be activated (the default value is 20)

Once the SYN Protector rulebase is activated, it remains active until the number of SYN packets per second is less than the Lower SYN's-per-second threshold (which is 1000 by default).

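The activation and deactivation rule described above, modeled as a small Python sketch over constructed traffic (an added example, not Juniper code). Counting only SYNs without ACK in whole-second buckets is an assumption about how the rate is measured, and the function names are hypothetical.

```python
from collections import Counter

LOWER_SYN_PPS = 1000   # page default: deactivate below this rate
UPPER_SYN_PPS = 20     # page default: added to the lower value to get the activation rate

SYN, ACK = 0x02, 0x10  # TCP flag bits


def syn_rate_per_second(packets):
    """Count connection-opening SYNs (SYN set, ACK clear) per second from (ts, flags) tuples."""
    counts = Counter()
    for ts, flags in packets:
        if flags & SYN and not flags & ACK:
            counts[int(ts)] += 1   # assumption: whole-second buckets
    if not counts:
        return []
    first, last = min(counts), max(counts)
    # Include seconds with zero SYNs so a quiet gap can deactivate the rulebase.
    return [(sec, counts.get(sec, 0)) for sec in range(first, last + 1)]


def protector_states(rates, lower=LOWER_SYN_PPS, upper=UPPER_SYN_PPS):
    """Apply the activate/deactivate hysteresis to (second, syn_count) pairs."""
    active = False
    timeline = []
    for sec, rate in rates:
        if not active and rate > lower + upper:
            active = True            # rate exceeded 1020 with default settings
        elif active and rate < lower:
            active = False           # rate fell under the lower threshold
        timeline.append((sec, rate, active))
    return timeline


def constructed_capture():
    """Constructed sample: SYN counts per second, plus SYN/ACK noise."""
    per_second = [900, 1010, 1020, 1021, 1015, 1000, 999, 1010]
    packets = []
    for sec, n in enumerate(per_second):
        packets += [(sec + i / (n + 1), SYN) for i in range(n)]
        packets += [(sec + 0.5, SYN | ACK)] * 50   # replies, must not be counted
    return packets


if __name__ == "__main__":
    for sec, rate, active in protector_states(syn_rate_per_second(constructed_capture())):
        print(f"t={sec}s  SYN/s={rate:<5} protector={'ACTIVE' if active else 'idle'}")
```

With the defaults, a rate of exactly 1020 does not activate the rulebase, and a rate of exactly 1000 does not deactivate it; the 20-packet gap between the two limits keeps the rulebase from toggling when traffic hovers near the lower threshold.
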
Before you can configure a rule in the SYN Protector rulebase, you need to add the SYN Protector rulebase to a security policy.

1. In the main navigation tree, select Policies. Open a security policy by double-clicking the policy name in the Security Policies window or click the policy name and then select the Edit icon.
2. Click the Add icon in the upper right corner of the Security Policy window and select Add SYN Protector Rulebase to open the SYN Protector rulebase tab.
3. Configure a SYN Protector rule by clicking the Add icon on the left side of the Security Policy window to open a default SYN Protector rule. You can modify this rule as needed.

Specify the traffic you want IDP to monitor for SYN floods.

Configuring Source and Destination Address Objects

Set the Source Object to Any. Set the Destination Object to any address objects you want
to protect.
Chapter 9: Configuring Security Policies