Channel: SRX Services Gateway topics

SRX Syn problem


Hello,

We are getting a spoofed SYN attack from the internet. But the IP address that gets the attack is blocking new connections, while the connections that had sessions before are still working. (We get an attack on the SRX main IP, and we also cannot get into the web site of the SRX.)

We noticed something strange in the logs:

Sep 22 07:34:35   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 16.30.169.251:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 160.246.126.46:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:37   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 69.193.101.57:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:37   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:38   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 169.162.141.248:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:38   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 89.82.9.18:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:38   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:39   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 114.183.168.173:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:39   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 198.222.93.42:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:39   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:40   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 80.240.54.217:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:40   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 170.63.108.161:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:40   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:41   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 130.57.247.24:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:41   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 134.130.209.106:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:41   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop

I found a document on the net: https://inetzero.com/few-things-about-screens/

Sometimes, such as in the initial deployment phase, it might not be known which particular attacks to look for. In these cases the parameter called “alarm-without-drop” can come in very handy. If enabled for an ids-option the screen module will generate only a syslog message and not execute the drop action when an attack is detected.

How should that happen? This is our IDS config (the attack is hitting the untrust zone):

security {
    log {
        mode event;
    }
    alg {
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sip;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        syn-flood-protection-mode syn-cookie;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 250;
                    attack-threshold 625;
                    source-threshold 25;
                    timeout 10;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 200;
            }
        }
        traceoptions {
            file screen.log;
            flag all;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy icnetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy DisNetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-4/0/0.0;
                ae1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
                xe-1/0/0.0;
            }
            application-tracking;
        }
    }
}
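As an added example (not part of the post, and not Juniper code), here is a small Python parser for the RT_IDS screen lines quoted above. It separates the destination-only alarm lines (action alarm-without-drop) from the per-source and per-destination drop lines, counts how many distinct sources the drops came from and which source ports they used, and flags the pattern the post's log shows: many sources seen once each, all with the same source port. The regex and the embedded sample lines are assumptions built from the two line shapes in the post; the function takes plain syslog text, so it can be fed an exported screen.log or syslog file instead.

```python
import re
from collections import Counter

# Constructed sample input: five of the RT_IDS screen lines quoted in the post above.
SAMPLE_LOG = """\
Sep 22 07:34:35   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 16.30.169.251:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 160.246.126.46:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
Sep 22 07:34:36   RT_IDS: RT_SCREEN_TCP_DST_IP: SYN flood! destination: 178.20.225.18, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop
Sep 22 07:34:37   RT_IDS: RT_SCREEN_TCP: SYN flood Dst-IP based! source: 69.193.101.57:1234, destination: 178.20.225.18:80, zone name: untrust, interface name: xe-1/0/0.0, action: drop
"""

# One regex (an assumption derived from the two line shapes in the post) covering
# the destination-only alarm line (RT_SCREEN_TCP_DST_IP, no source field) and the
# per-source / per-destination drop line (RT_SCREEN_TCP, with source and ports).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+RT_IDS: (?P<tag>RT_SCREEN_\w+): (?P<msg>[^!]+)! "
    r"(?:source: (?P<src>[\d.]+):(?P<sport>\d+), )?"
    r"destination: (?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifname>\S+), action: (?P<action>\S+)$"
)


def parse_screen_log(text):
    """Parse RT_IDS screen lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarise(events):
    """Split events into what the screen only alarmed on versus what it dropped,
    and characterise the sources that appear in the drop lines."""
    by_action = Counter(e["action"] for e in events)
    by_msg = Counter((e["msg"], e["action"]) for e in events)
    drops = [e for e in events if e["action"] == "drop" and e["src"]]
    distinct_sources = {e["src"] for e in drops}
    source_ports = Counter(e["sport"] for e in drops)
    seconds = {e["ts"] for e in events}
    return {
        "by_action": dict(by_action),
        "by_msg": dict(by_msg),
        "drops": len(drops),
        "distinct_sources": len(distinct_sources),
        "source_ports": dict(source_ports),
        "seconds_covered": len(seconds),
        # Many distinct sources, each seen once, all sharing one source port is the
        # footprint a spoofed flood leaves; a single busy client would repeat itself.
        "looks_spoofed": len(drops) > 1
        and len(distinct_sources) == len(drops)
        and len(source_ports) == 1,
    }


if __name__ == "__main__":
    summary = summarise(parse_screen_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

To run it over a real export, replace SAMPLE_LOG with the contents of the file (for example `open("screen.log").read()`); the summary then shows at a glance how many events were alarm-only versus dropped, and whether the source pattern matches spoofing rather than a handful of genuine heavy clients.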
