
Has anybody succeeded in using SYN cookie?


We have tested many times with a very simple config.

This is the result of the stress test:

http://www.filedropper.com/my-capturebuyuk2 — download the pcap file and check whether the SYN -> SYN-ACK mechanism works or not. Our config is given below, and we have tested the same config on 6+ different firmware versions.

 

If we have made a mistake, please somebody tell me that I am wrong.

 

## Last changed: 2016-09-22 22:37:13 UTC
/* Junos release this listing was taken from; the post says the same config was tried on 6+ firmware versions. */
version 12.1X47-D40.1;
/* Config group declaring a structured-data syslog file "mylog". The same file is declared again directly under system syslog, and no apply-groups statement appears anywhere in this listing, so the group may never be applied — TODO confirm. */
groups {
    jweb-security-logging {
        system {
            syslog {
                file mylog {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
/* Management plane: time zone, DNS resolvers, management services and local logging. */
system {
    time-zone UTC;
    /* Empty as posted; the root password was presumably stripped before sharing — confirm the live device has one set. */
    root-authentication {
    }
    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    /* Both ssh and telnet are enabled; telnet is cleartext management access. */
    services {
        ssh;
        telnet;
        /* Plain http (not https) J-Web, bound to xe-1/0/0.0 and xe-1/0/1.0 — both placed in the untrust zone further down — and to ae1.0. */
        web-management {
            http {
                interface [ xe-1/0/0.0 xe-1/0/1.0 ae1.0 ];
            }
        }
    }
    syslog {
        /* The messages file is narrowed with a regex match intended to keep only RT_SCREEN events (the screen alarms, SYN flood among them, that this test is about); check whether the match is case-sensitive on this release, since the pattern is written as RT_Screen. */
        file messages {
            any any;
            match RT_Screen;
        }
        /* Duplicate of the file defined in the jweb-security-logging group above. */
        file mylog {
            any any;
            archive files 1;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Reserves two aggregated-ethernet devices; only ae1 is actually defined under interfaces below. */
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
/* Physical and logical interfaces as posted (public addresses included). Zone membership is assigned under security zones below. */
interfaces {
    /* ge-0/0/0 through ge-0/0/3 are 802.3ad members of the ae1 bundle. */
    ge-0/0/0 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/2 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/3 {
        gigether-options {
            802.3ad ae1;
        }
    }
    /* Routed port in the trust zone (see zones). */
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 37.123.98.137/29;
            }
        }
    }
    /* The default route's next hop 178.20.225.17 lies in this /29, so this is the upstream link; it is in the untrust zone. */
    xe-1/0/0 {
        unit 0 {
            family inet {
                address 178.20.225.18/29;
            }
        }
    }
    /* Point-to-point link in the untrust zone. */
    xe-1/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.9/30;
            }
        }
    }
    /* Point-to-point link in the trust zone. */
    xe-4/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.17/30;
            }
        }
    }
    /* LACP bundle towards the downstream side; in the trust zone. minimum-links 1 keeps it up with a single member. */
    ae1 {
        description DownStream;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.10.10.21/30;
            }
        }
    }
    /* Loopback uses unit 1 rather than unit 0, and lo0.1 is not listed under any security zone in this listing — TODO confirm intent. */
    lo0 {
        unit 1 {
            family inet {
                address 192.168.1.82/32;
            }
        }
    }
}
/* SNMP v1/v2c read-only access. The community string is exposed in this posted config and travels in cleartext on the wire; no clients restriction is configured here, so any host that can reach the device can query it. */
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    community SALAY {
        authorization read-only;
    }
}
/* Single static default route; the next hop is in the xe-1/0/0 subnet (untrust zone). */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 178.20.225.17;
    }
}
/* Export policy accepting directly connected routes. Nothing in this listing references it (no export statement), so it appears unused — TODO confirm. */
policy-options {
    policy-statement send-direct {
        term 1 {
            from protocol direct;
            then accept;
        }
    }
}
/* Security plane: flow/screen tuning for the SYN-cookie test, wide-open zone policies, and full packet capture. */
security {
    log {
        mode event;
    }
    /* Every ALG is disabled except SIP and IKE-ESP NAT traversal. */
    alg {
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sip;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        allow-dns-reply;
        /* Global SYN-flood protection mode (syn-cookie instead of syn-proxy). Per Juniper's screen documentation this mode only engages once a zone screen's syn-flood attack-threshold (set below) is exceeded; below that rate SYNs are forwarded unmodified, so a low-rate capture will not show cookie-generated SYN-ACKs — verify against the docs for this release. */
        syn-flood-protection-mode syn-cookie;
        /* low-watermark and high-watermark are both 100 %, so the early-ageout of 20 would only engage with a completely full session table — TODO confirm intent. */
        aging {
            early-ageout 20;
            low-watermark 100;
            high-watermark 100;
        }
    }
    screen {
        /* Screen profile; it only takes effect on zones that reference it (the untrust zone does, below). */
        ids-option untrust-screen {
            icmp {
                /* Per the screen docs, ip-sweep, port-scan and tcp-sweep thresholds are time windows in microseconds, not packet rates — check these values are intended. */
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                /* Values are SYNs per second as per Juniper's screen docs: attack-threshold (per destination address+port) is what activates the SYN cookie/proxy mechanism; source-threshold drops SYNs from a single source above 50/s; destination-threshold drops above 1000/s towards one destination; timeout is how long (s) a half-completed connection is held. If the stress test sends from one source IP faster than 50 SYN/s, missing SYN-ACKs in the capture may be the source-threshold drop (the screen working) rather than a cookie failure — check the RT_SCREEN log entries. */
                syn-flood {
                    alarm-threshold 25;
                    attack-threshold 20;
                    source-threshold 50;
                    destination-threshold 1000;
                    timeout 20;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            /* Caps concurrent sessions per source IP at 200; a single-source stress test will hit this as well. */
            limit-session {
                source-ip-based 200;
            }
        }
        /* Full screen tracing to screen.log; useful for this test, expect high volume if left on. */
        traceoptions {
            file screen.log;
            flag all;
        }
    }
    /* Hash-based session distribution; together with the np-ingress/np-egress capture events this suggests a chassis-class SRX — inferred, not confirmed by the listing. */
    forwarding-process {
        application-services {
            session-distribution-mode hash-based;
        }
    }
    /* Wide open: all four zone pairs permit any/any and the default policy is permit-all, so no policy-level filtering happens; only the untrust-screen and the ALGs inspect traffic. Fine for an isolated test, not for production. */
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound direction under test; session-init logging gives per-session evidence alongside the pcap. */
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy icnetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy DisNetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    /* Packet capture behind the pcap in the post: every packet (source-prefix 0.0.0.0/0) is dumped at NP ingress and egress into up to 5 x 10m files. Leave this off outside testing. */
    datapath-debug {
        capture-file my-capture format pcap size 10m files 5;
        maximum-capture-size 1500;
        action-profile {
            do-capture {
                event np-egress {
                    packet-dump;
                }
                event np-ingress {
                    packet-dump;
                }
            }
        }
        packet-filter my-filter {
            action-profile do-capture;
            source-prefix 0.0.0.0/0;
        }
    }
    zones {
        /* Trust side: all host-inbound services and protocols accepted. */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-4/0/0.0;
                ae1.0;
                ge-0/0/7.0;
            }
        }
        /* Untrust side carries the screen under test. All host-inbound services and protocols are accepted here too, which exposes the telnet and plain-http J-Web listeners configured under system services on these interfaces. lo0.1 is assigned to neither zone. */
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
                xe-1/0/0.0;
            }
            application-tracking;
        }
    }
}
