Dear friends,
Our main problem is that spoofed SYN floods are passing through the SRX 3600. We have an MX 80 router and we route the traffic that needs firewalling to the SRX; the servers' gateways are not on the SRX, we just pass the traffic on to a second MX 80. All of the spoofed SYN traffic either passes straight through or only hits the screen rules for SYN limits; the SRX never applies SYN cookie or SYN proxy protection, and we have tried both modes. The configuration is below (note: the root password hash, SNMP community and public addresses are included as pasted, so please treat them as exposed).
## Last changed: 2015-07-30 20:58:07 UTC
/* SRX 3600 running 12.1X44-D45.2, deployed as a bump in the path between two MX 80s
   (default route out xe-1/0/0 toward 37.123.100.121, customer prefixes back via ae0
   toward 10.32.35.97). All policies below are any/any permit, so the box forwards
   everything and only the zone screens do any filtering. */
version 12.1X44-D45.2;
system {
    time-zone UTC;
    root-authentication {
        /* NOTE(review): this MD5-crypt hash was pasted into a public forum post together
           with the public addresses of the box; treat it as compromised and rotate the
           root password (and consider $6$/sha512 via "set system login password format sha512"). */
        encrypted-password "$1$OPApHFb4$oB5XfwsEZ4d4Ucxo.G8xM.";
    }
    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    services {
        ssh;
        /* telnet is cleartext management. Because the untrust zone below allows
           host-inbound system-services "all", this is reachable from the internet-facing
           interfaces as configured. Recommend: delete system services telnet */
        telnet;
        web-management {
            http {
                /* Cleartext HTTP management bound to xe-1/0/0.0, which carries the public
                   37.123.100.122/29 address and sits in the untrust zone. Recommend moving
                   management to https on a dedicated/management interface only. */
                interface [ xe-1/0/0.0 xe-1/0/1.0 ];
            }
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    /* ge-0/0/0..3 are LACP members of ae0 (the inside link toward the second MX 80). */
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/3 {
        gigether-options {
            802.3ad ae0;
        }
    }
    /* Outside link toward the upstream MX 80 (public /29). */
    xe-1/0/0 {
        unit 0 {
            family inet {
                address 37.123.100.122/29;
            }
        }
    }
    /* Second untrust interface; no static route points at it in this config — purpose not
       visible here, presumably an alternate hand-off to the MX 80 (confirm). */
    xe-1/0/1 {
        unit 0 {
            family inet {
                address 10.255.255.1/29;
            }
        }
    }
    ae0 {
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.32.35.98/30;
            }
        }
    }
}
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    /* Read-only community with no "clients" restriction, and the community string is now
       public. With untrust host-inbound system-services "all", SNMP appears reachable from
       the outside interfaces. Recommend: change the community, add a clients { } list, or
       move to SNMPv3. */
    community SALAY {
        authorization read-only;
    }
}
routing-options {
    static {
        /* Everything not listed below goes out to the upstream MX 80. */
        route 0.0.0.0/0 next-hop 37.123.100.121;
        /* Protected customer prefixes, handed to the inside MX 80 over ae0.
           NOTE(review): SYN proxy / SYN cookie on the SRX can only complete a handshake if
           the SYN-ACK/ACK path also crosses this box. Confirm that the inside MX 80 routes
           the servers' return traffic back via 10.32.35.98 rather than straight to the
           upstream; the "no-syn-check" setting under security flow suggests the path may be
           asymmetric, which would explain proxy/cookie never engaging. */
        route 185.9.156.0/22 next-hop 10.32.35.97;
        route 185.118.140.0/22 next-hop 10.32.35.97;
        route 185.90.80.0/22 next-hop 10.32.35.97;
        route 178.20.224.0/21 next-hop 10.32.35.97;
        route 213.238.170.0/24 next-hop 10.32.35.97;
        route 213.238.171.0/24 next-hop 10.32.35.97;
        route 213.238.172.0/24 next-hop 10.32.35.97;
        route 213.238.173.0/24 next-hop 10.32.35.97;
    }
}
security {
    /* All ALGs disabled: reasonable for a pass-through DDoS filter, no payload inspection. */
    alg {
        dns disable;
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        allow-dns-reply;
        /* Mode used once the syn-flood screen's attack-threshold (below) is exceeded.
           It is a global switch; the per-zone syn-flood screen still has to trigger. */
        syn-flood-protection-mode syn-proxy;
        aging {
            early-ageout 15;
            low-watermark 45;
            high-watermark 80;
        }
        tcp-session {
            /* NOTE(review): no-syn-check lets the SRX create a session from a non-SYN TCP
               segment (normally used for asymmetric routing). Two consequences worth
               checking against the observed attack: (1) a spoofed flood of ACK/RST/other
               non-SYN segments is never subject to the SYN-flood screen at all and creates
               sessions directly; (2) if the return path really is asymmetric, proxy/cookie
               cannot see the handshake complete and will not protect anything. If the path
               is symmetric, prefer "strict-syn-check" and remove this. */
            no-syn-check;
            /* Half-open (SYN-only) sessions are held for 20 s. Every spoofed SYN that is
               forwarded before the screen engages occupies a session slot for this long. */
            tcp-initial-timeout 20;
        }
    }
    screen {
        /* Applied to the trust zone (inside link, ae0.0). */
        ids-option IcNetwork {
            icmp {
                ip-sweep threshold 1000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                timestamp-option;
                security-option;
                stream-option;
                loose-source-route-option;
                unknown-protocol;
                tear-drop;
            }
            /* No syn-flood block here: SYNs arriving from the inside link are never
               rate-limited or proxied. Fine if the inside is fully trusted; otherwise add one. */
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000;
                syn-ack-ack-proxy threshold 256;
                land;
                winnuke;
            }
            udp {
                flood threshold 150000;
            }
        }
        /* Applied to the untrust zone (xe-1/0/0.0 and xe-1/0/1.0). */
        ids-option Protection {
            icmp {
                ip-sweep threshold 10000;
                fragment;
                large;
                flood threshold 100;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 150;
                /* This is the only place SYN cookie/proxy can be triggered.
                   NOTE(review): per the Junos screen semantics, attack-threshold is SYNs per
                   second to one destination address:port before proxying starts; below it
                   SYNs are simply forwarded. source-threshold is per source address and is
                   ineffective against a flood with randomised spoofed sources (each source
                   sends only a few SYNs). Verify with
                   "show security screen statistics zone untrust" whether the "SYN flood"
                   counter actually increments during an attack; if it stays at zero the
                   screen is not seeing the traffic as SYNs (see no-syn-check / routing notes). */
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    timeout 15;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 50000;
                udp-sweep threshold 5000;
            }
            /* NOTE(review): destination-ip-based 20000 caps concurrent sessions per
               destination address. If proxying does not engage, spoofed half-open sessions
               (held 20 s each, see tcp-initial-timeout) count toward this cap, so a modest
               spoofed SYN rate can exhaust the limit for one server IP and block legitimate
               clients — the screen itself becomes the denial of service. source-ip-based 100
               does not help against spoofed sources. */
            limit-session {
                source-ip-based 100;
                destination-ip-based 20000;
            }
        }
    }
    policies {
        /* Every zone pair permits any/any and the default policy is permit-all: the SRX does
           no policy-level filtering at all in this deployment. */
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    /* NOTE(review): session-init logging on the inbound any/any policy means
                       every accepted spoofed SYN generates a log record while proxying is not
                       engaged; during a flood this load lands on the control plane. Consider
                       removing it, or logging only with session-close, until the flood
                       handling is fixed. */
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy icnetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy DisNetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
        policy-rematch;
    }
    zones {
        security-zone trust {
            screen IcNetwork;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ae0.0;
            }
        }
        security-zone untrust {
            screen Protection;
            /* NOTE(review): "all" system-services and protocols on the internet-facing zone
               exposes ssh, telnet, http, snmp and every routing protocol listener to the
               outside. Restrict this to what the upstream actually needs (e.g. ping, and
               ssh only from known management addresses) and keep management off xe-1/0/0.0. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
                xe-1/0/1.0;
            }
        }
    }
}