Mitigating Network Attacks on the Juniper SRX
The Juniper SRX provides an extensive set of options to block and prevent both internal and external network attacks.
Within this article we will look at the various options and settings to block,
- Sweeps - Horizontal scans, i.e. scans across an IP range.
- Port Scans - Vertical scans, i.e. scans across multiple ports on a single server.
- IP Protection - Mitigating IP based attacks such as IP spoofing.
- Basic DoS Protection - Mitigation against simple forms of DoS attacks such as Teardrop.
- TCP Protection - Protection against attacks using TCP headers.
- TCP/UDP SYN Floods - Protection against Flood attacks.
- Session Limitation/Protection - SYN cookies, session limits etc.
Each of these settings is configured either within a Screen or within the global flow options. What is a Screen?
A Screen is a feature that allows you to block various layer 3-4 attacks by configuring a screen object and then assigning it to a zone.
NOTE Throughout this article the screen object name 'untrust-screen' is used within the Screen configuration examples.
Sweeps
A sweep is used to identify active hosts and services on the network. An attacker will typically sweep an IP range looking for responses (i.e. open ports). This is also known as a horizontal scan.
Within the sweep examples below we set the threshold to 1 million microseconds (1 sec). During this window a maximum of 10 SYN/UDP/ICMP packets can be sent from a single source IP before the sweep is detected.
set security screen ids-option untrust-screen icmp ip-sweep threshold 1000000
set security screen ids-option untrust-screen tcp tcp-sweep threshold 1000000
set security screen ids-option untrust-screen udp udp-sweep threshold 1000000
Port Scans
Also known as a vertical scan. A port scan is when the attacker probes multiple ports on a single server.
Within the port-scan example below a single source IP is limited to a maximum of 10 different ports on the same destination within 1 million microseconds (1 sec).
set security screen ids-option untrust-screen tcp port-scan threshold 1000000
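The two screens above share one mechanism: a sliding time window (the threshold, in microseconds) over which the device counts distinct destinations per source (sweep) or distinct ports per source/destination pair (port scan). The following Python is an added example written for this article, not SRX code, and it reproduces that counting logic over a constructed set of packet records so you can see which traffic patterns trip a 1-second / 10-target threshold and which (a slow scanner, a busy legitimate client) do not. The packet tuples, addresses and limits are all constructed for the illustration.

```python
from collections import defaultdict, deque

# Thresholds mirror the screen semantics described above: a window of
# 1,000,000 microseconds in which a single source may touch at most 10 hosts
# (sweep) or 10 ports on one host (port scan) before the screen fires.
WINDOW_US = 1_000_000
SWEEP_LIMIT = 10
PORTSCAN_LIMIT = 10


def build_sample_packets():
    """Constructed packet records: (timestamp_us, src, dst, dport, proto)."""
    pkts = []
    # 198.51.100.7 probes TCP/22 on 12 hosts, 50 ms apart: a horizontal sweep.
    for i in range(12):
        pkts.append((50_000 * i, "198.51.100.7", f"10.0.0.{i + 1}", 22, "tcp"))
    # 198.51.100.9 probes 11 ports on one host, 45 ms apart: a vertical port scan.
    for i in range(11):
        pkts.append((45_000 * i, "198.51.100.9", "10.0.0.50", 20 + i, "tcp"))
    # 198.51.100.11 touches 12 hosts but 2 s apart: never exceeds the 1 s window.
    for i in range(12):
        pkts.append((2_000_000 * i, "198.51.100.11", f"10.0.1.{i + 1}", 443, "tcp"))
    # 192.0.2.20 opens 30 connections to one host on one port: legitimate load.
    for i in range(30):
        pkts.append((10_000 * i, "192.0.2.20", "10.0.0.50", 443, "tcp"))
    return pkts


def _prune(history, now_us):
    """Drop events that have fallen out of the sliding window."""
    while history and now_us - history[0][0] > WINDOW_US:
        history.popleft()


def detect(packets):
    """Return (sweeps, port_scans).

    sweeps     : set of (src, proto) that reached SWEEP_LIMIT distinct hosts in a window
    port_scans : set of (src, dst) that reached PORTSCAN_LIMIT distinct TCP ports in a window
    """
    sweep_hist = defaultdict(deque)   # (src, proto) -> deque of (ts, dst)
    scan_hist = defaultdict(deque)    # (src, dst)   -> deque of (ts, dport)
    sweeps, port_scans = set(), set()

    for ts, src, dst, dport, proto in sorted(packets):
        # Sweep: one source, many destination hosts, tracked per protocol the
        # same way the separate icmp/tcp/udp sweep screens are.
        hist = sweep_hist[(src, proto)]
        hist.append((ts, dst))
        _prune(hist, ts)
        if len({d for _, d in hist}) >= SWEEP_LIMIT:
            sweeps.add((src, proto))

        # Port scan: one source, one host, many ports (the tcp port-scan screen).
        if proto == "tcp":
            hist = scan_hist[(src, dst)]
            hist.append((ts, dport))
            _prune(hist, ts)
            if len({p for _, p in hist}) >= PORTSCAN_LIMIT:
                port_scans.add((src, dst))

    return sweeps, port_scans


def run_demo():
    return detect(build_sample_packets())


if __name__ == "__main__":
    found_sweeps, found_scans = run_demo()
    print("sweeps:", sorted(found_sweeps))
    print("port scans:", sorted(found_scans))
```

The slow scanner shows the trade-off behind the threshold value: a longer window catches slower scans but also raises the chance that a busy legitimate source (a monitoring host polling many servers, for example) is mis-classified, so the value should be tuned against the zone's normal traffic before the screen is enabled in blocking mode.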
IP Spoofing
To protect against IP spoofing the IP spoof screen performs a uRPF (unicast reverse path forwarding) check on the source IP address: the route back to the source is looked up to ensure that it points out of the same interface the packet arrived on.
set security screen ids-option untrust-screen ip spoofing
TCP Protection
To drop malformed TCP packets (i.e. packets with no TCP flags set, SYN and FIN set together, etc.) the TCP screens can be used. Below are some common examples,
set security screen ids-option untrust-screen tcp tcp-no-flag
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp syn-frag
Basic DoS protection
To block some of the more basic types of DoS attack, Screens can once again be used. Below are some examples,
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen tcp winnuke
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp land
Flood Attacks
Flood attacks have been among the most common attacks of recent years. Though not as common today, you will typically find the attacker starting with a form of flood attack before moving on to a full Layer-7 DDoS. This is normally because the resources and overhead required for a SYN flood are far less than what is needed for a full Layer-7 DDoS attack. Flood attacks work by sending a large number of connection requests (such as SYNs) in an attempt to overwhelm the server's or firewall's connection table.
Let's look at the various TCP flood options available.
Embryonic Timeouts - Limit the amount of time before an embryonic connection is cleared from the connection table.
set security screen ids-option untrust-screen tcp syn-flood timeout 10
SYN Limits - Limit the number of SYN packets allowed per destination, per port number, per second. Once the threshold is reached the SRX proxies the 3WHS (three-way handshake).
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1500
SYN-Flood per source - Limit the number of SYN packets allowed per source IP address.
set security screen ids-option untrust-screen tcp syn-flood source-threshold 200
SYN-Flood per destination - Limit the number of SYN packets allowed per destination IP address.
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 200
SYN Flood Protection Modes
To instruct the SRX to either SYN Cookie or SYN Proxy any further connection requests (once the SYN thresholds are reached) the following global configuration options are available.
SYN Cookie - SYN cookies work by the SRX replying to every initial SYN with a SYN/ACK whose ISN (Initial Sequence Number) is an encrypted hash of the original source, destination and port numbers. The SRX then discards this information, so the SYN is not placed into the session table. Should the client respond with the ACK, the session is rebuilt from the information carried in the ACK.
SYN Proxy - The 3WHS is proxied and completed by the SRX before the connection is passed on to the backend server.
# enables syn-cookie mode
set security flow syn-flood-protection-mode syn-cookie
# enables syn-proxy mode
set security flow syn-flood-protection-mode syn-proxy
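The SYN-cookie description above is easier to reason about with a working model. The Python below is an added example written for this article and is not the SRX's implementation: Juniper does not document the exact cookie encoding here, so the layout (a keyed hash in the upper 24 bits of the ISN plus an 8-bit time tick in the low bits), the HMAC-SHA256 choice, the secret and the freshness window are all assumptions made for the illustration. It shows the two properties that matter to a defender: no state is kept per SYN, so a spoofed flood leaves the session table empty, and a session is only created when the returned ACK acknowledges a cookie the device can recompute.

```python
import hmac
import hashlib

# Constructed per-device secret; a real implementation would rotate it.
SECRET = b"constructed-example-secret"
COUNTER_BITS = 8           # low bits of the ISN carry the minting tick
MAX_AGE_TICKS = 2          # accept cookies minted up to this many ticks ago


def syn_cookie(src_ip, dst_ip, sport, dport, tick, secret=SECRET):
    """Derive a 32-bit ISN from the connection 4-tuple and a coarse time tick.

    The upper 24 bits are a keyed hash of the connection details; the low 8
    bits expose the tick so the validator can recompute the same hash later.
    """
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{tick}".encode()
    mac24 = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return (mac24 << COUNTER_BITS) | (tick & 0xFF)


def validate_ack(src_ip, dst_ip, sport, dport, ack_number, now_tick, secret=SECRET):
    """Check the client's final ACK using nothing but the ACK itself.

    The ACK acknowledges ISN+1, so ISN = ack-1. Recover the tick from the low
    bits, reject stale cookies, then recompute and compare in constant time.
    """
    isn = (ack_number - 1) & 0xFFFFFFFF
    tick = isn & 0xFF
    if (now_tick - tick) & 0xFF > MAX_AGE_TICKS:
        return False
    expected = syn_cookie(src_ip, dst_ip, sport, dport, tick, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))


class SynCookieGuard:
    """Minimal model of a firewall running in syn-cookie mode."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.sessions = set()   # only fully validated handshakes land here

    def on_syn(self, four_tuple, tick):
        # Answer every SYN with a SYN/ACK carrying the cookie as ISN; store nothing.
        return syn_cookie(*four_tuple, tick, self.secret)

    def on_ack(self, four_tuple, ack_number, tick):
        # Only a correct, fresh ACK turns into a session-table entry.
        if validate_ack(*four_tuple, ack_number, tick, self.secret):
            self.sessions.add(four_tuple)
            return True
        return False


def run_demo():
    """Return (legit_accepted, stale_rejected, forged_rejected, sessions_after_flood)."""
    guard = SynCookieGuard()
    client = ("192.0.2.20", "10.0.0.50", 40000, 443)

    # A legitimate client completes the handshake one tick later.
    isn = guard.on_syn(client, tick=17)
    legit = guard.on_ack(client, (isn + 1) & 0xFFFFFFFF, tick=18)

    # The same cookie replayed long afterwards fails the freshness check.
    stale = guard.on_ack(client, (isn + 1) & 0xFFFFFFFF, tick=40)

    # A guessed ACK with a plausible tick byte fails the keyed-hash comparison.
    forged = guard.on_ack(client, 0xDEADBE11 + 1, tick=17)

    # A spoofed flood of 1000 SYNs that are never acknowledged costs no state.
    for i in range(1000):
        guard.on_syn((f"203.0.113.{i % 256}", "10.0.0.50", 1024 + i, 443), tick=17)

    return legit, stale, forged, len(guard.sessions)


if __name__ == "__main__":
    print(run_demo())   # (True, False, False, 1)
```

The cost of the stateless approach is that TCP options negotiated in the original SYN (window scaling, MSS, SACK) are lost unless they are also encoded into the cookie, which is one reason devices typically switch to cookie mode only once the attack thresholds above have been crossed rather than running it permanently.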
UDP Floods
To protect against UDP flood attacks the following option can be used. This limits the number of UDP packets allowed per second.
set security screen ids-option untrust-screen udp flood threshold 50000
SYN-ACK-ACK Proxy attack
A SYN-ACK-ACK proxy attack occurs when the attacker keeps acknowledging SYN-ACKs that have been proxied by the SRX for user-authentication sessions (during the 3WHS). This results in the connection table filling up and legitimate sessions being denied.
Below, the number of connections allowed per source IP (via proxied SYN-ACKs) is defined.
set security screen ids-option untrust-screen tcp syn-ack-ack-proxy threshold 500
Session Limits
To limit the number of sessions to a single destination or from a single source the limit-session option is used.
Destination - Limit the amount of sessions per destination IP.
set security screen ids-option untrust-screen limit-session destination-ip-based 1000
Source - Limit the amount of sessions per source IP.
set security screen ids-option untrust-screen limit-session source-ip-based 1000
Aggressive Aging
To prevent a situation where the session table becomes full and the SRX is unable to build new sessions, Aggressive Aging can be enabled. Aggressive aging allows you to define at what point inactive sessions are removed from the table. Within the Aggressive Aging feature there are 3 values that must be configured - low-watermark, high-watermark and early-ageout.
Early-ageout - How long the session must be inactive for before it is removed from the session table.
set security flow aging early-ageout 30
Low-watermark - % of session table when aggressive ageing is triggered
set security flow aging low-watermark 70
High-watermark - % of session table when aggressive ageing is de-activated.
set security flow aging high-watermark 90
To check the idle timeout of an application the command request pfe execute target fwdd command "show usp app-def tcp" is used.
Assign Screen Policy
Screens are applied at the zone level. Once you have configured your screen object you can assign it to a zone using the following command.
set security zones security-zone trust screen untrust-screen
Useful Commands

| Command | Purpose |
|---|---|
| show security screen ids-option <screen object name> | Show configured values/settings |
| show security screen statistics zone <zone name> | Show screen statistics for the zone |
| show security flow session summary | Show session counts |
| show chassis routing-engine | Show CPU and memory levels |