syn-cookie vs syn-proxy

If you have ever configured the syn-flood screen on an SRX box, you might have asked yourself which of these two methods you should choose. Here I would like to show the effect of each option on the session table. Configure syn-flood as below:

Note: The thresholds are deliberately set very low to make the test easier.

and send 10 TCP SYNs within one second from your Linux test host using the Swiss-army-knife tool hping.

If you have chosen syn-cookie as the syn-flood protection mode, i.e. you have the following config set,

these 10 TCP SYN requests will only create 3 flow sessions, because we have attack-threshold=3, which instructs the SRX to start the syn-flood protection mechanism after 3 SYNs in a second. That is why you do not see more than 3 TCP port 80 sessions.

However, if you have the following config, i.e. you have chosen syn-proxy protection,

then the situation is a bit different: the very same 10 TCP SYNs will create 10 flow sessions.

In this mode, the timeout plays an important role. The default TCP initial session timeout on the SRX is 20 seconds. If you set this value to 10 as in the example, the non-proxied connections, i.e. the first 3 sessions, will have a 20-second session timeout, and the other 7 proxied connections will have a 10-second session timeout.
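To make the two session-table outcomes concrete, here is a small Python model I have added (it is not SRX code and was not part of the original post) that replays the 10-SYN burst under each mode with the values from this test: attack-threshold 3, default TCP initial timeout 20 s, proxied-session timeout 10 s. The sliding one-second window and the per-source-port bookkeeping are my assumptions about how the threshold is evaluated.

```python
from dataclasses import dataclass

# Values from the test setup in this post: attack-threshold=3 SYNs/s,
# default tcp-initial session timeout 20 s, proxied sessions timing out at 10 s.
ATTACK_THRESHOLD = 3
TCP_INITIAL_TIMEOUT = 20
PROXY_TIMEOUT = 10

@dataclass
class Session:
    src_port: int
    timeout: int     # seconds the half-open session stays in the flow table
    proxied: bool    # True when the SRX answered the SYN on the server's behalf

def session_table(syn_times, mode, threshold=ATTACK_THRESHOLD,
                  initial_timeout=TCP_INITIAL_TIMEOUT, proxy_timeout=PROXY_TIMEOUT):
    """Model the flow sessions left behind by a burst of SYNs to one server port.

    syn_times: list of (timestamp_seconds, src_port), one per inbound SYN.
    mode: "syn-cookie" or "syn-proxy".
    Assumption: the attack threshold is evaluated over a sliding one-second window.
    """
    if mode not in ("syn-cookie", "syn-proxy"):
        raise ValueError(f"unknown syn-flood mode: {mode}")
    sessions, window = [], []
    for ts, port in sorted(syn_times):
        window = [t for t in window if ts - t < 1.0] + [ts]
        if len(window) <= threshold:
            # Below the threshold the screen stays idle: a normal half-open
            # session with the default tcp-initial timeout is created.
            sessions.append(Session(port, initial_timeout, False))
        elif mode == "syn-proxy":
            # Proxied SYN: the SRX answers and keeps a session, but with the
            # shorter proxied-connection timeout.
            sessions.append(Session(port, proxy_timeout, True))
        # syn-cookie: the SYN is answered with a cookie and no session exists
        # until the client's ACK validates it, so nothing is added here.
    return sessions

def summarize(sessions):
    """Count sessions per timeout value, as you would read them off the flow table."""
    counts = {}
    for s in sessions:
        counts[s.timeout] = counts.get(s.timeout, 0) + 1
    return counts

# Constructed burst: 10 SYNs inside one second, like the hping run in the post.
BURST = [(0.1 * i, 40000 + i) for i in range(10)]

if __name__ == "__main__":
    for mode in ("syn-cookie", "syn-proxy"):
        table = session_table(BURST, mode)
        print(f"{mode}: {len(table)} sessions, by timeout {summarize(table)}")
```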

It is up to you to decide which one to use now 🙂

Do you have any feedback?