syn-cookie vs syn-proxy
If you have ever configured the syn-flood screen on an SRX, you may have asked yourself which of these two methods you should choose. Here I would like to show the effect of each option on the session table. Configure syn-flood as below:
{primary:node0}
root@CO-A-1> show configuration security screen ids-option protect-web
tcp {
    syn-flood {
        alarm-threshold 2;
        attack-threshold 3;
        timeout 10;
    }
}
Note: the thresholds are deliberately set this low to make the test easy to reproduce.
and send 10 TCP SYNs within a second from your Linux test host using the Swiss army knife hping3 (-i u100 sends one packet every 100 microseconds, so all 10 arrive well inside one second):
hping3 -c 10 -S -p 80 192.168.9.14 -i u100
SYN-COOKIE
If you have chosen syn-cookie as the syn-flood protection mode, i.e. you have the following config set:
#set security flow syn-flood-protection-mode syn-cookie
these 10 TCP SYNs will create only 3 flow sessions. attack-threshold 3 instructs the SRX to start the syn-flood protection mechanism once it has seen 3 SYNs per second towards the same destination. The first 3 SYNs are handled normally and get a session each; every SYN after that is answered with a SYN-ACK whose sequence number carries a cookie, and no session is allocated unless the sender comes back with an ACK that validates the cookie. hping3 never completes the handshake, so the session table never shows more than 3 sessions for TCP port 80.
{primary:node0}
root@CO-A-1> show security flow session destination-port 80 summary
Valid sessions: 3    <<< attack-threshold amount
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 3
SYN-PROXY
However, if you have the following config, i.e. you have chosen syn-proxy protection,
#set security flow syn-flood-protection-mode syn-proxy
then the situation is a bit different. The very same 10 TCP SYNs will create 10 flow sessions, because in proxy mode the SRX answers the SYN on the server's behalf and has to keep state for every half-open connection it is proxying until the client's ACK arrives.
root@CO-A-1> show security flow session destination-port 80 summary
Valid sessions: 10
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 10
In this mode the screen's timeout plays an important role. The default TCP initial session timeout on the SRX is 20 seconds. With timeout set to 10 as in the example, the non-proxied connections, i.e. the first 3 sessions, keep the 20-second initial timeout, while the other 7 proxied connections are aged out after 10 seconds if the handshake is never completed. So a SYN flood in proxy mode still costs you a session entry per SYN, but only for as long as the screen timeout allows.
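To make the difference between the two modes concrete, here is a small Python model of the session table, added as an example and not taken from Junos or from the original post. It replays the hping3 test above (10 bare SYNs to port 80 within one second, attack-threshold 3, screen timeout 10, default initial timeout 20) against a toy Screen object. The Screen, Session and simulate names, the HMAC-based cookie construction and the sample addresses are all assumptions made for the illustration; the SRX's real cookie algorithm is not public and is not what is shown here.

```python
"""Toy model of the SRX session table under the two syn-flood modes.

Constructed illustration, not Junos code: the SRX is modelled as a Screen
object that sees raw SYN/ACK arrivals. Names (Screen, Session, simulate)
and the cookie construction are assumptions made for the example.
"""
import hmac
import hashlib
from dataclasses import dataclass, field

TCP_INITIAL_TIMEOUT = 20  # SRX default tcp-initial session timeout, seconds


@dataclass
class Session:
    src: str
    sport: int
    dst: str
    dport: int
    timeout: int       # session timeout in seconds
    proxied: bool      # True if the box answered the SYN on the server's behalf


@dataclass
class Screen:
    mode: str                      # "syn-cookie" or "syn-proxy"
    attack_threshold: int = 3      # SYN/s to one dst:port before protection kicks in
    timeout: int = 10              # syn-flood { timeout } from the screen config
    secret: bytes = b"constructed-secret"   # assumed per-box cookie key
    syn_counts: dict = field(default_factory=dict)
    sessions: list = field(default_factory=list)

    def _cookie(self, src, sport, dst, dport, now):
        """Stateless SYN cookie: keyed hash of the 4-tuple and a coarse time
        slot, so a later ACK can be verified without having stored anything."""
        slot = int(now) // 64
        msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, sport, dst, dport, now):
        """Handle one SYN and return what the box does with it."""
        key = (dst, dport, int(now))  # threshold counted per destination per second
        n = self.syn_counts[key] = self.syn_counts.get(key, 0) + 1
        if n <= self.attack_threshold:
            # Below threshold: SYN is forwarded, normal session with default timeout
            self.sessions.append(Session(src, sport, dst, dport, TCP_INITIAL_TIMEOUT, False))
            return "forwarded"
        if self.mode == "syn-proxy":
            # Proxy mode keeps state for the half-open connection, aged with the
            # screen timeout instead of the default initial timeout
            self.sessions.append(Session(src, sport, dst, dport, self.timeout, True))
            return "proxied"
        # Cookie mode answers with a SYN-ACK whose ISN is the cookie; no session yet
        return f"cookie:{self._cookie(src, sport, dst, dport, now)}"

    def on_ack(self, src, sport, dst, dport, ack, now):
        """Third handshake packet: in cookie mode a session is built only when
        ack-1 reproduces the cookie handed out for this 4-tuple."""
        if self.mode != "syn-cookie":
            return False
        if ack - 1 != self._cookie(src, sport, dst, dport, now):
            return False   # forged or stale ACK: nothing allocated
        self.sessions.append(Session(src, sport, dst, dport, TCP_INITIAL_TIMEOUT, False))
        return True


def simulate(mode, syns=10, now=1000.0):
    """Replay the hping3 test: `syns` bare SYNs to port 80 within one second."""
    scr = Screen(mode)
    for i in range(syns):
        scr.on_syn("192.168.9.100", 40000 + i, "192.168.9.14", 80, now + i * 0.0001)
    return {
        "total": len(scr.sessions),
        "proxied": sum(s.proxied for s in scr.sessions),
        "timeouts": sorted(s.timeout for s in scr.sessions),
    }


def cookie_roundtrip(now=2000.0):
    """A real client that finishes the handshake still gets a session in
    cookie mode, a forged ACK does not. Returns (genuine, forged)."""
    scr = Screen("syn-cookie")
    for i in range(4):   # 4th SYN exceeds the threshold and gets a cookie
        verdict = scr.on_syn("10.0.0.5", 50000 + i, "192.168.9.14", 80, now)
    cookie = int(verdict.split(":")[1])
    genuine = scr.on_ack("10.0.0.5", 50003, "192.168.9.14", 80, cookie + 1, now)
    forged = scr.on_ack("10.0.0.9", 50003, "192.168.9.14", 80, cookie + 1, now)
    return genuine, forged


if __name__ == "__main__":
    print("syn-cookie:", simulate("syn-cookie"))
    print("syn-proxy: ", simulate("syn-proxy"))
    print("cookie roundtrip:", cookie_roundtrip())
```

Running it reproduces the two session summaries from the test: cookie mode ends with 3 sessions, all on the 20-second initial timeout, while proxy mode ends with 10, of which 7 are proxied entries on the 10-second screen timeout. The cookie_roundtrip helper shows the other half of the trade-off: cookie mode still admits a legitimate client that completes the handshake, and a spoofed ACK buys nothing.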
It is up to you to decide which one to use now 🙂