syn-cookie vs syn-proxy

If you have ever configured syn-flood screen on an SRX box, you might have asked yourself which one of these methods you should choose. Here I would like to show the effect of each option in session table. Configure syn-flood as below;

{primary:node0}
root@CO-A-1> show configuration security screen 
ids-option protect-web {
    tcp {
        syn-flood {
            alarm-threshold 2;
            attack-threshold 3;
            timeout 10;
        }
    }
}

Note: Thresholds are chosen so small to make the test easier.

and send 10 TCP SYN in a second from your Linux testing host by using the swiss knife hping tool

hping3 -c 10 -S -p 80 192.168.9.14 -i u100

SYN-COOKIE
If you have chosen syn-cooki as the syn flood protection mode i.e you have the following config set.

#set security flow syn-flood-protection-mode syn-cookie

this 10 TCP SYN request will only create 3 flow sessions. Because we have attack-threshold=3 which literally instructs SRX to start syn flood protection mechanism after 3 SYNs in a second because of which you don’t see any TCP 80 session more than 3.

{primary:node0}
root@CO-A-1> show security flow session destination-port 80 summary
Valid sessions: 3  <<< Attack threshold amount
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 3

SYN-PROXY
However if you have the following config i.e you have chosen syn-proxy protection,

#set security flow syn-flood-protection-mode syn-proxy 

then situation is a bit different. The very same number of 10 TCP SYNs will create 10 flow sessions.

root@CO-A-1>show security flow session destination-port 80 summary
Valid sessions: 10  
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 10

In this mode, timeout plays an important role. Default tcp initial session timeout on SRX is 20 seconds. If you set this value to 10 as in the example, non-proxied connections i.e first 3 sessions will have 20 seconds session timeout and other 7 proxied connections will take 10 seconds session timeout.

It is up to you to decide which one to use now 🙂

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN, currently living in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.