I have a Pulse Secure SSLVPN behind my Juniper SRX240 and I'm trying to figure out how to block SYN packets on existing sessions as described in this KB article from Pulse Secure. Can anyone clue me in on how to do this?
Hi, syn-check and sequence-check are enabled by default.
You can disable them via
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
Configuring these options will make the SRX as good as a stateless device, and it will be more vulnerable.
Not sure how this will prevent the SRX from dropping the unwanted SYN packet; I believe with these options the SRX will accept the SYN.
To block the SYN attack as described in the document you have shared, you may need the SYN-Flood screen; please check the documents below.
As already mentioned, this option (block SYN packets) is enabled by default, and you do not need to configure anything.
The article mentions that the attackers will inject TCP SYN or RST messages into ongoing TCP connections that will look like legitimate packets from those TCP streams (including sequence numbers, because they were already guessed by the attackers).
If this is the case, if the attacker sends a RST, the SRX will reset the connection and close the TCP session because it looks like a legitimate RST message from the source. Now, if the attacker sends a SYN message, the SRX will notice that there is an already existing session that matches the characteristics of this packet and will drop the new packet, because this packet is trying to create a new session but there is already an ongoing one.
I believe the TCP checks mentioned in the above posts are for different scenarios.
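To make the session-table behaviour the replies describe concrete, here is an added toy model in Python. It is not Junos code, not from Juniper or Pulse Secure, and does not reproduce the SRX flow module; it only models the rules stated in this thread: with the default syn-check only a SYN can create a session, a SYN that matches an already established session is dropped, an RST that matches a session closes it, and with no-syn-check any packet can create a session (the "stateless device" case). The addresses and packet sequence are constructed sample data; the class and function names are the example's own.

```python
"""Toy stateful session table modelling the TCP handling described in the thread.

Added illustration, not Junos code. Assumptions (labelled here): a session is a
4-tuple keyed on the first permitted packet; flags are a subset of "SAR" for
SYN, ACK and RST; sequence-number checks are not modelled.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Key = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str

    def key(self) -> Key:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self) -> Key:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class FlowTable:
    """Session table with the syn-check knob on (default) or off (no-syn-check)."""

    def __init__(self, syn_check: bool = True) -> None:
        self.syn_check = syn_check
        self.sessions: Set[Key] = set()

    def _lookup(self, pkt: Packet) -> Optional[Key]:
        # A session matches packets in either direction.
        for key in (pkt.key(), pkt.reverse_key()):
            if key in self.sessions:
                return key
        return None

    def process(self, pkt: Packet) -> str:
        existing = self._lookup(pkt)
        is_syn = "S" in pkt.flags and "A" not in pkt.flags
        if existing is None:
            # No session yet: with syn-check only a SYN may create one.
            if is_syn or not self.syn_check:
                self.sessions.add(pkt.key())
                return "permit-new-session"
            return "drop-no-session"
        if "R" in pkt.flags:
            # RST matching a session tears the session down.
            self.sessions.discard(existing)
            return "permit-close-session"
        if is_syn:
            # SYN for a session that already exists is dropped, as the reply describes.
            return "drop-syn-on-existing-session"
        return "permit-existing-session"


# Constructed sample endpoints (documentation address ranges).
CLIENT = ("198.51.100.10", 40000)
VPN = ("203.0.113.5", 443)


def _pkt(src: Tuple[str, int], dst: Tuple[str, int], flags: str) -> Packet:
    return Packet(src[0], src[1], dst[0], dst[1], flags)


def default_behaviour() -> Tuple[list, int]:
    """Handshake, then a SYN matching the live session, then an RST.

    Returns the per-packet verdicts and the number of sessions left afterwards.
    """
    table = FlowTable(syn_check=True)
    packets = [
        _pkt(CLIENT, VPN, "S"),    # client SYN creates the session
        _pkt(VPN, CLIENT, "SA"),   # server SYN/ACK matches it (reverse direction)
        _pkt(CLIENT, VPN, "A"),    # client ACK completes the handshake
        _pkt(CLIENT, VPN, "S"),    # SYN on the existing 4-tuple: dropped
        _pkt(CLIENT, VPN, "R"),    # RST on the existing 4-tuple: closes the session
    ]
    verdicts = [table.process(p) for p in packets]
    return verdicts, len(table.sessions)


def first_packet_without_syn(syn_check: bool) -> str:
    """A bare ACK with no session behind it: dropped by default, accepted with no-syn-check."""
    table = FlowTable(syn_check=syn_check)
    return table.process(_pkt(CLIENT, VPN, "A"))


if __name__ == "__main__":
    print(default_behaviour())
    print(first_packet_without_syn(True), first_packet_without_syn(False))
```

The two helper functions separate the two points made in the thread: `default_behaviour` shows that a SYN matching an existing session is dropped while a matching RST closes the session, and `first_packet_without_syn` shows what disabling syn-check changes, namely that a non-SYN packet can now open a session.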