Junos on the SRX has a number of additional configuration options that can enhance protection against a range of basic security threats. These are configurable under the screens configuration and cover ICMP, IP, TCP, and UDP.
Here are some example configuration options provided by Juniper:
set security screen ids-option screen-config icmp ip-sweep threshold 1000 set security screen ids-option screen-config icmp fragment set security screen ids-option screen-config icmp large set security screen ids-option screen-config icmp flood threshold 200 set security screen ids-option screen-config icmp ping-death set security screen ids-option screen-config ip bad-option set security screen ids-option screen-config ip stream-option set security screen ids-option screen-config ip spoofing set security screen ids-option screen-config ip strict-source-route-option set security screen ids-option screen-config ip unknown-protocol set security screen ids-option screen-config ip tear-drop set security screen ids-option screen-config tcp syn-fin set security screen ids-option screen-config tcp tcp-no-flag set security screen ids-option screen-config tcp syn-frag set security screen ids-option screen-config tcp port-scan threshold 1000 set security screen ids-option screen-config tcp syn-ack-ack-proxy threshold 500 set security screen ids-option screen-config tcp syn-flood alarm-threshold 500 set security screen ids-option screen-config tcp syn-flood attack-threshold 500 set security screen ids-option screen-config tcp syn-flood source-threshold 50 set security screen ids-option screen-config tcp syn-flood destination-threshold 1000 set security screen ids-option screen-config tcp syn-flood timeout 10 set security screen ids-option screen-config tcp land set security screen ids-option screen-config tcp winnuke set security screen ids-option screen-config tcp tcp-sweep threshold 1000 set security screen ids-option screen-config udp flood threshold 500 set security screen ids-option screen-config udp udp-sweep threshold 1000 set security zones security-zone untrust screen screen-config
The IDS profiles must then be attached to the relevant security zone.
set security zones security-zone untrust screen screen-config
The following setting can be used to generate an alarm and allow the packet, to allow tuning of the parameters:
alarm-without-drop;
This should then be reversed to enable packet dropping of packets that meet the thresholds defined.
November 29, 2020