Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check)
The SRX 'strict-syn-check' option blocks the split-handshake trick described in [url]nmap.org/misc/split-handshake.pdf[/url] and drops TCP SYN packets that carry data. It is a per-flow setting, so it applies to every TCP session the box creates:
Code:
set security flow tcp-session strict-syn-check
In a normal TCP exchange (RFC 793) the SYN comes before the first data segment and the FIN comes after the last one. RFC 793 does allow a SYN to carry data, but requires that data to be held until the connection reaches ESTABLISHED, so ordinary stacks never send it (TCP Fast Open, RFC 7413, is the later exception to keep in mind before enabling this on networks that use it). A SYN carrying a payload is therefore treated as an anomaly, and the same check also drops any data segment that arrives before the three-way handshake has completed.
As per documentation:
Quote:
Enables the strict three-way handshake check for the TCP session. It
enhances security by dropping data packets before the three-way handshake
is done.
Testcase:
Injecting a SYN packet with a payload using nemesis (-fS sets the SYN flag, -P supplies the payload file; the file is 1324 bytes despite its name):
Code:
# nemesis tcp -S 172.31.0.2 -D 172.31.1.2 -y 80 -fS -P /tmp/1300b -FD
# wc -c /tmp/1300b
1324 /tmp/1300b
Code:
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: make_nsp_ready_no_resolve()
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: route lookup: dest-ip 172.31.0.2 orig ifp vlan.210 output_ifp vlan.210 orig-zone 8 out-zone 8 vsd 0
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: route to 172.31.0.2
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:no need update ha
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:Installing c2s NP session wing
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: flow got session.
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: flow session id 27542
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: vector bits 0x6 vector 0x4a56aa60
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:ttl vector, out_tunnel = 0x50ba7f08
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: tcp strict 3way handshake check: tcp flag 0x2, datalen=1324
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: tcp 3way handshake check fail
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
A few notes on the debug output above:
- 172.31.0.2 is the source IP of the injected SYN, so the route lookup towards it in the trace is for the return path
- flag 0x2 = bit 1 (2^1) of the TCP flags byte = SYN only, and datalen=1324 is the payload we attached; the bit layout of the flags byte is shown below (C=CWR E=ECE U=URG A=ACK P=PSH R=RST S=SYN F=FIN)
Code:
|C|E|U|A|P|R|S|F|
|---------------|
|7 6 5 4 3 2 1 0|
- the strict 3-way handshake check fails ("tcp 3way handshake check fail") and the packet is dropped; a plain SYN with datalen=0 would have passed this check and the session would have been created normally
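To make the check reproducible off-box, here is an added example (my own code, not Juniper's): it decodes the TCP flags byte exactly as the table above does, parses raw TCP segments, and runs them through a small per-flow model of strict-syn-check. The state machine (SYN, SYN/ACK, ACK, then data) is an assumption based on the documentation quote, with no sequence-number tracking; the segments are constructed inline, including a SYN carrying 1324 bytes like the nemesis test.

```python
"""Decode the TCP flag byte and replay segments through a model of the
SRX strict three-way-handshake check. Added example, not Juniper code;
the state machine is an assumption drawn from the quoted documentation."""
import struct

# Flag byte, low bit to high, matching the table |C|E|U|A|P|R|S|F| (bits 7..0)
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def decode_flags(flag_byte):
    """Return the set flag names, e.g. 0x2 -> ['SYN'], 0x12 -> ['SYN', 'ACK']."""
    return [name for bit, name in enumerate(FLAG_NAMES) if flag_byte & (1 << bit)]


def parse_tcp_segment(raw):
    """Parse a raw TCP segment (header + payload) into (flag_byte, datalen)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    off_res_flags = struct.unpack("!H", raw[12:14])[0]
    data_offset = (off_res_flags >> 12) * 4      # header length incl. options
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("bad data offset")
    flag_byte = off_res_flags & 0xFF             # the eight bits of the table (NS bit ignored)
    return flag_byte, len(raw) - data_offset


def build_tcp_segment(sport, dport, flags, payload=b""):
    """Build a minimal TCP segment with a 20-byte header (checksum left 0;
    only meant to be parsed here, not sent on the wire)."""
    off_res_flags = (5 << 12) | flags            # data offset 5 words = 20 bytes
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_res_flags, 65535, 0, 0)
    return hdr + payload


class StrictSynCheck:
    """Per-flow model of 'set security flow tcp-session strict-syn-check':
    payload is accepted only once SYN, SYN/ACK and ACK have been seen.
    Assumed simplification for illustration; the real check lives in the
    SRX flow daemon and also enforces sequence numbers."""

    def __init__(self):
        self.state = "NEW"   # NEW -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED

    def inspect(self, direction, raw):
        """direction is 'c2s' or 's2c'; returns (verdict, reason)."""
        flags, datalen = parse_tcp_segment(raw)
        if flags & RST:
            self.state = "CLOSED"
            return "pass", "rst"
        if self.state != "ESTABLISHED" and datalen:
            # Same information the SRX trace prints before 'tcp 3way handshake check fail'
            return "drop", f"tcp strict 3way handshake check: tcp flag {flags:#x}, datalen={datalen}"
        if self.state == "NEW" and direction == "c2s" and flags & SYN and not flags & ACK:
            self.state = "SYN_SEEN"
        elif self.state == "SYN_SEEN" and direction == "s2c" and flags & (SYN | ACK) == SYN | ACK:
            self.state = "SYNACK_SEEN"
        elif self.state == "SYNACK_SEEN" and direction == "c2s" and flags & ACK and not flags & SYN:
            self.state = "ESTABLISHED"
        elif self.state != "ESTABLISHED":
            return "drop", f"unexpected {decode_flags(flags)} in state {self.state}"
        return "pass", self.state


def run_testcases():
    """Constructed inputs: a SYN carrying 1324 bytes (as in the nemesis test),
    then a clean handshake followed by a data segment."""
    bad_flow = StrictSynCheck()
    syn_with_data = bad_flow.inspect("c2s", build_tcp_segment(40000, 80, SYN, b"A" * 1324))

    good_flow = StrictSynCheck()
    steps = [
        ("c2s", build_tcp_segment(40001, 80, SYN)),
        ("s2c", build_tcp_segment(80, 40001, SYN | ACK)),
        ("c2s", build_tcp_segment(40001, 80, ACK)),
        ("c2s", build_tcp_segment(40001, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")),
    ]
    handshake = [good_flow.inspect(d, seg)[0] for d, seg in steps]
    return syn_with_data, handshake


if __name__ == "__main__":
    verdict, handshake = run_testcases()
    print("SYN with data:", verdict)
    print("clean handshake + data:", handshake)
```

The model reproduces both halves of the documentation quote: the SYN+data case is rejected on the first packet, and a payload sent after the SYN but before the final ACK is rejected too, which is what defeats the split-handshake variants.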