Have faith and stem the flood of SYNers

In my previous post I showed what a SYN flood and a SYN scan are. The ability to determine open ports rather silently, without triggering alarms, may have raised a few eyebrows. I mentioned that Stateful Packet Inspection and firewalls can stop this. Certain logging applications can also alarm on a SYN and SYN/ACK that are never followed by an ACK.

Cue holy music and the clouds parting. Today I will deploy some protection with the SRX110. First, without a screen in place, this is what happens when I launch a SYN scan against my SRX. Time to fight back.

Fight back against the SYNners

dreamspike:~ pandom_$ sudo nmap -sS 
Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-20 21:28 EST
Nmap scan report for
Host is up (0.0029s latency).
Not shown: 999 filtered ports
22/tcp open  ssh
MAC Address: B0:A8:6E:66:E2:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds
dreamspike:~ pandom_$

As you can see, the service running on it is plainly visible: good old SSH. I don't want people to just scan my untrusted interface and work out what is running. I am going to make sure I control how much information I give up freely. I am not going down without a fight.

The following screen can be put in place. I have applied it to my untrust security zone.

set security screen ids-option untrust-screen tcp syn-flood

Now to check and confirm configuration.

[email protected]> show configuration security screen ids-option untrust-screen 
icmp {
ip {
tcp {
    syn-ack-ack-proxy threshold 100;

Okay. Let's launch nmap again. How do you think this will go?

telaranrhiod:~ pandom$ sudo nmap -sS

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-21 09:45 EST
Nmap scan report for
Host is up (0.0041s latency).
Not shown: 792 filtered ports
4/tcp     open  unknown
7/tcp     open  echo
9/tcp     open  discard
22/tcp    open  ssh
32/tcp    open  unknown
37/tcp    open  time
43/tcp    open  whois
70/tcp    open  gopher
89/tcp    open  su-mit-tg
161/tcp   open  snmp
254/tcp   open  unknown
264/tcp   open  bgmp
301/tcp   open  unknown
407/tcp   open  timbuktu
417/tcp   open  onmux
512/tcp   open  exec
544/tcp   open  kshell
545/tcp   open  ekshell
631/tcp   open  ipp
666/tcp   open  doom
668/tcp   open  mecomm
687/tcp   open  asipregistry
691/tcp   open  resvc
705/tcp   open  agentx
714/tcp   open  iris-xpcs
720/tcp   open  unknown
722/tcp   open  unknown
783/tcp   open  spamassassin
900/tcp   open  omginitialrefs
1021/tcp  open  exp1
1022/tcp  open  exp2
1028/tcp  open  unknown
1031/tcp  open  iad2
1033/tcp  open  netinfo
1034/tcp  open  zincite-a
1036/tcp  open  nsstp
1040/tcp  open  netsaint
1042/tcp  open  afrog
1045/tcp  open  fpitp
1049/tcp  open  td-postman
1052/tcp  open  ddt
1056/tcp  open  vfo
1062/tcp  open  veracity
1065/tcp  open  syscomlan
1067/tcp  open  instl_boots
1068/tcp  open  instl_bootc
1071/tcp  open  bsquare-voip
1082/tcp  open  amt-esd-prot
1084/tcp  open  ansoft-lm-2
1090/tcp  open  ff-fms
1121/tcp  open  rmpp
1124/tcp  open  hpvmmcontrol
1151/tcp  open  unizensus
1187/tcp  open  alias
1199/tcp  open  dmidi
1213/tcp  open  mpc-lifenet
1236/tcp  open  bvcontrol
1272/tcp  open  cspmlockmgr
1461/tcp  open  ibm_wrless_lan
1521/tcp  open  oracle
1580/tcp  open  tn-tl-r1
1583/tcp  open  simbaexpress
1700/tcp  open  mps-raft
1717/tcp  open  fj-hdnet
1719/tcp  open  h323gatestat
1721/tcp  open  caicci
1801/tcp  open  msmq
1812/tcp  open  radius
1862/tcp  open  mysql-cm-agent
1863/tcp  open  msnp
1900/tcp  open  upnp
1914/tcp  open  elm-momentum
1974/tcp  open  drp
1999/tcp  open  tcp-id-port
2000/tcp  open  cisco-sccp
2010/tcp  open  search
2020/tcp  open  xinupageserver
2035/tcp  open  imsldoc
2045/tcp  open  cdfunc
2046/tcp  open  sdfunc
2048/tcp  open  dls-monitor
2068/tcp  open  advocentkvm
2100/tcp  open  amiganetfs
2103/tcp  open  zephyr-clt
2107/tcp  open  msmq-mgmt
2179/tcp  open  vmrdp
2190/tcp  open  tivoconnect
2288/tcp  open  netml
2366/tcp  open  qip-login
2710/tcp  open  sso-service
2875/tcp  open  dxmessagebase2
2910/tcp  open  tdaccess
2968/tcp  open  enpp
3005/tcp  open  deslogin
3017/tcp  open  event_listener
3077/tcp  open  orbix-loc-ssl
3128/tcp  open  squid-http
3211/tcp  open  avsecuremgmt
3300/tcp  open  unknown
3323/tcp  open  active-net
3372/tcp  open  msdtc
3390/tcp  open  dsc
3690/tcp  open  svn
3784/tcp  open  bfd-control
3827/tcp  open  netmpi
3871/tcp  open  avocent-adsap
3878/tcp  open  fotogcad
3889/tcp  open  dandv-tester
3945/tcp  open  emcads
4002/tcp  open  mlchat-proxy
4126/tcp  open  ddrepl
4279/tcp  open  vrml-multi-use
4444/tcp  open  krb524
4445/tcp  open  upnotifyp
4446/tcp  open  n1-fwp
4567/tcp  open  tram
4899/tcp  open  radmin
5000/tcp  open  upnp
5001/tcp  open  commplex-link
5003/tcp  open  filemaker
5009/tcp  open  airport-admin
5054/tcp  open  rlm-admin
5087/tcp  open  unknown
5200/tcp  open  targus-getdata
5214/tcp  open  unknown
5226/tcp  open  hp-status
5405/tcp  open  pcduo
5431/tcp  open  park-agent
5500/tcp  open  hotline
5550/tcp  open  sdadmind
5560/tcp  open  isqlplus
5631/tcp  open  pcanywheredata
5633/tcp  open  beorl
5678/tcp  open  rrac
5801/tcp  open  vnc-http-1
5859/tcp  open  wherehoo
5862/tcp  open  unknown
6004/tcp  open  X11:4
6006/tcp  open  X11:6
6100/tcp  open  synchronet-db
6123/tcp  open  backup-express
6510/tcp  open  mcer-port
6580/tcp  open  parsec-master
6646/tcp  open  unknown
6667/tcp  open  irc
6692/tcp  open  unknown
6788/tcp  open  smc-http
7004/tcp  open  afs3-kaserver
7103/tcp  open  unknown
7106/tcp  open  unknown
7201/tcp  open  dlip
7443/tcp  open  oracleas-https
7741/tcp  open  scriptview
7800/tcp  open  asr
7938/tcp  open  lgtomapper
8011/tcp  open  unknown
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8081/tcp  open  blackice-icecap
8085/tcp  open  unknown
8090/tcp  open  unknown
8222/tcp  open  unknown
8333/tcp  open  unknown
8443/tcp  open  https-alt
8701/tcp  open  unknown
8899/tcp  open  ospf-lite
8994/tcp  open  unknown
9050/tcp  open  tor-socks
9080/tcp  open  glrpc
9207/tcp  open  wap-vcal-s
9290/tcp  open  unknown
9418/tcp  open  git
9502/tcp  open  unknown
9535/tcp  open  man
9593/tcp  open  cba8
9618/tcp  open  condor
9929/tcp  open  nping-echo
10012/tcp open  unknown
10566/tcp open  unknown
11111/tcp open  vce
13782/tcp open  netbackup
15004/tcp open  unknown
15742/tcp open  unknown
16080/tcp open  osxwebadmin
16992/tcp open  amt-soap-http
19283/tcp open  keysrvr
19350/tcp open  unknown
19842/tcp open  unknown
20222/tcp open  ipulse-ics
24800/tcp open  unknown
25735/tcp open  unknown
27353/tcp open  unknown
27715/tcp open  unknown
30000/tcp open  unknown
30951/tcp open  unknown
31038/tcp open  unknown
32769/tcp open  filenet-rpc
32777/tcp open  sometimes-rpc17
34573/tcp open  unknown
35500/tcp open  unknown
48080/tcp open  unknown
49154/tcp open  unknown
49400/tcp open  compaqdiag
51103/tcp open  unknown
52848/tcp open  unknown
54045/tcp open  unknown
56737/tcp open  unknown
65129/tcp open  unknown
MAC Address: B0:A8:6E:66:E2:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 34.67 seconds
telaranrhiod:~ pandom$

Phwoar. Look at all the breadcrumbs and honeypots (the screen is proxying SYN/ACK replies on the SRX's behalf, so every probed port looks open). If that was the response I got from a scan I'd be shaking my head. Where to start? Which vulnerability to address? For an attacker, the return on investment is money versus time: how much money will they get for the time they spend attacking? The results above will slow an attacker down. Remember though, this is NOT the only way to discover ports. It may be the quietest way, but it is certainly not the only way.

[email protected]> show security screen statistics zone untrust               
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 0
  UDP flood                                  0
  TCP winnuke                                0
  TCP port scan                              0
  ICMP address sweep                         0
  TCP sweep                                  0
  UDP sweep                                  0
  IP tear drop                               0
  TCP SYN flood                              13377
  IP spoofing                                0
  ICMP ping of death                         0
  IP source route option                     0
  TCP land attack                            0
  TCP SYN fragment                           0
  TCP no flag                                0
  IP unknown protocol                        0
  IP bad options                             0
  IP record route option                     0
  IP timestamp option                        0
  IP security option                         0
  IP loose source route option               0
  IP strict source route option              0
  IP stream option                           0
  ICMP fragment                              0
  ICMP large packet                          0
  TCP SYN FIN                                0
  TCP FIN no ACK                             0
  Source session limit                       0
  TCP SYN-ACK-ACK proxy                      0
  IP block fragment                          0
  Destination session limit                  0

The output above shows 13377 hits of SYN and SYN/ACK without an ACK on the untrust screen. Verification is important, but controlling the options is paramount. Remember that understanding what traverses your network is critical to understanding security risks and mitigating them.

A security engineer must consider that illegitimate TCP SYN requests en masse constitute a denial of service attack. To control traffic accurately without dropping legitimate TCP sessions, an understanding of expected TCP session behaviour is important.

The SRX has many options to control SYN floods under the screen's ids-option. They range from source and destination thresholds to attack thresholds, and it is important to understand the difference. Source and destination thresholds can be very bad: once the threshold is reached they drop any TCP session, legitimate or illegitimate. An attack threshold, by contrast, once reached, proxies SYN-ACK replies to SYN requests in an attempt to determine which TCP connections are legitimate.

Now let us look at the system defaults before we change anything. Juniper has applied these defaults for the SRX110; they change per platform.

[email protected]> show security screen ids-option untrust-screen 
Screen object status:

Name                                         Value
  IP tear drop                               enabled    
  TCP SYN flood attack threshold             200        
  TCP SYN flood alarm threshold              512        
  TCP SYN flood source threshold             4000       
  TCP SYN flood destination threshold        50         
  TCP SYN flood timeout                      20         
  ICMP ping of death                         enabled    
  IP source route option                     enabled    
  TCP land attack                            enabled    
  TCP SYN-ACK-ACK proxy threshold            100

The thresholds above are limits in packets per second. If they need to be tweaked, that can be done as below. If you are worried about half-open sessions filling up your firewall's connection table, reduce the timeout period from the default of 20 seconds to 10.

set security screen ids-option untrust-screen tcp syn-flood timeout 10
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1500
set security screen ids-option untrust-screen tcp syn-flood source-threshold 3200
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 8000

I cannot stress enough the importance of understanding your traffic flows and baseline information when adjusting the SYN thresholds on source and destination. Simple deployment gives effective results, but if you are not careful it could be too effective. After all, a SYN flood won't happen if aggressive thresholds have already crippled the network segment.
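To make the difference between the threshold types concrete, here is a small simulation I have added for this post. It is not Juniper code and does not reproduce the SRX's internal algorithm; it simply applies the source, destination and attack thresholds and the half-open timeout to a constructed stream of SYNs in the way described above, using the default values from the screen status output. The addresses 198.51.100.7 (flooder), 203.0.113.5 (legitimate client) and 192.0.2.1 (protected host) are made up for the example.

```python
"""Simplified model of the SRX SYN-flood screen thresholds discussed above.

Added example for this post, not Juniper code: it applies the source, destination
and attack thresholds and the half-open timeout, as the text describes them, to a
constructed stream of SYN packets. All addresses and ports are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SynFloodScreen:
    attack_threshold: int = 200       # SYN/s to one dst addr:port before SYN proxying starts
    source_threshold: int = 4000      # SYN/s from one source before its SYNs are dropped
    destination_threshold: int = 50   # SYN/s to one dst addr before its SYNs are dropped
    timeout: int = 20                 # seconds a proxied half-open entry is kept
    _second: int = -1                 # second the per-second counters currently cover
    _per_src: dict = field(default_factory=lambda: defaultdict(int))
    _per_dst: dict = field(default_factory=lambda: defaultdict(int))
    _per_dst_port: dict = field(default_factory=lambda: defaultdict(int))
    _half_open: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> expiry second

    def _tick(self, now):
        """Reset the per-second counters on a new second and age out half-open entries."""
        if now != self._second:
            self._second = now
            self._per_src.clear()
            self._per_dst.clear()
            self._per_dst_port.clear()
        for key in [k for k, expiry in self._half_open.items() if expiry <= now]:
            del self._half_open[key]

    def on_syn(self, now, src, sport, dst, dport):
        """Verdict for one SYN seen at second `now`: 'forward', 'drop' or 'proxy'."""
        self._tick(now)
        self._per_src[src] += 1
        self._per_dst[dst] += 1
        self._per_dst_port[(dst, dport)] += 1
        # Source and destination thresholds are blunt: beyond the limit every SYN is
        # dropped, legitimate or not, which is why the post warns against setting them low.
        if self._per_src[src] > self.source_threshold:
            return "drop"
        if self._per_dst[dst] > self.destination_threshold:
            return "drop"
        # The attack threshold switches on SYN proxying instead: the screen answers
        # SYN/ACK itself and only opens a real session if the client's ACK arrives.
        if self._per_dst_port[(dst, dport)] > self.attack_threshold:
            self._half_open[(src, sport, dst, dport)] = now + self.timeout
            return "proxy"
        return "forward"

    def on_ack(self, now, src, sport, dst, dport):
        """Client answered the proxied SYN/ACK: promote the entry to a real session."""
        self._tick(now)
        return self._half_open.pop((src, sport, dst, dport), None) is not None

    def half_open_count(self, now):
        self._tick(now)
        return len(self._half_open)


def simulate(screen, syns):
    """Feed (second, src, sport, dst, dport) SYNs through the screen; tally verdicts per source."""
    verdicts = defaultdict(lambda: defaultdict(int))
    for now, src, sport, dst, dport in syns:
        verdicts[src][screen.on_syn(now, src, sport, dst, dport)] += 1
    return {src: dict(v) for src, v in verdicts.items()}


# Constructed traffic: 300 SYNs to port 22 from one flooder within a single second,
# followed by a single SYN from a legitimate client.
FLOODER, CLIENT, SERVER = "198.51.100.7", "203.0.113.5", "192.0.2.1"
FLOOD = [(0, FLOODER, 40000 + i, SERVER, 22) for i in range(300)]
LEGIT = [(0, CLIENT, 51000, SERVER, 22)]


def aggressive_destination_threshold():
    """Default destination threshold of 50: the flood and the legitimate SYN are both dropped."""
    screen = SynFloodScreen(destination_threshold=50, attack_threshold=200)
    return simulate(screen, FLOOD + LEGIT)


def attack_threshold_with_proxy():
    """Destination threshold raised to 8000: the attack threshold proxies the excess instead."""
    screen = SynFloodScreen(destination_threshold=8000, attack_threshold=200)
    verdicts = simulate(screen, FLOOD + LEGIT)
    client_completed = screen.on_ack(0, CLIENT, 51000, SERVER, 22)
    return verdicts, client_completed, screen.half_open_count(0), screen.half_open_count(20)


if __name__ == "__main__":
    print("destination threshold 50:", aggressive_destination_threshold())
    verdicts, ok, pending, after_timeout = attack_threshold_with_proxy()
    print("attack threshold 200:", verdicts)
    print("client handshake completed:", ok, "| half-open now:", pending, "| after timeout:", after_timeout)
```

The first scenario shows the blunt instrument: with the default destination threshold of 50, the legitimate client's SYN is dropped right along with the flood. The second raises the destination threshold to 8000, as in the commands above, so the attack threshold takes over: the first 200 SYNs are forwarded, the rest are proxied, the legitimate client still completes its handshake, and the flooder's proxied half-open entries age out once the timeout has elapsed.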

TCP SYN Scanning

The purpose of this post is to dissect what a TCP SYN scan is by digging into the TCP protocol. The notion of TCP SYN scans has been around for many years, and it is something a network engineer should understand. Countermeasures can be deployed against this type of attack en masse, although reconnaissance missions can be harder to detect.

Dig deeper

Standard TCP handshake

A TCP connection established against a remote device adheres to the following three-phase process. In the first phase, the source sends a TCP packet with the SYN flag set.


SYN flag in TCP flags field

In the second phase, the remote side responds with a TCP packet with the SYN and ACK flags set, provided the port is open and the service is running.

SYN ACK flags set in TCP Flags field

In the third phase, the source sends a TCP packet with the ACK flag set. The connection is now open.


ACK flag set in TCP Flag field

In the second phase, if the port is closed and no service is running, a TCP packet with the RST flag set is sent back instead.

Reset flag set in TCP Flag field

Note: my example assumes the TCP acknowledgement and sequence numbers are all in corresponding order. Oh, there is so much magic you can weave with packet manipulation.

So what is a TCP SYN scan?

Known by many names, SYN scanning, or half-open scanning, is where the full TCP connection is never made. SYN scanning sends only the first packet, the one marked with the SYN flag, and waits for either a RST,ACK or a SYN,ACK response. If a RST,ACK response comes in, nothing is running on the port. If a SYN,ACK response is received, a service is known to be running on the port; the scanner then issues a RST instead of completing the handshake.

The benefit of TCP SYN scanning is that most logging applications do not log TCP RSTs by default. They generally create a log entry in the application, device or server when the final ACK comes from the client. Because that final ACK never comes, only a RST, a scan can go unnoticed.

NMAP command

Understanding what you are typing into nmap and programs like it is the difference between someone who knows what they are doing and a script kiddie pushing buttons. Being someone who knows what they are doing, you clearly understand how a command affects a scan or a sweep, including how it modifies or manipulates packets.

The command in nmap is simple and the results effective.

nmap -sS

Very easy. This will perform a scan against the specified device. Remember that this can be combined with a range, and the wildcard * can be used on any octet.

dreamspike:~ pandom_$ sudo nmap -sS

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-20 13:29 EST
Nmap scan report for srp527w (
Host is up (0.015s latency).
Not shown: 995 closed ports
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
2869/tcp  open  icslap
49152/tcp open  unknown
MAC Address: 20:37:06:3A:B3:9D (Cisco Systems)

Being on OS X, I have had to run the scan with superuser privileges, so sudo is required before the nmap statement. The output very quickly identifies the running services. I have enabled some services for demonstration purposes. If this were a security audit you might get some comments regarding the use of http.

I also like the nmap feature that lets you scan the top 10 most used ports. This is information Fyodor, the creator of nmap, has collected from nmap submissions.

dreamspike:~ pandom_$ sudo nmap -top-ports 25 -sS

So it will focus on the top 25 ports listed in the version of nmap you use. You can see how you can stack arguments to achieve very targeted results. If you think this is cool, it is only the beginning.


Firewall systems understand the state of TCP connections. They also have the ability to reject stealth scan packets like the ones we sent above. Proxying and Stateful Packet Inspection beat these attacks. If you do notice oddities, watch the logs and track down the machine. Many attacks or reconnaissance missions have been performed from behind enemy lines.

Remember that there are devices and options designed to detect this. A simple IDS will note the number of RSTs coming from a host. If set up to do so, it will email an administrator, and the information can be logged or captured.
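Here is a small Python example I have added for this post (not code from the original) that ties the handshake phases above to the logging point just made. It decodes the TCP flags field from raw headers, follows each flow through the three-way handshake, and counts per source host the two signatures of a SYN scan: a SYN/ACK answered with a RST instead of an ACK, and RST/ACK replies from closed ports. The traffic is constructed inline; the hosts 203.0.113.9 (scanner), 198.51.100.4 (ordinary client) and 192.0.2.10 (server), and the alert threshold of three events, are assumptions for the example.

```python
"""Decode TCP flags from raw headers and spot half-open (SYN) scans.

Added example for this post, not code from the original. It builds a few TCP
headers by hand (constructed traffic), then tracks each flow through the
three-way handshake described above and counts, per source host, the two
tell-tale outcomes of a SYN scan: SYN/ACK answered with RST instead of ACK,
and RST/ACK replies from closed ports.
"""
import struct
from collections import defaultdict

# Bits of the TCP flags byte (RFC 793 layout)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header (no options, checksum left zero; constructed data)."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words in the high nibble
    return struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_flags(header):
    """Return (sport, dport, flags) from a raw TCP header."""
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, header[:20])
    return sport, dport, flags


def flag_names(flags):
    """Human-readable flag list, e.g. 'SYN,ACK'."""
    names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (RST, "RST"), (FIN, "FIN"), (PSH, "PSH")) if flags & bit]
    return ",".join(names) or "none"


class HalfOpenScanDetector:
    """Tracks handshakes per flow and tallies scan-like outcomes per source host."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.state = {}                             # (client, cport, server, sport) -> handshake state
        self.rst_after_synack = defaultdict(int)    # client -> SYN/ACKs it answered with RST
        self.closed_port_probes = defaultdict(int)  # client -> RST/ACK replies it received

    def observe(self, src, dst, header):
        sport, dport, flags = parse_flags(header)
        if flags & SYN and not flags & ACK:          # phase 1: client opens a flow
            self.state[(src, sport, dst, dport)] = "syn"
            return
        reply_key = (dst, dport, src, sport)         # this packet as a server -> client reply
        if flags & SYN and flags & ACK and self.state.get(reply_key) == "syn":
            self.state[reply_key] = "syn_ack"        # phase 2: port is open
        elif flags & RST and flags & ACK and self.state.get(reply_key) == "syn":
            self.state.pop(reply_key)                # phase 2: port closed, RST/ACK sent back
            self.closed_port_probes[dst] += 1
        else:
            key = (src, sport, dst, dport)           # this packet as client -> server again
            if self.state.get(key) == "syn_ack":
                if flags & RST:                      # half-open scan: tear down, never send the ACK
                    self.rst_after_synack[src] += 1
                    self.state.pop(key)
                elif flags & ACK:                    # phase 3: a real connection
                    self.state[key] = "established"

    def suspects(self):
        """Hosts whose scan-like events reach the threshold."""
        hosts = set(self.rst_after_synack) | set(self.closed_port_probes)
        return sorted(h for h in hosts if self.rst_after_synack[h] + self.closed_port_probes[h] >= self.threshold)


def constructed_traffic():
    """Constructed packets as (src_ip, dst_ip, tcp_header): one scanner, one ordinary client."""
    scanner, client, server = "203.0.113.9", "198.51.100.4", "192.0.2.10"
    pkts = []
    for i, port in enumerate((22, 80)):              # open ports: SYN, SYN/ACK, then RST from scanner
        cport = 40000 + i
        pkts.append((scanner, server, tcp_header(cport, port, 1000, 0, SYN)))
        pkts.append((server, scanner, tcp_header(port, cport, 5000, 1001, SYN | ACK)))
        pkts.append((scanner, server, tcp_header(cport, port, 1001, 0, RST)))
    for i, port in enumerate((23, 25, 443)):         # closed ports: SYN answered with RST/ACK
        cport = 40100 + i
        pkts.append((scanner, server, tcp_header(cport, port, 1000, 0, SYN)))
        pkts.append((server, scanner, tcp_header(port, cport, 0, 1001, RST | ACK)))
    pkts.append((client, server, tcp_header(51000, 22, 7000, 0, SYN)))          # full handshake
    pkts.append((server, client, tcp_header(22, 51000, 9000, 7001, SYN | ACK)))
    pkts.append((client, server, tcp_header(51000, 22, 7001, 9001, ACK)))
    return pkts


def run_detector(threshold=3):
    det = HalfOpenScanDetector(threshold)
    for src, dst, hdr in constructed_traffic():
        det.observe(src, dst, hdr)
    return det


if __name__ == "__main__":
    det = run_detector()
    for src, dst, hdr in constructed_traffic():
        print(f"{src} -> {dst}: {flag_names(parse_flags(hdr)[2])}")
    print("suspects:", det.suspects(), dict(det.rst_after_synack), dict(det.closed_port_probes))
```

The ordinary client finishes all three phases and is never counted; the scanner accumulates two SYN/ACK-then-RST events and three closed-port RST/ACKs and crosses the threshold. Counting the server's RST/ACK replies as well as the scanner's own RSTs matters because, as noted above, most applications only log on the final ACK, so the RST side of the exchange is where a half-open scan becomes visible.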


Performing nmap TCP SYN scans against devices that are not yours, or that you do not have explicit written permission to test, could be illegal in your country or the device's country. I (Anthony Burke, networkinferno.net) will not be held accountable or liable for any damages that occur.