[j-nsp] SYN/FIN ratio
Phil Shafer
phil at juniper.net
Sat Feb 27 15:28:50 EST 2010
Pavel Lunin writes:
>I tried to test it myself on a couple of enterprise edge routers,
>forwarding just about 30 Mbps each, and got a quite stable value of
>the FIN/SYN ratio -- approx 90%. The RST number is about 1.5% of SYNs.
Be aware that "tcp-flags" looks at the bits at a fixed offset in
the packet without checking to see that the packet is TCP. This
allows the protocol check to be performed once manually in a filter
chain instead of checking it automatically all the time, but it
does cause some confusion.
The fix is to add at the top of your filter:
    term accept-non-tcp {
        from {
            protocol-except tcp;
        }
        then accept;
    }
Also you may want to use:
tcp-flags "syn & !ack";
in term SYN to match only connection requests.
Thanks,
Phil
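A complete filter built around the two corrections in the reply above (the non-TCP guard term first, then "syn & !ack" for connection requests), as an added example that is not part of the original post. The filter name, counter names and the comments are my own assumptions; apply it as an input filter on the interface you want to measure.

```junos
firewall {
    family inet {
        filter count-tcp-flags {
            /* Guard term: tcp-flags tests bits at a fixed offset
               without checking the IP protocol, so every non-TCP
               packet must leave the filter before the flag terms. */
            term accept-non-tcp {
                from {
                    protocol-except tcp;
                }
                then accept;
            }
            /* Connection requests only: SYN set and ACK clear.
               A bare "syn" would also count the SYN-ACK replies. */
            term count-syn {
                from {
                    tcp-flags "syn & !ack";
                }
                then {
                    count tcp-syn;
                    accept;
                }
            }
            term count-fin {
                from {
                    tcp-flags fin;
                }
                then {
                    count tcp-fin;
                    accept;
                }
            }
            term count-rst {
                from {
                    tcp-flags rst;
                }
                then {
                    count tcp-rst;
                    accept;
                }
            }
            /* Remaining TCP traffic (data, pure ACKs) is accepted uncounted. */
            term accept-rest {
                then accept;
            }
        }
    }
}
```

Read the counters with "show firewall filter count-tcp-flags"; the FIN/SYN ratio discussed in the thread is then tcp-fin divided by tcp-syn, and the RST share is tcp-rst divided by tcp-syn.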
More information about the juniper-nsp mailing list