[j-nsp] SRX: rate-limiting source NAT sources

Pavel Lunin plunin at senetsy.ru
Tue Oct 30 12:36:08 EDT 2012
30.10.2012 01:55, Jonathan Lassoff wrote:
> Specific sources are mapped via NAT rules to specific egress IPs (for
> IP filtering in some places, outside of the SRXes in question).
>
> And once in a while, some endpoint will have a legitimate need to open
> up *many* connections (and then NAT states) that pass over this SRX
> deployment.
> Unfortunately, the rate of connection establishment relative to the
> application timeouts means that these heavy users can use up all of
> the ephemeral ports, blocking new flows from becoming established.
Looks like the session-limit SCREEN option is what you need:
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/topic-43929.html

It's applied per-zone, so if you want to apply different limits to
different NAT pools, you need to put users of different pools into
different zones. Otherwise you can only have a single setting for all
(maybe not that big an issue).

Older JUNOS versions (10.1 at least; I don't know when it changed, but it
looks like it did) applied source and dst-limits together, so if you
needed to only limit per-src you also had to explicitly configure the
dst-limit to the maximum number (which is platform dependent), otherwise
it would be applied with a very low default value. As of my quick check
with 11.4, it looks like this has changed and you can apply per-src
without caring about per-dst, but I might be missing something, so you'd
better test it.

It may also be a good idea to limit the rate of new sessions per second
with the tcp-syn knob. Be careful: most default screen option values are
for server-side protection and very, very rough, so they are completely
inapplicable in your case and must be adjusted for each particular scenario.

Another thing you might find useful is called aggressive-aging:
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-60842.htm
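Added example (not from the original message or Juniper's documentation): a set-style Junos configuration that puts the knobs discussed above together, assuming the "tcp-syn knob" refers to the tcp syn-flood screen. The zone name, screen name and every threshold are made-up placeholders to be tuned per deployment, and the `#` lines are annotations rather than configuration.

```junos
# 1. Per-source session limit: caps the number of concurrent sessions one
#    source IP may hold, so a single heavy user cannot exhaust the
#    ephemeral ports of its NAT pool.
set security screen ids-option nat-users-screen limit-session source-ip-based 2000

# On older releases the destination limit was applied together with the
# source limit and defaulted very low, so it had to be set explicitly to
# the platform maximum (placeholder value here; check the CLI range).
set security screen ids-option nat-users-screen limit-session destination-ip-based 50000

# 2. Rate of new TCP sessions per second (SYN flood screen). The defaults
#    are meant for protecting servers, so every threshold is tuned here.
set security screen ids-option nat-users-screen tcp syn-flood source-threshold 200
set security screen ids-option nat-users-screen tcp syn-flood destination-threshold 10000
set security screen ids-option nat-users-screen tcp syn-flood attack-threshold 1000
set security screen ids-option nat-users-screen tcp syn-flood alarm-threshold 1000
set security screen ids-option nat-users-screen tcp syn-flood timeout 20

# 3. Screens are attached per zone. Users of different NAT pools that
#    need different limits must therefore live in different zones, each
#    with its own ids-option.
set security zones security-zone nat-users screen nat-users-screen

# 4. Aggressive aging: once the session table passes the high watermark
#    (percent of capacity), sessions are aged out early-ageout seconds
#    sooner than their normal timeout until usage falls below the low
#    watermark, freeing stale NAT state faster under pressure.
set security flow aging high-watermark 90
set security flow aging low-watermark 80
set security flow aging early-ageout 20
```

After committing, `show security screen statistics zone nat-users` shows which limits are being hit, which is the quickest way to see whether the placeholder thresholds are too tight for legitimate heavy users.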