[j-nsp] SRX Screen not working

Luca Salvatore Luca at ninefold.com
Wed May 29 20:41:49 EDT 2013


Hi,
I have a screen applied to my untrust zone which limits the amount of sessions to a destination IP address to 10,000.  The config is below:

"set security screen ids-option untrust-screen limit-session destination-ip-based 10000"

However, we recently had an attack on one of our customers where there was around 400,000 sessions to a single IP address, as shown:

show security flow session summary destination-prefix 202.x.x.x
node1:
--------------------------------------------------------------------------

Valid sessions: 5
Pending sessions: 3
Invalidated sessions: 384356
Sessions in other states: 0
Total sessions: 384364

Any idea why the screen wasn't blocking this?
It is applied to the untrust zone, and it does block traffic such as port scans and sweeps, however in this case nothing happened.

Thanks,


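Added example (not part of Luca's post): the screen statement from the post, the zone binding that makes a screen active, and the show commands a practitioner would use to confirm the screen is attached and whether its counters moved during the attack. The screen name untrust-screen and zone name untrust are taken from the post; the rest is assumed typical configuration and not something the post states.

```junos
# Screen definition as in the post
set security screen ids-option untrust-screen limit-session destination-ip-based 10000

# A screen only acts once it is bound to a zone (assumed binding, matches the post's "applied to the untrust zone")
set security zones security-zone untrust screen untrust-screen

# Check whether the screen is in alarm-only mode; if this matches, the screen logs but does not drop
show configuration security screen ids-option untrust-screen | match alarm-without-drop

# Confirm the binding: the zone output should list "Screen: untrust-screen"
show security zones untrust

# Confirm the configured thresholds
show security screen ids-option untrust-screen

# Per-zone screen hit counters; the destination-based session-limit counter should increment
# if the screen fired during the attack
show security screen statistics zone untrust
```

The screen statistics for the zone are the quickest way to separate "screen never triggered" from "screen triggered but did not drop": a zero counter for the destination-based session limit points at the former.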