Does Juniper make a mistake in the process?

We have done a few tests of a UDP flood attack.
We set the Screen UDP threshold limit to 50K and added a firewall term that blocks the IP address of the attacker.
We checked whether the term is working or not; it is working. The attacker PC could not ping the victim PC.
Then we started the UDP flood attack, which directly sends 40-byte packets without hiding the IP address of the attack machine.
The simple code is given below.


According to the image given below, Juniper must apply the filter first and then the screen rules, so the attacker will be blocked by the firewall term and the session counter will not exceed the UDP threshold.
But that does not happen. The screen counter keeps on blocking. Why?


interfaces {
    xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                filter {
                    input BlokKural;
                    output blocked.IP;
                }
                address 37.123.100.122/29;
            }
        }
    }
}
policy-options {
    prefix-list block.zeusCC {
        43.255.180.0/24;
        43.255.184.0/24;
        43.255.190.0/24;
        43.255.191.0/24;
        61.168.229.0/24;
        182.100.64.0/24;
        182.100.67.0/24;
        185.9.156.2/32;
        218.65.24.0/24;
    }
    prefix-list unblock.zeusCC;
}
firewall {
    family inet {
        filter BlokKural {
            term 1 {
                from {
                    prefix-list {
                        block.zeusCC;
                        unblock.zeusCC except;
                    }
                }
                then {
                    count BlockedIP;
                    syslog;
                    discard;
                }
            }
            term 2 {
                from {
                    packet-length 0-30;
                    protocol udp;
                }
                then {
                    count jova;
                    log;
                    syslog;
                    discard;
                }
            }
            term 500 {
                then accept;
            }
        }
    }
}



(image: jsec-0801.png)


root@srx3600.spd.net.tr> show security screen statistics zone DisNetwork
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 0
  UDP flood                                  590128
  TCP winnuke                                0
  TCP port scan                              0
  ICMP address sweep                         0
  TCP sweep                                  0
  UDP sweep                                  0
  IP tear drop                               0
  TCP SYN flood                              0
  IP spoofing                                0
  ICMP ping of death                         0
  IP source route option                     0
  TCP land attack                            0
  TCP SYN fragment                           0
  TCP no flag                                0
  IP unknown protocol                        0
  IP bad options                             0
  IP record route option                     0
  IP timestamp option                        0
  IP security option                         0
  IP loose source route option               0
  IP strict source route option              0
  IP stream option                           0
  ICMP fragment                              0
  ICMP large packet                          0
  TCP SYN FIN                                0
  TCP FIN no ACK                             0
  Source session limit                       0
  TCP SYN-ACK-ACK proxy                      0
  IP block fragment                          0
  Destination session limit                  0


FireBallIT asked:

dpk_wal commented:
Please provide more details on the ingress and egress interfaces.
I am assuming xe-1/0/0 is an ingress interface facing the internet.

Have you tried changing the filter term match condition from prefix-list to source-address to see if that changes anything?

The details on FF (firewall filters) are listed in the links below:
http://kb.juniper.net/KB16685
http://www.juniper.net/techpubs/en_US/junos14.2/topics/concept/firewall-filter-types.html
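The following is an added example, not configuration from the thread or from Juniper: it shows the filter term rewritten to match the attacker by `source-address`, as the comment above suggests, together with the screen profile and zone binding the poster describes (a UDP flood threshold of 50K on zone DisNetwork, with the filter applied as input on xe-1/0/0). The term names, the screen profile name `flood-screen`, and the attacker address `192.0.2.10/32` are placeholders; the zone name, interface and filter name are taken from the question.

```junos
/* Added example: source-address match instead of prefix-list, plus the
   screen and zone binding. Placeholder names and address are assumptions. */
interfaces {
    xe-1/0/0 {
        unit 0 {
            family inet {
                filter {
                    input BlokKural;
                }
                address 37.123.100.122/29;
            }
        }
    }
}
firewall {
    family inet {
        filter BlokKural {
            term block-attacker {
                from {
                    /* 192.0.2.10/32 is a placeholder for the attacking host */
                    source-address {
                        192.0.2.10/32;
                    }
                }
                then {
                    count BlockedAttacker;
                    syslog;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
security {
    screen {
        /* profile name is assumed; 50000 is the 50K threshold the poster set */
        ids-option flood-screen {
            udp {
                flood threshold 50000;
            }
        }
    }
    zones {
        security-zone DisNetwork {
            screen flood-screen;
            interfaces {
                xe-1/0/0.0;
            }
        }
    }
}
```

To make the two counters comparable, clear both before the next test run (`clear firewall filter BlokKural` and `clear security screen statistics zone DisNetwork`), start the flood, then read `show firewall filter BlokKural` and `show security screen statistics zone DisNetwork` side by side: if the `BlockedAttacker` counter does not move at all while the UDP flood counter climbs, the flood is not reaching the interface the filter is bound to. That is the point of the commenter's ingress/egress question, and it is worth checking with `show interfaces xe-1/0/0 statistics` against the other interfaces, since the traffic statistics pasted later in the thread are for ge-0/0/1 while the filter is applied to xe-1/0/0.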

FireBallIT (author) commented:
That is the result of a flood from the same source IP.

Interface: ge-0/0/1, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                           Current delta
  Input bytes:                8882410078 (482358664 bps)        [473343620]
  Output bytes:                 99109988 (0 bps)                        [0]
  Input packets:               142247660 (972491 pps)             [7634523]
  Output packets:                 590560 (0 pps)                        [0]
Error statistics:
  Input errors:                        0                                [0]
  Input drops:                         0                                [0]
  Input framing errors:                0                                [0]
  Policed discards:                    0                                [0]
  L3 incompletes:                      0                                [0]
  L2 channel errors:                   0                                [0]
  L2 mismatch timeouts:                0                                [0]




Valid sessions: 112
Pending sessions: 562421
Invalidated sessions: 545656
Sessions in other states: 0
Total sessions: 1108189
Maximum sessions: 2359296

