6.5.4 Ensure TCP SYN/FIN is Set to Drop


TCP Segments which have both the SYN and FIN flags set should be dropped.


TCP packets that have both the SYN and FIN flags set are sometimes used by attackers to bypass Intrusion Detection Systems and firewalls, or to directly attack hosts on the target network. If patches are up to date, most systems are no longer vulnerable to this technique; however, there is no valid reason for a segment to carry both the SYN and FIN flags, so such traffic is almost certainly malicious or the result of an error and should never be processed.


There is no valid reason for a TCP Segment to have both SYN and FIN flags set.


Configure the router to drop TCP Segments containing both SYN and FIN flags by issuing the following command from the [edit system internet-options] hierarchy.

[edit system internet-options]
user@host# set tcp-drop-synfin-set

Default Value:

By default JUNOS does not drop TCP packets with both TCP SYN and FIN flags set.
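As an added example (not part of the benchmark and not Juniper's own tooling), the following Python helper shows both halves of this control: the flag test a device applies to decide whether a TCP segment carries SYN and FIN together, and a simple text check that a Junos configuration contains the tcp-drop-synfin-set statement. The sample TCP headers are constructed inline for the example; the configuration check is a plain line match and assumes the statement appears under [edit system internet-options] in either set-style or brace-style output.

```python
import struct

# TCP flag bits carried in byte 13 of the TCP header (RFC 793 layout).
FIN = 0x01
SYN = 0x02
RST = 0x04
ACK = 0x10

def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP header (IP header already removed)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 holds data offset/reserved bits; byte 13 holds CWR..FIN.
    return segment[13]

def is_synfin(segment: bytes) -> bool:
    """True when SYN and FIN are both set, the combination this control drops."""
    return tcp_flags(segment) & (SYN | FIN) == (SYN | FIN)

def find_synfin(segments):
    """Return the indices of segments that would be dropped by the control."""
    return [i for i, seg in enumerate(segments) if is_synfin(seg)]

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample data: a minimal 20-byte TCP header with no options."""
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def config_drops_synfin(config_text: str) -> bool:
    """Audit check: does the Junos configuration enable tcp-drop-synfin-set?
    Accepts 'show configuration | display set' output or brace-style output;
    this is a line match, not a full Junos parser (assumption for this example)."""
    for raw in config_text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if line == "set system internet-options tcp-drop-synfin-set":
            return True
        if line == "tcp-drop-synfin-set":
            return True
    return False

if __name__ == "__main__":
    samples = [
        build_tcp_header(40000, 22, SYN),        # normal connection request
        build_tcp_header(40000, 22, SYN | ACK),  # normal second handshake step
        build_tcp_header(40000, 22, SYN | FIN),  # invalid combination: dropped
        build_tcp_header(40000, 22, FIN | ACK),  # normal close
    ]
    print("dropped segment indices:", find_synfin(samples))
```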

Item Details


References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 30a0f592edec8cc93638cdb13136c1e2235cdf84aea7dbb3ba7b74a12380abf4