This message reports an event, not an error. It is generated by the Packet Forwarding Engine on routers running the JUNOS Software with enhanced services as it processes packets for security control in real time.
The problem related to this syslog message is described in the following sections:
The RT_SCREEN_TCP message is logged each time the Packet Forwarding Engine detects a suspected TCP attack.
When an RT_SCREEN_TCP event occurs, a message similar to one of the following is reported:
RT_IDS: RT_SCREEN_TCP: Port scan! source: 220.127.116.11:31235, destination: 18.104.22.168:95, zone name: scrzone, interface name: ge-6/0/0.
RT_IDS - RT_SCREEN_TCP [email@example.com attack-name="WinNuke attack!" source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0"] WinNuke attack! source: 2000:0:0:0:0:0:0:2:3240, destination: 2001:0:0:0:0:0:0:2:139, zone name: untrust, interface name: fe-0/0/2.0
RT_IDS - RT_SCREEN_TCP [firstname.lastname@example.org attack-name="SYN flood!" source-address="22.214.171.124" source-port="40001" destination-address="126.96.36.199" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] SYN flood! source: 188.8.131.52:40001, destination: 184.108.40.206:50010, zone name: trustZone, interface name: ge-0/0/1.0, action: drop
RT_IDS: RT_SCREEN_TCP: No TCP flag! source: 220.127.116.11:9069, destination: 18.104.22.168:34176, zone name: external, interface name: reth0.0
RT_IDS: RT_SCREEN_TCP: SYN flood Src-IP based! source: 22.214.171.124:44724, destination: 126.96.36.199:22, zone name: outside, interface name: reth0.0
This message is logged when the Packet Forwarding Engine detects one of several types of TCP attack packets. This is the intended behavior of the security control set up in the Packet Forwarding Engine. For example, security control can detect the following:
- Port scans
- SYN floods
- Lack of TCP flag in packet header
- Other known TCP attack types
Examine the following output to help determine the cause of this message:
show log messages
Look for any related events that occurred at or just before the RT_SCREEN_TCP message. For example, a recent commit may have opened up access to the device that is now allowing the TCP packets being reported.
This log message is not an error. Instead, the security control in the Packet Forwarding Engine is reporting the detection of a possible TCP attack that has an external origin.
Perform these steps:
- Consider setting up a firewall filter to stop the suspect packets.
- Verify the source that the packets are coming from, as they may be expected.
- If further assistance is needed, open a case with your technical support representative to investigate the issue.
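To help with verifying the source of the packets, the following added example (not part of the original article and not vendor code) parses both message formats shown above and counts events per source address and attack name. The sample lines, the structured-data ID in them, the function names, and the `expected_nets` parameter are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Trailing text common to both message formats (plain and structured-data).
SCREEN_RE = re.compile(
    r"(?P<attack>[^\]:!]+)! source: (?P<src>[^,\s]+), destination: (?P<dst>[^,\s]+), "
    r"zone name: (?P<zone>[^,]+), interface name: (?P<ifname>[^,\s]+)"
    r"(?:, action: (?P<action>\w+))?")

# Constructed sample lines (documentation address ranges, made-up SD-ID).
SAMPLE = [
    "RT_IDS: RT_SCREEN_TCP: Port scan! source: 192.0.2.10:31235, destination: 198.51.100.5:95, zone name: scrzone, interface name: ge-6/0/0.",
    'RT_IDS - RT_SCREEN_TCP [example@32473 attack-name="WinNuke attack!" source-address="2001:0db8:0000:0000:0000:0000:0000:0002" source-port="3240"] WinNuke attack! source: 2001:db8:0:0:0:0:0:2:3240, destination: 2001:db8:0:0:0:0:1:2:139, zone name: untrust, interface name: fe-0/0/2.0',
    "RT_IDS: RT_SCREEN_TCP: SYN flood! source: 203.0.113.7:40001, destination: 198.51.100.5:50010, zone name: trustZone, interface name: ge-0/0/1.0, action: drop",
    "RT_IDS: RT_SCREEN_TCP: Port scan! source: 192.0.2.10:31240, destination: 198.51.100.5:96, zone name: scrzone, interface name: ge-6/0/0.",
]

def split_endpoint(endpoint):
    """Split 'addr:port'. The port is the last colon-separated field, which
    is what keeps the IPv6 form '2001:db8:0:0:0:0:0:2:3240' unambiguous."""
    addr, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(addr), int(port)

def parse_screen_tcp(line):
    """Return a dict for an RT_SCREEN_TCP line, or None for anything else."""
    m = SCREEN_RE.search(line) if "RT_SCREEN_TCP" in line else None
    if m is None:
        return None
    try:
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
    except ValueError:
        return None  # malformed address or port
    return {"attack": m["attack"].strip(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "zone": m["zone"],
            "interface": m["ifname"].rstrip("."), "action": m["action"]}

def summarize(lines, expected_nets=()):
    """Count events per (source, attack), skipping sources in expected_nets."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    counts = Counter()
    for ev in filter(None, map(parse_screen_tcp, lines)):
        if any(ev["src"].version == n.version and ev["src"] in n for n in nets):
            continue  # source is one the operator already expects
        counts[(str(ev["src"]), ev["attack"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (src, attack), n in summarize(SAMPLE, expected_nets=["203.0.113.0/24"]):
        print(f"{n:4d}  {src}  {attack}")
```

Sources that remain in the summary after known networks are excluded are the candidates for a firewall filter.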