Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 704


Network and Security Manager Administration Guide
654
Table 58: Attack Counters (continued)

Item and Description

IP Strict Src
    The security device blocks packets where the IP option is 9 (Strict Source Routing). This option provides a means for the source of a packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option is a strict source route because the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route.

IP Stream
    The security device blocks packets where the IP option is 8 (Stream ID). This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept.

ICMP Frag
    An ICMP packet (protocol field set to ICMP) in which the fragment flag is set to 1 or a fragment offset is indicated.

Large ICMP
    An ICMP packet with a length greater than 1024 bytes.

SYN n FIN
    The SYN and FIN flags are not normally set in the same packet. However, an attacker can send a packet with both flags set to see what kind of reply is returned and thereby determine what kind of system is on the receiving end. The attacker can then use any known system vulnerabilities for further attacks. Enable this option to have the security device drop packets that have both the SYN and FIN bits set in the flags field.

FIN no ACK
    A TCP packet with FIN set but ACK not set in the flags field.

Mal URL
    When you enable Malicious URL Detection, the security device monitors each HTTP packet and detects any URL that matches any of several user-defined patterns. The security device automatically drops any such packet.

Limit Session
    Security devices can limit the number of sessions that can be established by a single IP address. For example, session resources on a Web server can be exhausted if there are many requests from the same client. This option defines the maximum number of sessions the security device can establish per second for a single IP address. (The default threshold is 128 sessions per second per IP address.)

Block Frag
    As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based upon the network's maximum transmission unit (MTU). IP fragments may carry an attacker's attempt to exploit vulnerabilities in the packet reassembly code of specific IP stack implementations. When the target system receives these packets, the results range from not processing the packets correctly to crashing the entire system. When you enable the security device to deny IP fragments on a security zone, the security device blocks all IP packet fragments that it receives at interfaces bound to that zone.

Zone
    The name of the zone associated with the attack.
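The header-level conditions in Table 58 map directly onto a few fields of the IPv4, TCP and ICMP headers, and the session limit onto a per-source rate counter. The following added example (written for this page, not Juniper or ScreenOS code) parses a raw IPv4 packet and returns the names of the counters it would increment, then models Limit Session as a one-second sliding window per source IP. It assumes the "IP option is 8 / 9" wording refers to the option number in the low five bits of the option type byte, that "ICMP length" means the IP total length minus the IP header, and that the session limit behaves as a simple sliding window; Mal URL is not covered because its patterns are user-defined. The sample packets are constructed inline.

```python
import struct
from collections import defaultdict, deque

# Values stated in Table 58: option numbers 8 and 9, 1024-byte ICMP limit,
# default 128 sessions per second per source IP.
IP_OPT_STREAM_ID = 8
IP_OPT_STRICT_SRC = 9
PROTO_ICMP = 1
PROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
LARGE_ICMP_BYTES = 1024
DEFAULT_SESSION_LIMIT = 128


def ip_option_numbers(options):
    """Yield the option number (low 5 bits of the type byte; the copied and
    class bits are masked off) of each IPv4 option. Stops at End of Option
    List or at a truncated/malformed entry rather than reading past it."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return
        if kind == 1:                      # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return                         # truncated option or bad length
        yield kind & 0x1F
        i += options[i + 1]


def classify_packet(pkt):
    """Return the Table 58 counters a raw IPv4 packet would increment.
    Raises ValueError when the header is too short or malformed to parse."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _ident, frag_word, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IP version or header length")
    more_frag = bool(frag_word & 0x2000)
    frag_offset = frag_word & 0x1FFF
    is_fragment = more_frag or frag_offset != 0
    opt_nums = set(ip_option_numbers(pkt[20:ihl]))

    hits = []
    if IP_OPT_STRICT_SRC in opt_nums:
        hits.append("IP Strict Src")
    if IP_OPT_STREAM_ID in opt_nums:
        hits.append("IP Stream")
    if is_fragment:
        hits.append("Block Frag")          # any fragment, any protocol
    if proto == PROTO_ICMP:
        if is_fragment:
            hits.append("ICMP Frag")
        # Assumption: ICMP length = IP total length minus the IP header.
        if total_len - ihl > LARGE_ICMP_BYTES:
            hits.append("Large ICMP")
    elif proto == PROTO_TCP and frag_offset == 0 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13]              # TCP flags byte is at offset 13
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append("SYN n FIN")
        if flags & TCP_FIN and not flags & TCP_ACK:
            hits.append("FIN no ACK")
    return hits


class SessionLimiter:
    """Limit Session modelled as a per-source-IP one-second sliding window
    (an assumption; the guide only states the threshold). allow() returns
    False when the new session would exceed the threshold."""
    def __init__(self, threshold=DEFAULT_SESSION_LIMIT):
        self.threshold = threshold
        self._starts = defaultdict(deque)

    def allow(self, src_ip, now):
        q = self._starts[src_ip]
        while q and now - q[0] >= 1.0:     # drop sessions older than 1 s
            q.popleft()
        if len(q) >= self.threshold:
            return False
        q.append(now)
        return True


def build_ipv4(proto, payload, options=b"", frag_word=0):
    """Constructed minimal IPv4 packet for testing (checksum left at zero;
    the classifier does not verify it)."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, frag_word, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def tcp_header(flags):
    """Constructed 20-byte TCP header carrying the given flags byte."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample packets, one per counter the classifier covers.
SAMPLES = {
    "plain SYN": build_ipv4(PROTO_TCP, tcp_header(TCP_SYN)),
    "SYN+FIN": build_ipv4(PROTO_TCP, tcp_header(TCP_SYN | TCP_FIN)),
    "FIN only": build_ipv4(PROTO_TCP, tcp_header(TCP_FIN)),
    "strict source route": build_ipv4(PROTO_TCP, tcp_header(TCP_SYN),
                                      options=bytes([137, 7, 4, 10, 0, 0, 3])),
    "stream id": build_ipv4(PROTO_TCP, tcp_header(TCP_SYN),
                            options=bytes([136, 4, 0, 1])),
    "large ICMP": build_ipv4(PROTO_ICMP, b"\x08\x00" + b"\x00" * 6 + b"A" * 1100),
    "ICMP fragment": build_ipv4(PROTO_ICMP, b"\x08\x00" + b"\x00" * 6,
                                frag_word=0x2000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} -> {classify_packet(pkt)}")
```

Note that a SYN+FIN packet trips both SYN n FIN and FIN no ACK, and an ICMP fragment trips both Block Frag and ICMP Frag, which is why the counters in the table are listed separately: Block Frag applies to every protocol, while ICMP Frag is the ICMP-specific subset.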
Copyright © 2010, Juniper Networks, Inc.
