IP and TCP/IP Anomaly Detection - Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide Rev 01 Manual

Configuring ScreenOS Devices Guide
IP and TCP/IP Anomaly Detection

Copyright © 2010, Juniper Networks, Inc.

Table 17: Detection and Blocking Settings

Setting: IP Address Spoof Protection
Description: Attackers can insert a bogus source address in a packet header to make the packet appear to come from a trusted source. When the interfaces in the zone operate in Route or NAT mode, the security device relies on route table entries to identify IP spoofing attempts. When the interfaces in the zone operate in Transparent mode, the security device relies on address book entries to identify IP spoofing attempts.
To enable interface-based IP spoofing protection, configure the security device to drop packets that have source IP addresses that do not appear in the route table.
To enable zone-based IP spoofing protection (supported on devices running ScreenOS 5.2), configure the security device to drop packets whose source IP addresses do not appear in the selected zone. If you are routing traffic between two interfaces in the same zone, you should leave this option disabled (unchecked).

Setting: IP Address Sweep Protection
Description: An address sweep occurs when one source IP address sends 10 ICMP packets to different hosts within a defined interval. If a host responds with an echo request, attackers have successfully discovered a target IP address. You can configure the security device to monitor ICMP packets from one remote source to multiple addresses. For example, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), the security device rejects the 11th and all further ICMP packets from that host for the remainder of that second.

Setting: Port Scan Protection
Description: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). If a port responds with an available service, attackers have discovered a service to target. You can configure the security device to monitor TCP SYN segments from one remote source to multiple addresses. For example, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the security device rejects all further packets from the remote source for the remainder of that second.
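The three checks in Table 17 as an added example written for this page, not code from Juniper or ScreenOS. It models the sweep and port-scan thresholds as a count of distinct destination hosts (or destination ports on one host) seen from a single source inside a sliding 5000-microsecond window, rejects the 11th and blocks the source until the end of the current second, and treats a source address covered by no route-table entry as spoofed. That counting model, the route table and every packet record are assumptions constructed for the demo rather than a description of how ScreenOS implements the screens.

```python
"""Added example, not from the Juniper guide: a model of the address sweep,
port scan and IP spoof checks described in Table 17. The sliding-window
counting, the "block until the end of the second" rule and the route-table
check are assumptions made for this demo, not ScreenOS's implementation."""
from collections import defaultdict
import ipaddress

SWEEP_THRESHOLD = 10    # distinct ICMP destination hosts from one source
SCAN_THRESHOLD = 10     # distinct TCP SYN destination ports on one host
WINDOW_US = 5000        # the 5000-microsecond default interval from the table
SECOND_US = 1_000_000   # blocks last for the remainder of the current second


class AnomalyDetector:
    def __init__(self, route_table):
        # Assumption: a source address covered by no route-table entry is spoofed.
        self.routes = [ipaddress.ip_network(p) for p in route_table]
        self.icmp_dsts = defaultdict(list)   # src -> [(t_us, dst)]
        self.syn_ports = defaultdict(list)   # (src, dst) -> [(t_us, dport)]
        self.sweep_block_until = {}          # src -> t_us
        self.scan_block_until = {}           # src -> t_us

    @staticmethod
    def _prune(events, now_us):
        # keep only events inside the 5000-microsecond window ending now
        events[:] = [e for e in events if now_us - e[0] <= WINDOW_US]

    @staticmethod
    def _end_of_second(t_us):
        return (t_us // SECOND_US + 1) * SECOND_US

    @staticmethod
    def _blocked(table, key, now_us):
        return key in table and now_us < table[key]

    def is_spoofed(self, src):
        ip = ipaddress.ip_address(src)
        return not any(ip in net for net in self.routes)

    def process(self, pkt):
        """pkt: constructed dict with t_us, src, dst, proto ('icmp'/'tcp'),
        and for TCP also syn (bool) and dport. Returns 'allow' or 'drop:<reason>'."""
        t, src, dst = pkt["t_us"], pkt["src"], pkt["dst"]
        if self.is_spoofed(src):
            return "drop:spoof"
        # a port-scan block rejects every packet from that source, not only SYNs
        if self._blocked(self.scan_block_until, src, t):
            return "drop:port-scan"
        if pkt["proto"] == "icmp":
            if self._blocked(self.sweep_block_until, src, t):
                return "drop:sweep"
            ev = self.icmp_dsts[src]
            self._prune(ev, t)
            ev.append((t, dst))
            if len({d for _, d in ev}) > SWEEP_THRESHOLD:   # the 11th host
                self.sweep_block_until[src] = self._end_of_second(t)
                return "drop:sweep"
        elif pkt["proto"] == "tcp" and pkt.get("syn"):
            ev = self.syn_ports[(src, dst)]
            self._prune(ev, t)
            ev.append((t, pkt["dport"]))
            if len({p for _, p in ev}) > SCAN_THRESHOLD:    # the 11th port
                self.scan_block_until[src] = self._end_of_second(t)
                return "drop:port-scan"
        return "allow"


def run_demo():
    """Run constructed traffic through the detector and return the verdicts."""
    det = AnomalyDetector(["10.1.0.0/16", "192.0.2.0/24"])
    r = {}
    # 11 pings to 11 different hosts, 100 us apart: the 11th is rejected
    r["sweep"] = [det.process({"t_us": 100 * i, "src": "192.0.2.9",
                               "dst": f"10.1.1.{i}", "proto": "icmp"})
                  for i in range(1, 12)]
    # 11 SYNs to 11 ports on one host, 200 us apart: the 11th is rejected
    r["scan"] = [det.process({"t_us": 200 * i, "src": "192.0.2.77", "dst": "10.1.1.50",
                              "proto": "tcp", "syn": True, "dport": i})
                 for i in range(1, 12)]
    # the scanner stays blocked for the rest of that second, even for non-SYN traffic
    r["scan_followup"] = det.process({"t_us": 900_000, "src": "192.0.2.77", "dst": "10.1.1.50",
                                      "proto": "tcp", "syn": False, "dport": 80})
    r["scan_next_second"] = det.process({"t_us": 1_000_001, "src": "192.0.2.77", "dst": "10.1.1.50",
                                         "proto": "tcp", "syn": False, "dport": 80})
    # the same 11 ports probed 1000 us apart never fit 10 into one window
    r["slow_scan"] = [det.process({"t_us": 1000 * i, "src": "192.0.2.78", "dst": "10.1.1.50",
                                   "proto": "tcp", "syn": True, "dport": i})
                      for i in range(1, 12)]
    # a source with no route-table entry is dropped as spoofed
    r["spoof"] = det.process({"t_us": 5, "src": "203.0.113.4", "dst": "10.1.1.1", "proto": "icmp"})
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The slow-scan case is the one to note: the same eleven ports probed 1000 microseconds apart are all allowed, because no ten of them ever fall inside one 5000-microsecond window. A threshold-and-interval screen like this one catches fast sweeps and scans; slower probing has to be caught by correlation elsewhere.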
Related Documentation
  Configuring Flood Defense Settings for Preventing Attacks on page 41
  IP and TCP/IP Anomaly Detection on page 45
  Prevention of Security Zones Using Denial of Service Attacks on page 47
The Internet Protocol standard, RFC 791 (Internet Protocol), specifies a set of eight options that provide special routing controls, diagnostic tools, and security. Attackers can misconfigure IP options to evade detection mechanisms and/or perform reconnaissance on a network.
To detect (and block) anomalous IP fragments as they pass through the zone, configure the settings as described in Table 18 on page 46.
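The IP options the paragraph refers to are carried in the variable part of the IPv4 header, and a screen has to walk that options list before it can decide whether a packet is anomalous. As an added example (not code from the Juniper guide or from ScreenOS), the parser below extracts the options from an IPv4 header, names each of the eight RFC 791 option types, and reports the malformations a defender cares about: an IHL that does not match the header, an option length below 2 or running past the header, an option with no length byte, and option types outside RFC 791. The header builder and all sample headers are constructed for the demo; the checksum is left at zero.

```python
"""Added example, not from the Juniper guide: parse the options field of an
IPv4 header, name the RFC 791 options present and flag malformed encodings.
All headers below are constructed for the demo (checksum left zero)."""
import struct

# The eight options defined in RFC 791 (option type byte -> name)
RFC791_OPTIONS = {
    0: "End of Option List",
    1: "No Operation",
    130: "Security",
    131: "Loose Source Routing",
    137: "Strict Source Routing",
    7: "Record Route",
    136: "Stream ID",
    68: "Internet Timestamp",
}
SINGLE_BYTE = {0, 1}   # options that carry no length field


def parse_ipv4_options(header: bytes):
    """Return (options, anomalies). options is a list of (type, name, data);
    anomalies is a list of strings describing why the header looks malformed."""
    anomalies = []
    if len(header) < 20:
        return [], ["header shorter than 20 bytes"]
    version = header[0] >> 4
    ihl = (header[0] & 0x0F) * 4
    if version != 4:
        anomalies.append(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(header):
        anomalies.append(f"IHL {ihl} inconsistent with header length {len(header)}")
        return [], anomalies
    opts = header[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        t = opts[i]
        name = RFC791_OPTIONS.get(t, "not an RFC 791 option")
        if t not in RFC791_OPTIONS:
            anomalies.append(f"option type {t} is not one of the eight RFC 791 options")
        if t in SINGLE_BYTE:
            found.append((t, name, b""))
            i += 1
            if t == 0:
                break   # End of Option List: the remaining bytes are padding
            continue
        if i + 1 >= len(opts):
            anomalies.append(f"option {t} truncated (no length byte)")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            anomalies.append(f"option {t} has bad length {length}")
            break
        found.append((t, name, opts[i + 2:i + length]))
        i += length
    return found, anomalies


def option_names(header: bytes):
    """Names of the options present, ignoring End of Option List padding."""
    found, _ = parse_ipv4_options(header)
    return [name for t, name, _data in found if t != 0]


def build_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (src 192.0.2.1 -> dst 10.1.1.1) carrying options."""
    pad = (-len(options)) % 4            # options field is padded to 32-bit words
    opts = options + b"\x00" * pad
    ihl = (20 + len(opts)) // 4
    base = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts) + 8,
                       1, 0, 64, 1, 0, bytes([192, 0, 2, 1]), bytes([10, 1, 1, 1]))
    return base + opts


if __name__ == "__main__":
    # constructed loose source route option: type 131, length 7, pointer 4, one hop
    lsrr = build_header(bytes([131, 7, 4, 10, 1, 1, 254]))
    print(option_names(lsrr), parse_ipv4_options(lsrr)[1])
    # constructed record route option with an impossible length of 1
    print(parse_ipv4_options(build_header(bytes([7, 1]))))
```

Stopping at the first bad length rather than trying to resynchronise is deliberate: once a length field is wrong there is no reliable way to know where the next option starts, and a screen only needs to know that the header is malformed to act on it.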
Chapter 3: Network Settings
45