Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 72
Configuring ScreenOS Devices Guide
Table 20: Security Zones Prevention using DoS (continued)

Columns: Security Zones Setting | Options | Your Action (no Options are listed for the settings on this page)

Security Zones Setting: Teardrop Attack Protection
Your Action: Select this option to block teardrop attack packets, which are designed to exploit vulnerabilities in the reassembly of fragmented IP packets. In the IP header, the fragment offset field indicates the starting position, or "offset," of the data contained in a fragmented packet relative to the data of the original unfragmented packet. When the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash.

Security Zones Setting: Block ICMP Fragments
Your Action: Select this option to block ICMP packets with the More Fragments flag set or with a nonzero value in the fragment offset field. ICMP packets are typically very short messages containing error reports or network probe information. Because ICMP packets do not carry large payloads, they should not be fragmented.

Security Zones Setting: Block Large ICMP Packets
Your Action: Select this option to block ICMP packets larger than 1024 bytes. ICMP packets are typically very short messages containing error reports or network probe information; a large ICMP packet is suspicious.

Security Zones Setting: Block IP Packet Fragments
Your Action: Select this option to block IP fragments destined for interfaces in the security zone. As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based upon the maximum transmission unit (MTU) of each network. Attackers can use IP fragments to exploit vulnerabilities in the packet reassembly code of specific IP stack implementations.

Security Zones Setting: Land Attack Protection
Your Action: Select this option to block land attacks, which combine a SYN flood with IP spoofing. Attackers initiate a land attack by sending spoofed SYN packets that contain the IP address of the target as both the destination and source IP address. The target responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached; in time, these empty connections overwhelm the system.

Security Zones Setting: SYN-ACK-ACK Proxy Protection
Your Action: Select this option and configure a threshold to prevent SYN-ACK-ACK sessions from flooding the security device session table. After successfully receiving a login prompt from the security device, attackers can continue initiating SYN-ACK-ACK sessions, flooding the security device session table and causing the device to reject legitimate connection requests. When proxy protection is enabled and the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the security device rejects further connection requests from that IP address. By default, the threshold is 512 connections from any single IP address; you can customize this threshold (1 to 250,000) to meet your networking requirements.

Security Zones Setting: Source IP-Based Session Limit
Your Action: Select this option and configure a threshold to limit the number of concurrent sessions from the same source IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements.

Security Zones Setting: Destination IP-Based Session Limit
Your Action: Select this option and configure a threshold to limit the number of concurrent sessions to the same destination IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements.

Related Documentation
IP and TCP/IP Anomaly Detection on page 45
Protection Against Scans, Spoofs, and Sweeps on page 44
Predefined Screen Options Overview on page 40

48
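As an added illustration, not Juniper's code or the ScreenOS implementation, the following Python models how the zone screens in Table 20 would classify packets, using the table's stated defaults (1024-byte ICMP limit, 128 sessions per source or destination IP); the SYN-ACK-ACK proxy check is omitted because it needs proxy state, and the Packet records and verdict names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Defaults quoted in Table 20 (constructed model, not ScreenOS code)
ICMP_LARGE_BYTES = 1024   # Block Large ICMP Packets threshold
SRC_SESSION_LIMIT = 128   # Source IP-Based Session Limit default
DST_SESSION_LIMIT = 128   # Destination IP-Based Session Limit default

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    length: int             # bytes of data carried (IP payload)
    frag_offset: int = 0    # IP fragment offset, in 8-byte units
    more_frags: bool = False
    syn: bool = False       # TCP SYN flag

class ZoneScreen:
    """Applies the zone's DoS screens to each packet and returns a verdict."""
    def __init__(self, block_all_fragments=False):
        self.block_all_fragments = block_all_fragments
        self.src_sessions = Counter()
        self.dst_sessions = Counter()
        self.frag_ranges = {}   # (src, dst) -> [(start, end)] of fragments seen

    def check(self, p):
        is_frag = p.more_frags or p.frag_offset > 0
        if p.syn and p.src == p.dst:          # Land Attack Protection
            return "land"
        if p.proto == "icmp" and is_frag:     # Block ICMP Fragments
            return "icmp-fragment"
        if p.proto == "icmp" and p.length > ICMP_LARGE_BYTES:
            return "icmp-large"               # Block Large ICMP Packets
        if is_frag and self.block_all_fragments:
            return "block-frag"               # Block IP Packet Fragments
        if is_frag:                           # Teardrop Attack Protection:
            start = p.frag_offset * 8         # drop a fragment whose data
            end = start + p.length            # overlaps one already seen
            seen = self.frag_ranges.setdefault((p.src, p.dst), [])
            if any(start < e and s < end for s, e in seen):
                return "tear-drop"
            seen.append((start, end))
        if self.src_sessions[p.src] >= SRC_SESSION_LIMIT:
            return "source-session-limit"
        if self.dst_sessions[p.dst] >= DST_SESSION_LIMIT:
            return "destination-session-limit"
        self.src_sessions[p.src] += 1         # passed: count the new session
        self.dst_sessions[p.dst] += 1
        return "pass"
```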
Copyright © 2010, Juniper Networks, Inc.