Table of Contents
Advertisement
RX3041H User's Manual
Field
IP Unaligned Time
Stamp
Sequence Number
Prediction Check
Sequence Number
Out of Range Check
ICMP Verbose
Maximum IP
Fragment Count
Minimum IP
Fragment Size
9.7.3.2
Configuring DoS Settings
By default, your network is protected against the attacks listed in the DoS Attack Protection List table, as
shown in Figure 9.16. You may check or uncheck individual option to enable or disable additional protection
against specific type of attack.
Description
PORT command in the FTP protocol. An attacker can establish a
connection between the FTP server machine and an arbitrary port on
another system. This connection may be used to bypass access controls
that would otherwise apply.
Check or un-check this option to enable or disable protection against
unaligned IP time stamp attack. Certain operating systems will crash if they
receive a frame with the IP timestamp option that isn't aligned on a 32-bit
boundary.
Check or un-check this option to enable or disable protection against TCP
sequence number prediction attacks. For TCP packets, sequence number is
used to guard against accidental receipt of unintended data and malicious
use by the attackers if the ISN (Initial Sequence Number) is generated
randomly. Forged packets w/ valid sequence numbers can be used to gain
trust from the receiving host. Attackers can then gain access to the
compromised system. Note that this attack affects only the TCP packets
originated or terminated at the RX3041H.
Check or un-check this option to enable or disable protection against TCP
out of range sequence number attacks. An attacker can send a TCP packet
to cause an intrusion detection system (IDS) to become unsynchronized
with the data in a connection. Subsequent frames sent in that connection
may then be ignored by the IDS. This may indicate an unsuccessful attempt
to hijack a TCP session.
Check or un-check this option to enable or disable protection against ICMP
error message attacks. ICMP messages can be used to flood your network
w/ undesired traffic. By default, this option is enabled.
Enter the maximum number of fragments the Firewall should allow for every
IP packet. This option is required if your connection to the ISP is through
PPPoE. This data is used during transmission or reception of IP fragments.
When large sized packets are sent via the RX3041H, the packets are
chopped into fragments as large as MTU (Maximum Transmission Unit). By
default, this number is set to 45. If MTU of the interface is 1500 (default for
Ethernet), then there can be a maximum of 45 fragments per IP packet. If
the MTU is less, then there can be more number of fragments and this
number should be increased.
Enter the Minimum size of IP fragments to be allowed through Firewall. This
limit will not be enforced on the last fragment of the packet. If the Internet
traffic is such that it generates many small sized fragments, this value can
be decreased. This can be found if there are lots of packet loss, degradation
in speed and if the following log message is generated very often:"fragment
of size less than configured minimum fragment size detected".
Chapter 9. Configuring Firewall/NAT Settings
67
Advertisement
Table of Contents
