Understanding IDS Screens for Network Attack Protection
Intrusion Detection Services
Intrusion detection services (IDS) screens give you a way to identify and drop traffic that is part of a network attack.
In an IDS screen, you can specify:
The limits on the number of sessions that originate from individual sources or that terminate at individual destinations
The types of suspicious packets
You can also choose to log an alarm when an IDS screen identifies a packet, rather than drop the packet.
In addition to IDS screens, you can use firewall filters and policers to stop illegal TCP flags and other bad flag combinations, and to specify general rate limiting (see the Routing Policies, Firewall Filters, and Traffic Policers User Guide). IDS screens add a more granular level of filtering.
Use firewall filters and stateful firewall filters to filter out traffic that does not need to be processed by an IDS screen.
Session Limits
You can use IDS screens to set session limits for traffic from an individual source or to an individual destination. This protects against network probing and flooding attacks. Traffic that exceeds the session limits is dropped. You can specify session limits either for traffic with a particular IP protocol, such as ICMP, or for traffic in general.
You decide whether the limits apply to individual addresses or to an aggregation of traffic from individual subnets of a particular prefix length. For example, if you aggregate limits for IPv4 subnets with a prefix length of 24, traffic from 192.0.2.2 and 192.0.2.3 is counted against the limits for the 192.0.2.0/24 subnet.
Some common network probing and flooding attacks that session limits protect against include:
Attack | Description
--- | ---
ICMP address sweep | The attacker sends ICMP echo request probes (pings) to many targets. Every target that replies reveals that its IP address is live.
ICMP flood | The attacker floods a target machine with a large number of ICMP packets from one or more source IP addresses. The target uses up its resources processing those ICMP packets and can no longer handle valid traffic.
TCP port scan | The attacker sends TCP SYN packets from one source to multiple destination ports on the target machine. Each port that answers with a SYN-ACK tells the attacker that the port is open.
TCP SYN flood | The attacker floods a target machine with a large number of TCP SYN packets from one or more source IP addresses. The attacker might use real source addresses, in which case the handshakes complete, or spoofed source addresses, in which case the connections stay half-open. The target creates state for every completed and half-open connection, uses up its resources managing that state, and can no longer handle valid traffic.
UDP flood | The attacker floods a target machine with a large number of UDP packets from one or more source IP addresses. The target uses up its resources processing those UDP packets and can no longer handle valid traffic.
Session limits for traffic from a source or to a destination include:
maximum number of concurrent sessions
maximum number of packets per second
maximum number of connections per second
IDS screens also install a dynamic filter on the PFEs of the line cards for suspicious activity when both of the following conditions occur:
Either the packets per second or the number of connections per second for an individual source or destination address exceeds four times the session limit in the IDS screen. (Dynamic filters are not created from IDS screens that use subnet aggregation.)
The services card CPU utilization percentage exceeds a configured value (default value is 90 percent).
The dynamic filter drops the suspicious traffic at the PFE, without the traffic being processed by the IDS screen. When the packet or connection rate no longer exceeds four times the limit in the IDS screen, the dynamic filter is removed.
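The following Python model is added here to make the session-limit and dynamic-filter behaviour described above concrete; it is not code from this page or from Junos. It tracks per-source concurrent sessions, connections per second and packets per second, optionally aggregates sources by a prefix length (as in the 192.0.2.0/24 example), and installs a simulated PFE filter once a per-second rate exceeds four times the limit while the card CPU is above the threshold. The class and field names, the one-second counting windows, and the rule that an installed filter is re-evaluated on the next second with traffic are assumptions of this model, not documented Junos behaviour; the traffic in `demo()` is constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# From the text: the dynamic filter needs a per-second rate above four times the
# configured limit and a services-card CPU above the threshold (default 90%).
DYNAMIC_FILTER_MULTIPLIER = 4


@dataclass(frozen=True)
class SessionLimit:
    maximum_sessions: int   # concurrent sessions allowed per source key
    session_rate: int       # new connections per second per source key
    packet_rate: int        # packets per second per source key


class SourceSessionLimiter:
    """Illustrative by-source session limiting (assumed names, not Junos code)."""

    def __init__(self, limit, prefix_mask=None, cpu_threshold=90, alarm_without_drop=False):
        self.limit = limit
        self.prefix_mask = prefix_mask          # None = per address, 24 = per /24
        self.cpu_threshold = cpu_threshold
        self.alarm_without_drop = alarm_without_drop
        self.sessions = defaultdict(int)                            # key -> open sessions
        self.packets = defaultdict(lambda: defaultdict(int))        # key -> second -> packets
        self.new_sessions = defaultdict(lambda: defaultdict(int))   # key -> second -> new conns
        self.last_second = {}
        self.dynamic_filters = set()            # keys currently dropped at the PFE

    def key(self, addr):
        # With aggregation, every host in the subnet counts against one limit.
        ip = ipaddress.ip_address(addr)
        if self.prefix_mask is None:
            return str(ip)
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_mask}", strict=False))

    def _over_multiple(self, key, second):
        cap = DYNAMIC_FILTER_MULTIPLIER
        return (self.packets[key][second] > cap * self.limit.packet_rate
                or self.new_sessions[key][second] > cap * self.limit.session_rate)

    def _roll(self, key, second):
        # Assumption of the model: on the first packet of a new second, an installed
        # filter is kept only if the previous second with traffic was still above 4x.
        last = self.last_second.get(key)
        if last is not None and second > last and key in self.dynamic_filters:
            if not self._over_multiple(key, last):
                self.dynamic_filters.discard(key)
        self.last_second[key] = second

    def packet(self, src, second, new_session=False, cpu_util=0):
        key = self.key(src)
        self._roll(key, second)
        self.packets[key][second] += 1
        if new_session:
            self.new_sessions[key][second] += 1
        # PFE stage: filtered traffic never reaches the screen.
        if key in self.dynamic_filters:
            return "drop-pfe"
        if (self.prefix_mask is None and cpu_util > self.cpu_threshold
                and self._over_multiple(key, second)):
            self.dynamic_filters.add(key)       # no dynamic filters when aggregating
            return "drop-pfe"
        # Screen stage: per-second rates, then the concurrent-session ceiling.
        verdict = "permit"
        if self.packets[key][second] > self.limit.packet_rate:
            if not self.alarm_without_drop:
                return "drop"
            verdict = "alarm"
        if new_session:
            over = (self.new_sessions[key][second] > self.limit.session_rate
                    or self.sessions[key] >= self.limit.maximum_sessions)
            if over and not self.alarm_without_drop:
                return "drop"
            self.sessions[key] += 1             # alarm-only mode still admits the session
            if over:
                verdict = "alarm"
        return verdict

    def close(self, src):
        key = self.key(src)
        if self.sessions[key] > 0:
            self.sessions[key] -= 1


def demo():
    """Constructed traffic run through the model; returns the verdicts."""
    limit = SessionLimit(maximum_sessions=2, session_rate=3, packet_rate=10)
    per_host = SourceSessionLimiter(limit)
    opens = [per_host.packet("192.0.2.2", 0, new_session=True) for _ in range(3)]
    flood = [per_host.packet("203.0.113.9", 1, cpu_util=95) for _ in range(45)]
    after = [per_host.packet("203.0.113.9", s) for s in (2, 3)]
    per_subnet = SourceSessionLimiter(limit, prefix_mask=24)
    subnet = [per_subnet.packet(h, 5, cpu_util=95)
              for h in ["192.0.2.2"] * 30 + ["192.0.2.3"] * 30]
    alarm_only = SourceSessionLimiter(limit, alarm_without_drop=True)
    alarms = [alarm_only.packet("198.51.100.7", 0) for _ in range(12)]
    return {"opens": opens, "flood": flood, "after": after,
            "subnet_key": per_subnet.key("192.0.2.3"),
            "subnet_permits": subnet.count("permit"),
            "subnet_pfe_drops": subnet.count("drop-pfe"),
            "alarms": alarms}
```

In `demo()`, the third connection from one host is dropped by the concurrent-session ceiling, the 45-packet flood is dropped by the screen after packet 10 and handed to the PFE filter after packet 40 (four times the limit), and the filter is lifted once a whole second passes below that multiple. With `/24` aggregation the two hosts share a single counter and no PFE filter is ever installed, matching the caveat in the text.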
Suspicious Packet Patterns
You can use IDS screens to identify and drop traffic with a suspicious packet pattern. This protects against attackers that craft unusual packets to launch denial-of-service attacks.
Suspicious packet patterns and attacks that you can specify in an IDS screen are:
Attack | Description
--- | ---
ICMP fragmentation attack | The attacker sends the target ICMP packets that are IP fragments. These are suspicious because ICMP packets are usually short. When the target receives them, the results range from processing the packets incorrectly to crashing the entire system.
Malformed ICMPv6 packets | Malformed ICMPv6 packets can damage the device and the network. Examples are packets that are too big (ICMPv6 message type 2), packets whose next header is set to Routing (43), and packets whose routing header is set to hop-by-hop.
ICMP large packet attack | The attacker sends the target ICMP frames with an IP length greater than 1024 bytes. These are suspicious because most ICMP messages are small.
Ping of death attack | The attacker sends the target fragmented ICMP ping packets whose IP datagram length (ip_len) exceeds the maximum legal length of 65,535 bytes for an IP packet. When the target attempts to reassemble the fragments, a buffer overflow might occur, resulting in the system crashing, freezing, or restarting.
Bad option attack | The attacker sends the target packets with incorrectly formatted IPv4 options or IPv6 extension headers. This can cause unpredictable problems, depending on the IP stack implementation of the routers and the target.
Fragmented IP packets | IP fragments might carry an attacker's attempt to exploit vulnerabilities in the packet reassembly code of specific IP stack implementations. When the target receives these packets, the results range from processing the packets incorrectly to crashing the entire system.
IPv6 extension headers | Attackers can misuse extension headers for denial-of-service attacks or to bypass filters.
IPv4 options | Attackers can misuse IPv4 options for denial-of-service attacks.
IP teardrop attack | The attacker sends the target fragmented IP packets that overlap. The target uses up its resources attempting to reassemble the packets and can no longer process valid traffic.
IP unknown protocol attack | The attacker sends the target packets with protocol numbers greater than 137 for IPv4 or greater than 139 for IPv6. An unknown protocol might be malicious.
TCP FIN No ACK attack | The attacker sends the target TCP packets that have the FIN bit set but the ACK bit unset. The responses can let the attacker identify the target's operating system or its open ports.
Land attack | The attacker sends the target spoofed SYN packets that carry the target's IP address as both the source and the destination address. The target uses up its resources repeatedly replying to itself. In another variation of the land attack, the SYN packets also carry the same source and destination ports.
TCP SYN ACK ACK attack | The attacker initiates Telnet or FTP connections with the target without completing them. The target's session table can fill up, causing the device to reject legitimate connection requests.
TCP SYN FIN attack | The attacker sends the target TCP packets that have both the SYN and the FIN bits set. This can cause unpredictable behavior on the target, depending on its TCP stack implementation.
SYN fragment attack | The attacker sends the target fragments of SYN packets. The target caches each SYN fragment while it waits for the remaining fragments so that it can reassemble the segment and complete the connection. A flood of SYN fragments eventually fills the host's memory buffers and prevents valid connections.
TCP no flag attack | The attacker sends the target TCP packets with no flags set. This can cause unpredictable behavior on the target, depending on its TCP stack implementation.
TCP WinNuke attack | The attacker sends a TCP segment with the urgent (URG) flag set to port 139 of a target running Windows. This might crash the target machine.
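To show how the packet-pattern checks in the table above translate into concrete header tests, here is an added Python classifier that is not code from this page or from Junos. It evaluates constructed IPv4 headers against the ICMP, IP and TCP screens described in the table (fragmented or oversized ICMP, ping of death, unknown protocol, SYN fragment, no-flag, SYN+FIN, FIN without ACK, land and WinNuke) and returns the list of screens each packet trips. The `Packet` field names, the assumption of a 20-byte IPv4 header with no options, and the rule that a SYN can only be observed on a first fragment are choices of this example; the sample packets are constructed.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPV4_HEADER_LEN = 20          # assumption: the constructed samples carry no IPv4 options
NETBIOS_SESSION_PORT = 139    # WinNuke target port from the table


@dataclass
class Packet:
    """Only the header fields the screens in the table look at (assumed names)."""
    src: str
    dst: str
    proto: int                 # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    ip_version: int = 4
    ip_len: int = 40           # IP total length in bytes
    more_fragments: bool = False
    frag_offset: int = 0       # fragment offset in 8-byte units
    tcp_flags: int = 0
    sport: int = 0
    dport: int = 0


def screen_checks(p):
    """Return the names of every screen in the table that the packet matches."""
    hits = []
    fragment = p.more_fragments or p.frag_offset > 0
    # IP unknown protocol: numbers above 137 (IPv4) or 139 (IPv6).
    if p.proto > (137 if p.ip_version == 4 else 139):
        hits.append("ip-unknown-protocol")
    if p.proto == 1:
        if fragment:
            hits.append("icmp-fragment")
        if p.ip_len > 1024:
            hits.append("icmp-large")
        # Ping of death: this fragment would push the reassembled datagram past 65535 bytes.
        if fragment and p.frag_offset * 8 + (p.ip_len - IPV4_HEADER_LEN) > 65535:
            hits.append("ping-of-death")
    if p.proto == 6:
        f = p.tcp_flags
        # Only a first fragment (offset 0, MF set) still carries the TCP header,
        # so that is the only fragment on which a SYN can be observed.
        if p.more_fragments and p.frag_offset == 0 and f & SYN:
            hits.append("syn-frag")
        if f == 0:
            hits.append("tcp-no-flag")
        if f & SYN and f & FIN:
            hits.append("tcp-syn-fin")
        if f & FIN and not f & ACK:
            hits.append("tcp-fin-no-ack")
        if f & SYN and p.src == p.dst:
            hits.append("land")            # the same-port variant is covered as well
        if f & URG and p.dport == NETBIOS_SESSION_PORT:
            hits.append("winnuke")
    return hits


def verdict(p, alarm_without_drop=False):
    """Drop on any hit, or only log an alarm when the screen is configured that way."""
    hits = screen_checks(p)
    if not hits:
        return "permit", hits
    return ("alarm" if alarm_without_drop else "drop"), hits


def samples():
    """Constructed packets: one per screen plus two benign controls."""
    a, b = "198.51.100.5", "192.0.2.10"
    return {
        "normal_syn": Packet(a, b, 6, tcp_flags=SYN, sport=40000, dport=443),
        "udp_dns": Packet(a, b, 17, ip_len=60, sport=53000, dport=53),
        "land": Packet(b, b, 6, tcp_flags=SYN, sport=80, dport=80),
        "syn_fin": Packet(a, b, 6, tcp_flags=SYN | FIN, dport=22),
        "fin_only": Packet(a, b, 6, tcp_flags=FIN, dport=22),
        "null_scan": Packet(a, b, 6, tcp_flags=0, dport=22),
        "winnuke": Packet(a, b, 6, tcp_flags=URG | ACK | PSH, dport=139),
        "syn_frag": Packet(a, b, 6, tcp_flags=SYN, more_fragments=True, dport=80),
        "icmp_large": Packet(a, b, 1, ip_len=1500),
        "ping_of_death": Packet(a, b, 1, ip_len=100, frag_offset=8183),
        "unknown_proto": Packet(a, b, 200),
    }


def run_samples():
    return {name: screen_checks(p) for name, p in samples().items()}
```

Note that a SYN+FIN segment also fails the FIN-without-ACK test, so one packet can trip more than one screen; the verdict is the same either way, but the hit list is what you would want in the syslog record when debugging a false positive.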