Checking for SYN flags can prevent attackers from using IP source route options to hide their true address and access restricted areas of a network by specifying a different path. TCP SYN checking is on by default.
|
Before You Begin |
|---|
|
For background information, read Understanding Attacker Evasion Techniques. |
To block packets with either a loose or strict source route option set, use the JUNOS CLI configuration editor. The specified security zone is the one from which the packets originated.
- user@host# set security screen ip-filter-src ip source-route-option
- user@host# set security zones security-zone zone screen
ip-filter-src