Checking for SYN flags can also prevent attackers from using IP source route options to hide their true address and access restricted areas of a network by specifying a different path. TCP SYN checking is on by default.
Before You Begin |
---|
For background information, read Understanding Attacker Evasion Techniques. |
To detect and record, but not block, packets with a loose or strict source route option set, use the JUNOS CLI configuration editor.
- user@host# set security screen ip-loose-src-route ip loose-source-route-option
- user@host# set security screen ip-strict-src-route ip strict-source-route-option
- user@host# set security zones security-zone zone screen ip-strict-src-route