Checking for SYN flags can prevent attackers from using IP source route options to hide their true address and access restricted areas of a network by specifying a different path. TCP SYN checking is on by default.
| Before You Begin |
|---|
| For background information, read Understanding Attacker Evasion Techniques. |
You can use either J-Web or the CLI configuration editor to block packets with either a loose or strict source route option set. The specified security zone is the one from which the packets originated.
To configure screens:
- user@host# set security screen ids-option ip-filter-src ip source-route-option

To configure zones:
- user@host# set security zones security-zone zone screen ip-filter-src