Checking for SYN flags can also prevent attackers from using IP source route options to hide their true address and access restricted areas of a network by specifying a different path. TCP SYN checking is on by default.
Before You Begin |
---|
For background information, read Understanding Attacker Evasion Techniques. |
You can use either J-Web or the CLI configuration editor to detect and record, but not block, packets with a loose or strict source route option set.
This topic covers:
To configure screens:
To configure zones:
- user@host# set security screen ids-option
ip-loose-src-route ip loose-source-route-option
- user@host# set security screen ids-option
ip-strict-src-route ip strict-source-route-option
- user@host# set security zones security-zone
zone screen ip-strict-src-route