The Internet Protocol standard RFC 791, Internet Protocol, specifies a set of eight options that provide special routing controls, diagnostic tools, and security. Although the original, intended uses for these options served worthy ends, people have figured out ways to twist these options to accomplish less commendable objectives. (For a summary of the exploits that attackers can initiate from IP options, see Understanding Network Reconnaissance Using IP Options.)
Before You Begin |
|---|
For background information, read Suspicious Packet Attributes Overview. |
Either intentionally or accidentally, attackers sometimes configure IP options incorrectly, producing either incomplete or malformed fields. Regardless of the intentions of the person who crafted the packet, the incorrect formatting is anomalous and potentially harmful to the intended recipient. See Figure 137.
Figure 137: Incorrectly Formatted IP Options
When you enable the bad IP option protection screen option, JUNOS Software blocks packets when any IP option in the IP packet header is incorrectly formatted. Additionally, JUNOS Software records the event in the event log.