Detecting and Blocking IP Packets with Incorrectly Formatted Options

Attackers sometimes configure IP options incorrectly, producing either incomplete or malformed fields. The incorrect formatting is anomalous and potentially harmful to the intended recipient.
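
To make "incomplete or malformed" concrete, the following added example (not part of the original documentation, and not the device's own screen logic) checks the options area of an IPv4 header against the RFC 791 option layout. The function names and the sample headers are constructed for illustration.

```python
import struct

def check_ip_options(header: bytes) -> list[str]:
    """Return the format problems found in the options area of an IPv4 header."""
    if len(header) < 20:
        return ["header shorter than 20 bytes"]
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4:
        return ["not an IPv4 header"]
    if ihl < 5 or ihl * 4 > len(header):
        return [f"IHL {ihl} inconsistent with captured header"]
    opts = header[20:ihl * 4]
    problems, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List: the rest is padding
            break
        if kind == 1:            # No Operation: single-byte option
            i += 1
            continue
        where = f"option {kind} at offset {i}"
        if i + 1 >= len(opts):   # every other option needs a length byte
            problems.append(f"{where}: length byte missing")
            break
        length = opts[i + 1]     # length counts the type and length bytes too
        if length < 2:
            problems.append(f"{where}: length {length} below minimum 2")
            break
        if i + length > len(opts):
            problems.append(f"{where}: length {length} overruns options area")
            break
        i += length
    return problems

def build_header(options: bytes) -> bytes:
    """Constructed sample: bare IPv4 header (checksum left zero) plus options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options

SAMPLES = {  # constructed option byte strings, documentation addresses only
    "well-formed NOP + Record Route": b"\x01\x07\x07\x04\x00\x00\x00\x00",
    "length overruns header": b"\x07\x27\x04\x00",
    "zero length byte": b"\x07\x00\x00\x00",
    "length byte missing": b"\x01\x01\x01\x07",
}

if __name__ == "__main__":
    for name, opts in SAMPLES.items():
        print(f"{name}: {check_ip_options(build_header(opts)) or 'ok'}")
```
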

Before You Begin

For background information, read Understanding Bad IP Option Protection.

You can use either J-Web or the CLI configuration editor to detect and block IP packets with incorrectly formatted IP options. The specified security zone is the one from which the packets originated.

J-Web Configuration

To configure screens:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Screen, click Configure.
  4. Next to Ids option, click Add new entry.
  5. In the Name box, type zone.
  6. Next to Ip, click Configure.
  7. Next to Bad option, select the check box and click OK.
  8. To save and commit the configuration, click Commit.

To configure zones:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type zone.
  6. In the Screen box, type ip-bad-option and click OK.
  7. To save and commit the configuration, click Commit.

CLI Configuration

user@host# set security screen ids-option ip-bad-option ip bad-option
user@host# set security zones security-zone zone screen ip-bad-option
