show services screen-statistics service-set
Syntax
show services screen statistics service-set service-set
Description
Display intrusion detection service (IDS) screen statistics.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show services screen statistics
service-set command. Output fields are listed in the approximate
order in which they appear.
Field Name |
Field Description |
|---|---|
|
Internet Control Message Protocol (ICMP) flood counter. An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed. |
|
User Datagram Protocol (UDP) flood counter. UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled. |
|
Number of Transport Control Protocol (TCP) WinNuke attacks. WinNuke is a denial-of-service (DoS) attack targeting any computer on the Internet running Windows. |
|
Number of TCP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. |
|
|
Number of UDP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. |
|
Number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts. |
|
Number of teardrop attacks. Teardrop attacks exploit the reassembly of fragmented IP packets. |
|
Number of TCP SYN attacks. |
|
Number of IP spoofs. IP spoofing occurs when an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source. |
|
ICMP ping of death counter. Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes). |
|
Number of IP source route attacks. |
|
Number of TCP address sweeps. |
|
Number of land attacks. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. |
|
Number of TCP SYN fragments. |
|
Number of TCP headers without flags set. A normal TCP segment header has at least one control flag set. |
|
Number of IPs. |
|
Number of invalid options. |
|
Number of packets with the IP record route option enabled. This option records the IP addresses of the network devices along the path that the IP packet travels. |
|
Number of IP timestamp option attacks. This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination. |
|
Number of IP security option attacks. |
|
Number of IP loose source route option attacks. This option specifies a partial route list for a packet to take on its journey from source to destination. |
|
Number of IP strict source route option attacks. This option specifies the complete route list for a packet to take on its journey from source to destination. |
|
Number of stream option attacks. This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams. |
|
Number of ICMP fragments. Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss. |
|
Number of large ICMP packets. |
|
Number of TCP SYN FIN packets. |
|
Number of TCP FIN flags without the acknowledge (ACK) flag. |
|
Number of concurrent sessions that can be initiated from a source IP address. |
|
Number of TCP flags enabled with SYN-ACK-ACK. To prevent flooding with SYN-ACK-ACK sessions, you can enable the SYN-ACK-ACK proxy protection screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold and SRX Series Firewalls running Junos OS reject further connection requests from that IP address. |
|
Number of IP block fragments. |
|
Number of concurrent sessions that can be directed to a single destination IP address. |
|
|
Number of IPv6 extension headers for the intrusion detection service (IDS). These headers are placed between the IPv6 header and the upper layer header in a packet. . |
|
|
Number of IPv6 extension header that specifies delivery parameters at each hop on the path to the destination host. |
|
|
Number of IPv6 destination option for the extension header. |
|
|
Number of IPv6 extension headers that can pass through the screen. |
|
|
Number of IPv6 malformed header that is used to enable the IPv6 malformed header intrusion detection service (IDS) option. The screen doesn't pass any communication using the subnet 2001:db8 :: / 32. |
|
|
Number of malformed ICMPv6 packets, which might cause damage to the device and network. |
Sample Output
show services screen statistics service-set
user@host> show services screen statistics service-set <usf-service-set>
Service-set: ipsec_ss1
Match-Direction: input
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 0
UDP port scan 0
ICMP address sweep 0
TCP sweep 0
UDP sweep 0
IP tear drop 0
TCP SYN flood 0
SYN flood source 0
SYN flood destination 0
IP spoofing 0
ICMP ping of death 0
IP source route option 0
TCP land attack 0
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 0
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
IPv6 extension header 0
IPv6 extension hop by hop option 0
IPv6 extension destination option 0
IPv6 extension header limit 0
IPv6 malformed header 0
ICMPv6 malformed packet 0
IP tunnel summary 0
Service-set: ipsec_ss1
Match-Direction: output
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 0
UDP port scan 0
ICMP address sweep 0
TCP sweep 0
UDP sweep 0
IP tear drop 0
TCP SYN flood 0
SYN flood source 0
SYN flood destination 0
IP spoofing 0
ICMP ping of death 0
IP source route option 0
TCP land attack 0
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 0
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
IPv6 extension header 0
IPv6 extension hop by hop option 0
IPv6 extension destination option 0
IPv6 extension header limit 0
IPv6 malformed header 0
ICMPv6 malformed packet 0
IP tunnel summary 0
Release Information
Support added in Junos OS Release 19.3R2 for Next Gen Services on MX Series routers MX240, MX480 and MX960 with the MX-SPC3 services card.