ids-option
Syntax
ids-option screen-name {
    alarm-without-drop;
    description text;
    icmp {
        flood {
            threshold number;
        }
        fragment;
        icmpv6-malformed;
        ip-sweep {
            threshold number;
        }
        large;
        ping-death;
    }
    ip {
        bad-option;
        block-frag {
            white-list name;
        }
        ipv6-extension-header {
            AH-header;
            ESP-header;
            HIP-header;
            destination-header {
                ILNP-nonce-option;
                home-address-option;
                line-identification-option;
                tunnel-encapsulation-limit-option;
                user-defined-option-type <type-low> to <type-high>;
            }
            fragment-header;
            hop-by-hop-header {
                CALIPSO-option;
                RPL-option;
                SFM-DPD-option;
                jumbo-payload-option;
                quick-start-option;
                router-alert-option;
                user-defined-option-type <type-low> to <type-high>;
            }
            mobility-header;
            no-next-header;
            routing-header;
            shim6-header;
            user-defined-option-type <type-low> to <type-high>;
        }
        ipv6-extension-header-limit limit;
        ipv6-malformed-header;
        loose-source-route-option;
        record-route-option;
        security-option;
        source-route-option;
        spoofing;
        stream-option;
        strict-source-route-option;
        tear-drop;
        timestamp-option;
        unknown-protocol;
        tunnel {
            gre {
                gre-4in4;
                gre-4in6;
                gre-6in4;
                gre-6in6;
            }
            ip-in-udp {
                teredo;
            }
            ipip {
                ipip-4in4;
                ipip-4in6;
                ipip-6in4;
                ipip-6in6;
                ipip-6over4;
                ipip-6to4relay;
                isatap;
                dslite;
            }
            bad-inner-header;
        }
    }
    limit-session {
        destination-ip-based number;
        source-ip-based number;
    }
    tcp {
        fin-no-ack;
        land;
        port-scan {
            threshold number;
        }
        syn-ack-ack-proxy {
            threshold number;
        }
        syn-fin;
        syn-flood {
            alarm-threshold number;
            attack-threshold number;
            destination-threshold number;
            source-threshold number;
            timeout seconds;
            white-list name {
                destination-address destination-address;
                source-address source-address;
            }
        }
        syn-frag;
        tcp-no-flag;
        tcp-sweep {
            threshold number;
        }
        winnuke;
    }
    udp {
        flood {
            threshold number;
        }
        port-scan {
            threshold number;
        }
        udp-sweep {
            threshold number;
        }
    }
}
Hierarchy Level
[edit security screen], [edit tenants tenant-name security screen]
Description
Define screens for the intrusion detection service (IDS). An ids-option enables screen protection on SRX Series Firewalls. One ids-option can be associated with several zones; however, each zone can be linked with only one ids-option.
Options
description text—Descriptive text about a screen.
alarm-without-drop—Direct the device to generate an alarm when it detects an attack, but not to block the attack.
icmp—Configure the ICMP IDS options.
ip—Configure the IP layer IDS options.
limit-session—Limit the number of concurrent sessions the device can initiate from a single source IP address, or the number of sessions it can direct to a single destination IP address.
tcp—Configure the TCP layer IDS options.
udp—Configure the UDP layer IDS options.
loose-source-route-option—The device detects packets where the IP option is 3 (Loose Source Routing) and records the event in the screen counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of the addresses specified, but it is allowed to pass through other devices between those specified.
source-route-option—Enable this option to block all IP traffic that employs the loose or strict source route option. Source route options can allow an attacker to enter a network with a false IP address.
strict-source-route-option—The device detects packets where the IP option is 9 (Strict Source Routing) and records the event in the screen counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option is applicable to IPv4 only.
The loose-source-route-option and strict-source-route-option screens only generate an alarm; the matching packets are not dropped, even when there is an overflow of traffic. When the source-route-option screen is configured, the matching attack packets are dropped.
The remaining statements are explained separately. See CLI Explorer.
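A constructed configuration, added here as an example and not taken from the Junos documentation, that builds one screen from the statements above and binds it to a zone. The screen name untrust-screen, the zone name untrust, the white-list address and every threshold value are assumptions chosen for illustration.

```junos
# Added example (not Junos documentation): screen "untrust-screen" and
# zone "untrust" are assumed names; thresholds are illustrative only.
set security screen ids-option untrust-screen description "Perimeter screen for the untrust zone"

# IP layer: drop loose/strict source-routed traffic (source-route-option
# drops, unlike the two alarm-only variants), plus spoofing and malformed packets.
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen ip unknown-protocol

# ICMP: flood and sweep thresholds, oversize and ping-of-death checks.
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen icmp ip-sweep threshold 1000
set security screen ids-option untrust-screen icmp large
set security screen ids-option untrust-screen icmp ping-death

# TCP: SYN flood thresholds with a white-list for a monitoring host
# (192.0.2.10 is a constructed documentation-range address), scan
# detection and invalid flag-combination checks.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp syn-flood white-list monitoring source-address 192.0.2.10/32
set security screen ids-option untrust-screen tcp port-scan threshold 5000
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp fin-no-ack
set security screen ids-option untrust-screen tcp tcp-no-flag
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp winnuke

# UDP: flood and sweep thresholds.
set security screen ids-option untrust-screen udp flood threshold 1000
set security screen ids-option untrust-screen udp udp-sweep threshold 1000

# Per-source and per-destination session caps to contain resource exhaustion.
set security screen ids-option untrust-screen limit-session source-ip-based 128
set security screen ids-option untrust-screen limit-session destination-ip-based 2048

# Bind the screen to the zone: one ids-option may serve several zones,
# but a zone accepts only one ids-option.
set security zones security-zone untrust screen untrust-screen
```

Verify the result with show security screen ids-option untrust-screen and show security screen statistics zone untrust; the per-zone statistics are where alarm-only screens such as loose-source-route-option record their matches.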
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
Support for the description option added in Junos OS Release 12.1.
UDP supports the port-scan option starting from Junos OS Release 12.1X47-D10.
The tenant option was introduced in Junos OS Release 18.3R1.