Modifying the Screens Configuration for Security Devices

Name

Modify the name of the screen.

Description

Modify the description of the screen.

Generate alarms without dropping packets

Select this check box to generate an alarm when detecting an attack but not to block the attack.

Denial of Service

Land attack protection

Select this option to prevent land attacks, where an attacker sends spoofed IP packets with headers containing the target’s IP address for the source and destination IP address.

Combining the SYN flood defense with IP spoofing protection prevents land attacks

Teardrop attack protection

Select this option to prevent a teardrop attack, which exploits the reassembly of fragmented IP packets. The device drops any packets that have such a discrepancy.

ICMP fragment protection

Select this option to block any ICMP packet that has the More Fragments flag set or that has an offset value.

Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.

Ping of death attack protection

Select this option to prevent a ping-of-death attack, which occurs when sending IP packets exceeding the maximum allowed size (65,535 bytes).

Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. Larger packets can trigger a range of adverse system reactions, including crashing, freezing, and restarting.

Large size ICMP packet protection

Select this option to drop ICMP packets with a length greater than 1024 bytes.

Block fragment traffic

Select this option to deny IP fragments on a security zone and to block all IP packet fragments that are received at interfaces bound to that zone.

SYN-ACK-ACK proxy protection

Select this option to prevent a SYN-ACK-ACK attack, which occurs when the attacker establishes multiple telnet sessions without allowing each session to terminate.

After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the device rejects further connection requests from that IP address.

WinNuke attack protection

Select this option to detect attacks in Windows NetBIOS communications.

Each WinNuke attack triggers an attack log entry in the event alarm log. WinNuke is a DoS attack targeting any computer on the Internet running Windows.

Anomalies

Bad option

Select this option to detect and drop any packet with an incorrectly formatted IP option in the IP packet header (IPv4 or IPv6). The device records the event in the screen counters list for the ingress interface.

Security

Select this option to detect packets where the optional header field is IP option 2 (security), and the event is recorded in the screen counters list for the ingress interface.

Unknown protocol

Select this option to discard all received IP frames with protocol numbers greater than 137 for IPv4 and 139 for IPv6. These protocol numbers are undefined or reserved.

Strict source route

Select this option to detect packets where the optional header field is IP option 9 (strict source routing), and the event is recorded in the screen counters list for the ingress interface.

This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field.

Source route

Select this option either to block any packets set with loose or strict source route options or to detect such packets and then record the event in the counters list for the ingress interface.

Source routing allows users at the source of an IP packet transmission to specify the IP addresses of the devices that they want an IP packet to take on its way to its destination.

Timestamp

Select this option to detect packets where the optional header field is IP option 4 (Internet timestamp), and the event is recorded in the screen counters list for the ingress interface. This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.

Stream

Select this option to detect packets where the optional header field is IP option 8 (stream ID), and the event is recorded in the screen counters list for the ingress interface.

This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams.

Loose source route

Select this option to detect packets where the optional header field is IP option 3 (loose source routing), and the event is recorded in the screen counters list for the ingress interface.

This option specifies a partial route list for a packet to take on its journey from source to destination.

Record route

Select this option to detect packets where the optional header field is IP option 7 (record route), and the event is recorded in the screen counters list for the ingress interface.

This option records the IP addresses of the network devices along the path that the IP packet travels

SYN fragment protection

Select this option to detect packets where the optional IP header field indicates that the packet has been fragmented and the SYN flag is set in the TCP header.

A fragmented SYN packet is anomalous, and, as such, it is suspect. To be cautious, block such unknown elements from entering your protected network.

SYN and FIN flags set protection

Select this option to detect an illegal combination of flags that attackers can use to consume sessions on the target device.

Both the SYN and FIN control flags are not normally set in the same TCP segment header. The SYN flag synchronizes sequence numbers to initiate a TCP connection. The FIN flag indicates the end of data transmission to finish a TCP connection. Their purposes are mutually exclusive. A TCP header with the SYN and FIN flags set is anomalous TCP behavior, causing various responses from the recipient, depending on the OS.

Fin flag without ACK flag set protection

Select this option to detect an illegal combination of flags and to reject packets that have this combination.

Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there is no uniform response to this. The OS might respond by sending a TCP segment with the RST flag set.

Flood Defense

Limit sessions from the same source

Set the number of concurrent sessions that can be initiated from a source IP address.

When you set a source-based session limit, it can:

• Stem an attack such as the Nimda virus (which is actually both a virus and a worm) that infects a server and then begins generating massive amounts of traffic from that server. Because all the virus-generated traffic originates from the same IP address, a source-based session limit ensures that the firewall can control such excessive amounts of traffic.

• Mitigate attempts to fill up the firewall's session table if all the connection attempts originate from the same source IP address.

Limit sessions from the same destination

Set the number of concurrent sessions that can be directed to a single destination IP address. This ensures that the device allows only an acceptable number of concurrent connection requests–no matter what the source–to reach any one host.

ICMP flood protection

Select this option to prevent an ICMP flood attack, where ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.

The threshold value defines the number of ICMP packets per second allowed to ping the same destination address before the device rejects further ICMP packets.

UDP flood protection

Select this option to prevent a UDP flood attack, where an attacker sends IP packets containing UDP datagrams to slow down resources, such that valid connections can no longer be handled.

The threshold value defines the number of UDP packets per second allowed to ping the same destination IP address or port pair. When the number of packets exceeds this value within any 1-second period, the device generates an alarm and drops subsequent packets for the remainder of that second.

SYN flood protection

Select this option to prevent a SYN flood attack, where the connecting host continuously sends TCP SYN requests without replying to the corresponding ACK responses.

When the number of SYN segments per second exceeds the set threshold, the device will either start proxying incoming SYN segments by replying with SYN/ACK segments and storing the incomplete connection requests in a connection queue, or it will drop the packets.

Attack Threshold

Set the number of SYN packets per second (pps) required to trigger a SYN proxy response. The default value is 200 pps, and you can set the attack threshold from 1 to 500,000 pps.

Although you can set the threshold to any number, you need to know the normal traffic patterns at your site to set an appropriate threshold for it. For example, if for an e-business site that normally gets 20,000 SYN segments per second, you might want to set the threshold to 30,000 pps. If a smaller site normally gets 20 SYN segments per second, you might consider setting the threshold to 40 pps.

Alarm Threshold

Set the number of proxied, half-completed TCP connection requests per second after which the device enters an alarm in the event log.

The value you set for an alarm threshold triggers an alarm when the number of proxied, half-completed connection requests to the same destination address per second exceeds that value.

Source Threshold

Set the number of SYN segments that the device can receive per second from a single source IP address before the device begins dropping connection requests from that source. The default value is 4000 per second, and you can set the source threshold from 4 to 500,000 per second.

Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.

Destination Threshold

Set the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. The default value is 4000 per second, and you can set the destination threshold from 4 to 1,000,000 per second.

If a protected host runs multiple services, you might want to set a threshold based on destination IP address only—regardless of the destination port number.

Timeout

Set the maximum length of time before a half-completed connection is dropped from the queue. The default value is 20 seconds, and you can set the timeout from 1 to 50 seconds. When either a source or destination threshold is not configured, the system will use the default threshold value.

You can decrease the timeout value until you see any connections dropped during normal traffic conditions.

Reconnaissance

IP spoofing

Select this option to prevent an IP spoofing attack, where an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source.

The mechanism to detect IP spoofing relies on route table entries. When the device detects the packet with a spoofed source IP address, it discards the packet.

IP sweep

Select this option to prevent an IP sweep attack, where an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target’s IP address to the attacker. If the device receives 10 ICMP echo requests within the number of microseconds specified in this statement, then it flags this as an IP sweep attack and rejects the eleventh and all further ICMP packets from that host for the remainder of the second.

The threshold value defines the maximum number of microseconds during which up to 10 ICMP echo requests from the same host are allowed into the device.

TCP sweep

Select this option to prevent a TCP sweep attack, where an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, then the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. If a remote host sends TCP packets to 10 addresses in 0.005 seconds (5000 microseconds), then the device flags this as a TCP sweep attack.

UDP sweep

Select this option to prevent a UDP sweep attack, where an attacker sends UDP packets to the target device. If the device responds to those packets, then the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. If a remote host sends UDP packets to 10 addresses in 0.005 seconds (5000 microseconds), then the device flags this as an UDP sweep attack.

Port scan

Select this option to prevent a port scan attack, where the available services are scanned in the hopes that at least one port will respond, thus identifying a service to target.

A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different destination ports within a defined interval. The default interval is 5000 microseconds.

Name

Modify the name of the screen.

Match Direction

Specify the direction in which the rule match is applied.

The following options are available:

• Input—Apply the rule match on the input side of the interface.

• Output—Apply the rule match on the output side of the interface.

• Input-Output—Apply the rule match bidirectionally.

Service Set

Select a service set from the list that you have already created to define a collection of services to be performed by an Adaptive Services interface (AS) or Multiservices line cards (MS-DPC, MS-MIC, and MS-MPC).

Rule Settings

TCP

• By Source—Enable this option to limit sessions based on numbers generated from the configured source (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Destination—Enable this option to limit sessions based on numbers generated from the configured destination (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Pair—Enable this option to apply limit to paired stateful firewall and NAT flows (forward and reverse).

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• TCP SYN Defense—Enable this option to prevent a SYN flood attack, where the connecting host continuously send TCP SYN requests without replying to the corresponding ACK responses.

• TCP SYN Fragment—Enable this option to detect packets where the option IP header field indicates that the packet has been fragmented and the SYN field is set in the TCP header.

• TCP Winnuke—Enable this option to detect attacks in Windows NetBIOS communications. Each WinNuke attack triggers an attack log entry in the event alarm log.

UDP

Configure the following parameters for UDP:

• By Source—Enable this option to limit sessions based on numbers generated from the configured source (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Destination—Enable this option to limit sessions based on numbers generated from the configured destination (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Pair—Enable this option to apply limit to paired stateful firewall and NAT flows (forward and reverse).

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

ICMP

Configure the following parameters for ICMP:

• By Source—Enable this option to limit sessions based on numbers generated from the configured source (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Destination—Enable this option to limit sessions based on numbers generated from the configured destination (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Pair—Enable this option to apply limit to paired stateful firewall and NAT flows (forward and reverse).

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

  • Max Packets Allowed—Enter the maximum peak packets per second per application or IP address.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

Limit Session (Cumulative)

• By Source—Enable this option to limit sessions based on numbers generated from the configured source (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

• By Destination—Enable this option to limit sessions based on numbers generated from the configured destination (IP or subnet) or application.

  • Max Sessions Allowed—Enter the maximum number of open sessions per application or IP address.

Limit Session (Per Second)

• By Source—Enable this option to limit sessions based on numbers generated from the configured source (IP or subnet) or application.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.

• By Destination—Enable this option to limit sessions based on numbers generated from the configured destination (IP or subnet) or application.

  • Rate Per Second—Enter the maximum number of sessions per second per application or IP address.