Monday, January 21, 2013

Chapter 5 Screen options


So, screens.
Basically we have DDoS (Distributed Denial of Service) attacks and hackers, and the SRX has to protect itself from them.
The first thing the SRX can do is defend itself by dropping obviously hostile packets.
They call this SCREENING.
Basically, if the person is drunk, he can't get in the club. Flip-flops, same thing. Pretty much the obvious things.

So back to the diagram.
Notice how the first thing is SCREEN.
No sense in wasting resources on drunks and flip-floppers.


The options live under the set security screen stanza:
set security screen ids-option IDS_protect


Inside it you state the protocol you are protecting and the protection you want.


ids-option IDS_protect {
    icmp {
        ip-sweep threshold 5000;   # one source pinging many different hosts in quick succession (the threshold is the interval in microseconds)
        fragment;                  # a ping should not be fragmented as it is very small.
        large;                     # a ping is tiny, tiny and should not be large.
        flood threshold 1000;      # they try to ping-flood your resources
        ping-death;                # the old oversized-ping attack.
    }


All of the above protects you from pings.



IP structure.
    ip {
        bad-option;                     # a malformed or wrong IP option: drop it.
        record-route-option;            # trying to record the route: drop it.
        timestamp-option;               # trying to get a timestamp response: drop it.
        security-option;                # obsolete - used to be for the DoD
        stream-option;                  # obsolete - used to be for satellite links.
        spoofing;                       # the source IP is checked against the route table; drop it if it should not arrive from there
        source-route-option;            # trying to dictate to me which route to take: drop it
        loose-source-route-option;      # these only DETECT and do not drop
        strict-source-route-option;     # these only DETECT and do not drop
        unknown-protocol;               # unknown protocol field.
        block-frag;                     # drop IP fragments.
        tear-drop;                      # teardrop is an old attack using fragments that reassemble badly
    }



TCP attacks.

SYN is used to synchronise at the start of a session. FIN is used to finish the session at the end.
So a single packet should never carry both:
SYN-FIN    a SYN and a FIN in the same packet. If you see one, drop it.
    tcp {
        syn-fin;



        fin-no-ack;
When you want to close a session you send a FIN with an ACK, and you get back a FIN with an ACK.
So there is always an ACK with the FIN.
If you get a FIN without an ACK, drop it.


        tcp-no-flag;
No flags at all, no SYN, no FIN, no ACK: totally fishy, simply drop it.

        syn-frag;
A SYN packet should be very small, like a ping. There is no way it should be fragmented, so drop a fragmented SYN.


        port-scan threshold 5000;
This protects you against a port scan. If one source is scanning more ports than the threshold allows, drop it.

        syn-ack-ack-proxy threshold 512;
If the SRX is proxying connections, this protects the proxy from being exhausted.

        syn-flood {
            alarm-threshold 100;          # proxied half-open connections per second before an alarm is raised
            attack-threshold 700;         # SYNs per second to one destination address and port
            source-threshold 400;         # SYNs per second from one source
            destination-threshold 300;    # SYNs per second to one destination address
            timeout 40;                   # seconds before a half-completed connection is dropped
        }

This is for when somebody tries to exhaust your resources by sending SYNs to open connections they never complete.

        land;                          # source IP set to the receiver's own IP, to crash it.
        winnuke;                       # old attack on port 139.
    }
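To show what the flag checks above actually look at, here is an added example (mine, not Juniper's code and not from the original post) that builds a few constructed IPv4/TCP packets and runs the syn-fin, fin-no-ack, tcp-no-flag and syn-frag tests over them in Python. The packet builder, the screen names it returns and the sample addresses are all assumptions for the demonstration; the SRX does this in hardware and with its own names.

```python
import socket
import struct
from typing import List

# TCP control bits, low six bits of the flags byte (RFC 793)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000           # "more fragments" bit in the IPv4 flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset (in 8-byte units)


def build_ipv4_tcp(src: str, dst: str, tcp_flags: int,
                   more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header plus 20-byte TCP header, no payload.
    Checksums stay zero because the screen logic below never looks at them."""
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFSET_MASK)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, flags_frag, 64, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    if frag_offset:
        return ip_hdr  # a non-first fragment carries no TCP header
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_screens(raw: bytes) -> List[str]:
    """Return the names of the TCP screen options (spelled as in the ids-option stanza above)
    that this packet trips; an empty list means it passes these flag checks."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (raw[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", raw[6:8])[0]
    if raw[9] != socket.IPPROTO_TCP:
        return []                       # not TCP: the tcp { } screens do not apply
    if flags_frag & IP_OFFSET_MASK:
        return []                       # later fragment, no TCP header to inspect
    if len(raw) < ihl + 20:
        return ["truncated"]
    flags = raw[ihl + 13] & 0x3F
    fragmented = bool(flags_frag & IP_MF)
    hits = []
    if flags & TCP_SYN and flags & TCP_FIN:
        hits.append("syn-fin")          # SYN and FIN never belong in the same segment
    if flags & TCP_FIN and not flags & TCP_ACK:
        hits.append("fin-no-ack")       # a FIN always rides with an ACK
    if flags == 0:
        hits.append("tcp-no-flag")      # no control bits at all
    if flags & TCP_SYN and fragmented:
        hits.append("syn-frag")         # a SYN is tiny and should never be fragmented
    return hits


if __name__ == "__main__":
    # constructed samples; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges
    samples = {
        "normal SYN":     build_ipv4_tcp("203.0.113.9", "192.0.2.1", TCP_SYN),
        "FIN+ACK":        build_ipv4_tcp("203.0.113.9", "192.0.2.1", TCP_FIN | TCP_ACK),
        "SYN+FIN":        build_ipv4_tcp("203.0.113.9", "192.0.2.1", TCP_SYN | TCP_FIN),
        "bare FIN":       build_ipv4_tcp("203.0.113.9", "192.0.2.1", TCP_FIN),
        "no flags":       build_ipv4_tcp("203.0.113.9", "192.0.2.1", 0),
        "fragmented SYN": build_ipv4_tcp("203.0.113.9", "192.0.2.1", TCP_SYN, more_fragments=True),
    }
    for name, pkt in samples.items():
        print(f"{name:15} -> {tcp_screens(pkt) or ['pass']}")
```

Note that a SYN+FIN segment trips fin-no-ack as well as syn-fin, which is why the function returns every matching screen rather than stopping at the first: when you read the SRX's screen counters you will see both go up for the same packet.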




UDP attacks.
Since UDP is connection-less there is only one screen, against a flood designed to drain your resources.
    udp {
        flood threshold 3000;
    }


The last protection is on the session table.
This is the table we used earlier to keep the back-and-forth communication open.

    limit-session {
        source-ip-based 900;           # limit the number of sessions one source IP can open
        destination-ip-based 128;      # limit the number of open sessions to ONE destination IP
    }
}
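The two stateful screens on this page, the syn-flood source/destination thresholds and the limit-session caps, both come down to counters keyed by address. This added example (mine, not Juniper's and not from the original post) models them in Python: a sliding one-second window of SYNs per source and per destination, and a count of open sessions per source and per destination. It is a simplified model: the threshold values are the ones from the stanza above, but it drops outright where the real SRX would start SYN-proxying, and the class names, the traffic in demo() and the addresses are all constructed for the demonstration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class SynFloodScreen:
    """Per-source and per-destination SYN rate limits over a sliding one-second window,
    in the spirit of the syn-flood source-threshold / destination-threshold settings."""

    def __init__(self, source_threshold: int, destination_threshold: int, window: float = 1.0):
        self.source_threshold = source_threshold
        self.destination_threshold = destination_threshold
        self.window = window
        self._by_src: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_dst: Dict[str, Deque[float]] = defaultdict(deque)

    def _count(self, table: Dict[str, Deque[float]], key: str, ts: float) -> int:
        """Record a SYN at time ts for key and return how many fall inside the window."""
        q = table[key]
        while q and ts - q[0] >= self.window:
            q.popleft()                 # age out SYNs older than the window
        q.append(ts)
        return len(q)

    def observe_syn(self, ts: float, src: str, dst: str) -> str:
        """Return 'pass', or the name of the threshold this SYN pushed over the limit."""
        src_n = self._count(self._by_src, src, ts)
        dst_n = self._count(self._by_dst, dst, ts)
        if src_n > self.source_threshold:
            return "drop:source-threshold"
        if dst_n > self.destination_threshold:
            return "drop:destination-threshold"
        return "pass"


class SessionLimit:
    """Caps concurrent sessions per source IP and per destination IP (limit-session stanza)."""

    def __init__(self, source_ip_based: int, destination_ip_based: int):
        self.src_limit = source_ip_based
        self.dst_limit = destination_ip_based
        self.per_src: Dict[str, int] = defaultdict(int)
        self.per_dst: Dict[str, int] = defaultdict(int)

    def open_session(self, src: str, dst: str) -> bool:
        """True if the session may be created; False if either side is at its cap."""
        if self.per_src[src] >= self.src_limit or self.per_dst[dst] >= self.dst_limit:
            return False
        self.per_src[src] += 1
        self.per_dst[dst] += 1
        return True

    def close_session(self, src: str, dst: str) -> None:
        if self.per_src[src] > 0 and self.per_dst[dst] > 0:
            self.per_src[src] -= 1
            self.per_dst[dst] -= 1


def demo() -> Tuple[int, int]:
    """Constructed traffic in two scenes. Scene 1: one host fires 450 SYNs in under half a
    second at ten servers. Scene 2: 150 different hosts each open one session to one server.
    Returns (SYNs dropped by the flood screen, sessions refused by limit-session)."""
    flood = SynFloodScreen(source_threshold=400, destination_threshold=300)
    limit = SessionLimit(source_ip_based=900, destination_ip_based=128)
    dropped = refused = 0
    attacker = "203.0.113.9"            # constructed, documentation range
    for i in range(450):
        dst = f"192.0.2.{i % 10}"
        if flood.observe_syn(i * 0.001, attacker, dst) != "pass":
            dropped += 1                # SYNs 401..450 exceed source-threshold 400
        elif not limit.open_session(attacker, dst):
            refused += 1
    for i in range(150):                # 150 clients, one server, destination cap 128
        if not limit.open_session(f"198.51.100.{i}", "192.0.2.200"):
            refused += 1
    return dropped, refused


if __name__ == "__main__":
    print("dropped by syn-flood, refused by limit-session:", demo())
```

The point the two classes make together: the syn-flood thresholds are rates (they forget after the window passes), while limit-session is a hard count of what is currently open and only frees up when a session closes. A scan that stays under the per-second rate can still run into the session cap, and a burst that is over the rate is dropped before it ever reaches the session table.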



At the end apply it to the zone.
set security zones security-zone WAN screen IDS_protect




