The Internet Protocol standard, RFC 791, specifies a set of eight IP options that provide special routing controls, diagnostic tools, and security labeling. Although the original, intended uses of these options served worthy ends, attackers have found ways to twist them toward less commendable objectives. (For a summary of the exploits that attackers can initiate from IP options, see Understanding Network Reconnaissance Using IP Options.)
Before You Begin
For background information, read Suspicious Packet Attributes Overview.
Either intentionally or accidentally, attackers sometimes configure IP options incorrectly, producing either incomplete or malformed fields. Regardless of the intentions of the person who crafted the packet, the incorrect formatting is anomalous and potentially harmful to the intended recipient. See Figure 39.
Figure 39: Incorrectly Formatted IP Options
When you enable the bad IP option protection SCREEN option, JUNOS software with enhanced services blocks packets when any IP option in the IP packet header is incorrectly formatted. Additionally, JUNOS software with enhanced services records the event in the event log.
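As an added example (not code from the Juniper documentation, and not the SCREEN's actual implementation), the following Python validator applies the RFC 791 formatting rules for the option area of an IPv4 header and reports the anomalies it finds, which is the kind of check the bad IP option SCREEN performs before dropping and logging a packet. The `build_header` helper constructs sample headers with a zero checksum; the option type codes are those assigned by RFC 791.

```python
# Added example (not from the Juniper documentation): validate IPv4 option
# formatting against the RFC 791 rules, reporting each malformation found.
import struct

# RFC 791 option type codes (copied flag and class bits included).
END_OF_LIST, NOP = 0, 1
LSRR, SSRR, RR, TIMESTAMP, SECURITY, STREAM_ID = 131, 137, 7, 68, 130, 136
FIXED_LENGTH = {SECURITY: 11, STREAM_ID: 4}

def build_header(options: bytes) -> bytes:
    """Constructed sample: a minimal IPv4 header (checksum left 0) with options."""
    padded = options + b"\x00" * (-len(options) % 4)   # option area is 32-bit aligned
    ihl = 5 + len(padded) // 4
    base = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return base + padded

def check_ip_options(header: bytes) -> list:
    """Return the formatting anomalies found in an IPv4 header's options."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return ["not an IPv4 header"]
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        return ["IHL %d inconsistent with header size %d" % (ihl, len(header))]
    opts, i, problems = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == END_OF_LIST:      # single-byte options carry no length field
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return problems + ["option %d truncated: no length byte" % kind]
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # length counts type+length bytes
            return problems + ["option %d length %d out of range" % (kind, length)]
        if kind in FIXED_LENGTH and length != FIXED_LENGTH[kind]:
            problems.append("option %d must be %d bytes, got %d" % (kind, FIXED_LENGTH[kind], length))
        if kind in (LSRR, SSRR, RR):  # pointer >= 4, then whole 4-byte addresses
            if length < 3 or opts[i + 2] < 4 or (length - 3) % 4:
                problems.append("route option %d has bad pointer or length" % kind)
        elif kind == TIMESTAMP:       # pointer >= 5, overflow/flag byte follows
            if length < 4 or opts[i + 2] < 5:
                problems.append("timestamp option has bad pointer or length")
        i += length
    return problems
```

A packet for which `check_ip_options` returns a non-empty list is one the SCREEN would block and log; the validator goes slightly beyond the page by naming which RFC 791 rule each option violates.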