本主题介绍如何配置 IP 撕裂攻击检测功能。
Teardrop 攻击利用分段 IP 数据包的重组。在 IP 报头中,其中一个字段是分片偏移量字段,用于指示分片数据包中包含的数据的开始位置,或相对于原始未分片数据包的数据的偏移量。如果一个分片数据包的偏移量和大小与下一个分片数据包的大小不同,则数据包重叠,尝试重组该数据包的服务器可能会崩溃。
- 配置接口并将 IP 地址分配给接口。
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- 配置安全区域 trustZone 并 untrustZone 为其分配接口。
[edit]
user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- 配置从 untrustZone 到的安全 trustZone策略。
[edit]
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all
- 配置安全屏幕选项并将其连接到 untrustZone。
[edit]
user@host# set security screen ids-option untrustScreen ip tear-drop
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop
- 配置系统日志。
[edit]
user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- 提交配置。
