    Configuring Ping-Of-Death Attack Screen

    This topic describes how to configure detection of a ping-of-death attack.

    The screen matches an IP datagram in which the protocol field of the IP header is set to 1 (ICMP), the last fragment bit is set, and (IP offset * 8) + (IP data length) > 65535. That is, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
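
The condition above, evaluated on raw IPv4 headers in Python. This is an added example, not Juniper code or the device's implementation. It assumes that "last fragment" means the more-fragments flag is clear and that IP data length is the total length minus the header length; `build_fragment` and `is_ping_of_death` are hypothetical helper names, and the packets are constructed test data.

```python
import struct

IP_MAX = 65535       # maximum size of an IP packet, from the condition above
PROTO_ICMP = 1       # protocol field value for ICMP
MF_FLAG = 0x2000     # "more fragments" bit in the flags/offset field

def build_fragment(proto, offset_units, more_fragments, data_len):
    """Build a constructed IPv4 fragment: 20-byte header (checksum left 0) plus zeroed data."""
    flags_off = (MF_FLAG if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + data_len, 0x1234, flags_off,
                         64, proto, 0,
                         bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return header + bytes(data_len)

def is_ping_of_death(packet):
    """Return True when the packet meets all three parts of the condition."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    total_len, _ident, flags_off = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl:
        return False                      # malformed length fields
    last_fragment = (flags_off & MF_FLAG) == 0
    offset_bytes = (flags_off & 0x1FFF) * 8   # offset field is in 8-byte units
    data_len = total_len - ihl                # assumption: data = total - header
    return (packet[9] == PROTO_ICMP and last_fragment
            and offset_bytes + data_len > IP_MAX)

if __name__ == "__main__":
    samples = {
        "oversized ICMP last fragment": build_fragment(1, 8189, False, 100),
        "normal ICMP last fragment": build_fragment(1, 185, False, 100),
        "oversized UDP last fragment": build_fragment(17, 8189, False, 100),
    }
    for name, pkt in samples.items():
        print(f"{name}: {is_ping_of_death(pkt)}")
```
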

    To enable detection of a ping-of-death IDP attack:

    1. Configure interfaces and assign an IP address to interfaces.
      user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
      user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
    2. Configure security zones trustZone and untrustZone and assign interfaces to them.
      user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
      user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
      user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
      user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
      user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
      user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
    3. Configure security policies from untrustZone to trustZone.
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set security policies default-policy deny-all
    4. Configure security screens and attach them to untrustZone.
      user@host# set security screen ids-option untrustScreen icmp ping-death
      user@host# set security zones security-zone untrustZone screen untrustScreen
      user@host# set security screen ids-option untrustScreen alarm-without-drop
    5. Configure syslog.
      user@host# set system syslog file syslog any any
      user@host# set system syslog file syslog archive size 10000000
      user@host# set system syslog file syslog explicit-priority
      user@host# set system syslog file syslog structured-data
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
    6. Commit the configuration.
      user@host# commit
     

    Modified: 2016-08-01