Configuring tcp-no-flag Attack Screen
This topic describes how to configure detection of a tcp-no-flag attack.
A TCP segment with no control flags set is an anomalous event causing various responses from the recipient. When the TCP no-flag is enabled, the device detects the TCP segment headers with no flags set, and drops all TCP packets with missing or malformed flag fields.
To enable detection of a tcp-no-flag option:
- Configure interfaces and assign an IP address to the interfaces.user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones trustZone and untrustZone and assign interfaces
to them.user@host# set security zones security-zone trustZone host-inbound-traffic system-services alluser@host# set security zones security-zone trustZone host-inbound-traffic protocols alluser@host# set security zones security-zone trustZone interfaces ge-0/0/1.0user@host# set security zones security-zone untrustZone host-inbound-traffic system-services alluser@host# set security zones security-zone untrustZone host-inbound-traffic protocols alluser@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from untrustZone to trustZone.user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set security policies default-policy deny-all
- Configure security screens and attach them to untrustZone.user@host# set security screen ids-option untrustScreen tcp tcp-no-flaguser@host# set security zones security-zone untrustZone screen untrustScreenuser@host# set security screen ids-option untrustScreen alarm-without-drop
- Configure syslog.user@host# set system syslog file syslog any anyuser@host# set system syslog file syslog archive size 10000000user@host# set system syslog file syslog explicit-priorityuser@host# set system syslog file syslog structured-datauser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- Commit the configuration.user@host# commit