Modifying the Screens Configuration for Security Devices
You can use the Screens section on the Modify Configuration page to modify the security screen configuration for a device. You can modify settings related to screen name, denial of service, anomalies, and reconnaissance.
Refer to the Junos OS documentation (available at https://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/junos/product/) for a particular release and device. There you can find detailed information on the configuration parameters for that device.
To modify the screen configuration:
- Select Devices > Security Devices.
The Security Devices page appears.
- Select the devices whose configuration you want to modify.
- From the More or right-click menu, select Configuration > Modify Configuration.
The Modify Configuration page appears.
- Click Screens.
The Screens page appears.
- For SRX Series devices, modify the configuration according to the guidelines provided in Table 1.
Starting with Junos Space Security Director Release 16.2, you can configure screens for MX Series routers. For MX Series routers, modify the configuration according to the guidelines provided in Table 2.
- After modifying the configuration, you can cancel the changes, save the changes, preview the changes, or save the changes and deploy the configuration on the device. See Modifying the Configuration of Security Devices.
Table 1: Screens for SRX Series Devices
Modify the name of the screen.
Modify the description of the screen.
Generate alarms without dropping packets
Select this check box to generate an alarm when an attack is detected, without dropping the attack traffic.
Denial of Service
Land attack protection
Select this option to prevent land attacks, where an attacker sends spoofed IP packets with headers containing the target’s IP address for the source and destination IP address.
Combining the SYN flood defense with IP spoofing protection prevents land attacks.
Teardrop attack protection
Select this option to prevent a teardrop attack, which exploits the reassembly of fragmented IP packets by sending fragments whose offsets overlap. The device drops any packets that show such a discrepancy.
ICMP fragment protection
Select this option to block any ICMP packet that has the More Fragments flag set or that has an offset value.
Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.
Ping of death attack protection
Select this option to prevent a ping-of-death attack, which occurs when an attacker sends IP packets exceeding the maximum allowed size (65,535 bytes).
Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. Larger packets can trigger a range of adverse system reactions, including crashing, freezing, and restarting.
Large size ICMP packet protection
Select this option to drop ICMP packets with a length greater than 1024 bytes.
Block fragment traffic
Select this option to deny IP fragments on a security zone and to block all IP packet fragments that are received at interfaces bound to that zone.
SYN-ACK-ACK proxy protection
Select this option to prevent a SYN-ACK-ACK attack, which occurs when the attacker establishes multiple telnet sessions without allowing each session to terminate.
After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the device rejects further connection requests from that IP address.
WinNuke attack protection
Select this option to detect attacks in Windows NetBIOS communications.
Each WinNuke attack triggers an attack log entry in the event alarm log. WinNuke is a DoS attack targeting any computer on the Internet running Windows.
Select this option to detect and drop any packet with an incorrectly formatted IP option in the IP packet header (IPv4 or IPv6). The device records the event in the screen counters list for the ingress interface.
Select this option to detect packets where the optional header field is IP option 2 (security), and the event is recorded in the screen counters list for the ingress interface.
Select this option to discard all received IP frames with protocol numbers greater than 137 for IPv4 and 139 for IPv6. These protocol numbers are undefined or reserved.
Strict source route
Select this option to detect packets where the optional header field is IP option 9 (strict source routing), and the event is recorded in the screen counters list for the ingress interface.
This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field.
Select this option either to block any packets set with loose or strict source route options or to detect such packets and then record the event in the counters list for the ingress interface.
Source routing allows users at the source of an IP packet transmission to specify the IP addresses of the devices that they want an IP packet to take on its way to its destination.
Select this option to detect packets where the optional header field is IP option 4 (Internet timestamp), and the event is recorded in the screen counters list for the ingress interface. This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.
Select this option to detect packets where the optional header field is IP option 8 (stream ID), and the event is recorded in the screen counters list for the ingress interface.
This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams.
Loose source route
Select this option to detect packets where the optional header field is IP option 3 (loose source routing), and the event is recorded in the screen counters list for the ingress interface.
This option specifies a partial route list for a packet to take on its journey from source to destination.
Select this option to detect packets where the optional header field is IP option 7 (record route), and the event is recorded in the screen counters list for the ingress interface.
This option records the IP addresses of the network devices along the path that the IP packet travels.
SYN fragment protection
Select this option to detect packets where the IP header indicates that the packet has been fragmented and the SYN flag is set in the TCP header.
A fragmented SYN packet is anomalous, and, as such, it is suspect. To be cautious, block such unknown elements from entering your protected network.
SYN and FIN flags set protection
Select this option to detect an illegal combination of flags that attackers can use to consume sessions on the target device.
Both the SYN and FIN control flags are not normally set in the same TCP segment header. The SYN flag synchronizes sequence numbers to initiate a TCP connection. The FIN flag indicates the end of data transmission to finish a TCP connection. Their purposes are mutually exclusive. A TCP header with the SYN and FIN flags set is anomalous TCP behavior, causing various responses from the recipient, depending on the OS.
FIN flag without ACK flag set protection
Select this option to detect an illegal combination of flags and to reject packets that have this combination.
Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there is no uniform response to this. The OS might respond by sending a TCP segment with the RST flag set.
Select this option to check whether a received ICMPv6 packet matches the defined criteria and to perform the specified action on matching packets.
Specify the maximum number of permitted extension headers in a packet.
IPv6 malformed header
Select this option to enable checks and filters for IPv6 packet headers. After these functions are enabled, the system checks incoming IPv6 packets against the defined criteria and performs the specified action on matching packets.
IPv6 extension header
Select this option to selectively screen one or more extension headers.
Select this option to inspect the routing-header type field and report a custom attack if a match with the specified value is found.
Select this option to verify that there is only one fragment header.
Enable the IPv6 shim header screen option.
Select this option to detect whether the packet is an unknown protocol packet.
Select this option to allow nodes to remain reachable as the nodes move around in the IPv6 network.
Select this option to provide data integrity and data authentication for IPv6 packets.
Select this option to provide both encryption and authentication for IPv6 packets.
Select the IPv6 Host Identity Protocol header screen option.
Select this option to verify that this is the first extension header to follow the IPv6 basic header.
Select this option to set the payload length field in the IPv6 header to zero in every packet.
Enable this option to notify transit routers to more closely examine the contents of an IP packet.
Select this option to allow TCP to determine the allowed sending rate at the beginning of a transport session and after an idle period of time.
Select the Common Architecture Label IPv6 Security Option for including explicit sensitivity labels for IPv6 packets in multi-level security networking environments.
Select the Routing Protocol for Low-Power and Lossy Networks screen option in low power networks to convey routing information in every packet that a router forwards.
Select the Simplified Multicast Forwarding IPv6 Duplicate Packet Detection screen option for mobile ad hoc and wireless mesh networking use.
Select the IPv6 destination header screen option specifically to deliver information to the destination node.
Select the home address screen option to assign an IP address to a device within its home network.
Select the Identifier-Locator Network Protocol nonce screen option to separate the two functions of network addresses: identifying network endpoints and assisting routing by separating topological information from node identity.
Enable the line identification screen option.
Select the tunnel encapsulation limit option to specify the number of additional levels of encapsulation allowed to be prepended to a packet.
Limit sessions from the same source
Set the number of concurrent sessions that can be initiated from a source IP address.
When you set a source-based session limit, it can:
Limit sessions from the same destination
Set the number of concurrent sessions that can be directed to a single destination IP address. This ensures that the device allows only an acceptable number of concurrent connection requests, no matter what the source, to reach any one host.
ICMP flood protection
Select this option to prevent an ICMP flood attack, where ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.
The threshold value defines the number of ICMP packets per second allowed to ping the same destination address before the device rejects further ICMP packets.
UDP flood protection
Select this option to prevent a UDP flood attack, where an attacker sends IP packets containing UDP datagrams to slow down resources, such that valid connections can no longer be handled.
The threshold value defines the number of UDP packets per second allowed to reach the same destination IP address and port pair. When the number of packets exceeds this value within any 1-second period, the device generates an alarm and drops subsequent packets for the remainder of that second.
SYN flood protection
Select this option to prevent a SYN flood attack, where the connecting host continuously sends TCP SYN requests without replying to the corresponding SYN-ACK responses.
When the number of SYN segments per second exceeds the set threshold, the device will either start proxying incoming SYN segments by replying with SYN/ACK segments and storing the incomplete connection requests in a connection queue, or it will drop the packets.
Set the number of SYN packets per second (pps) required to trigger a SYN proxy response. The default value is 200 pps, and you can set the attack threshold from 1 to 500,000 pps.
Although you can set the threshold to any number, you need to know the normal traffic patterns at your site to set an appropriate threshold for it. For example, for an e-business site that normally gets 20,000 SYN segments per second, you might want to set the threshold to 30,000 pps. If a smaller site normally gets 20 SYN segments per second, you might consider setting the threshold to 40 pps.
Set the number of proxied, half-completed TCP connection requests per second after which the device enters an alarm in the event log.
The value you set for an alarm threshold triggers an alarm when the number of proxied, half-completed connection requests to the same destination address per second exceeds that value.
Set the number of SYN segments that the device can receive per second from a single source IP address before the device begins dropping connection requests from that source. The default value is 4000 per second, and you can set the source threshold from 4 to 500,000 per second.
Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.
Set the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. The default value is 4000 per second, and you can set the destination threshold from 4 to 1,000,000 per second.
If a protected host runs multiple services, you might want to set a threshold based on destination IP address only—regardless of the destination port number.
Set the maximum length of time before a half-completed connection is dropped from the queue. The default value is 20 seconds, and you can set the timeout from 1 to 50 seconds. When either a source or destination threshold is not configured, the system will use the default threshold value.
You can decrease the timeout value until connections start to be dropped under normal traffic conditions, then back it off.
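The per-second threshold semantics described above (attack threshold, source threshold and destination threshold for SYN flood, and the same one-second bucket rule the ICMP and UDP flood screens use) modelled in Python. This is an added illustration written for this page, not Security Director or Junos code; the classifier, sample addresses and traffic shapes are constructed, and the page's default values are used as the thresholds.

```python
from collections import defaultdict


class SynFloodScreen:
    """Models the SYN flood thresholds described above (defaults from the page).

    All counters are per 1-second bucket, so a drop or proxy decision applies
    for the remainder of that second and resets when the next second starts.
    The ICMP and UDP flood thresholds use the same bucket rule per destination.
    """

    def __init__(self, attack_threshold=200, source_threshold=4000,
                 destination_threshold=4000):
        self.attack_threshold = attack_threshold            # pps to one destination -> SYN proxy
        self.source_threshold = source_threshold            # SYN/s from one source -> drop
        self.destination_threshold = destination_threshold  # SYN/s to one destination -> drop
        self.per_dst = defaultdict(int)  # (second, dst) -> SYN segments seen
        self.per_src = defaultdict(int)  # (second, src) -> SYN segments seen

    def inspect(self, ts_us, src, dst):
        """Classify one SYN segment: forward, proxy, drop-source or drop-destination."""
        second = ts_us // 1_000_000
        self.per_src[(second, src)] += 1
        self.per_dst[(second, dst)] += 1
        if self.per_src[(second, src)] > self.source_threshold:
            return "drop-source"        # source-based SYN flood tracking
        if self.per_dst[(second, dst)] > self.destination_threshold:
            return "drop-destination"   # destination-based tracking
        if self.per_dst[(second, dst)] > self.attack_threshold:
            return "proxy"              # basic protection: answer SYN/ACK on behalf of dst
        return "forward"


def count(results):
    """Tally of decisions, returned as a plain dict."""
    tally = {}
    for r in results:
        tally[r] = tally.get(r, 0) + 1
    return tally


def run_demo():
    """Constructed traffic: a distributed burst at one host, then one chatty source."""
    screen = SynFloodScreen()
    # Second 5: 250 SYNs from 50 sources to 192.0.2.10 exceed the 200 pps attack threshold.
    burst = [screen.inspect(5_000_000 + i * 4000, "10.1.0.%d" % (i % 50), "192.0.2.10")
             for i in range(250)]
    # Second 6: 4100 SYNs from 203.0.113.9 spread over 50 hosts exceed the source
    # threshold while every destination stays far below its own thresholds.
    chatty = [screen.inspect(6_000_000 + i * 200, "203.0.113.9", "192.0.2.%d" % (100 + i % 50))
              for i in range(4100)]
    return count(burst), count(chatty)
```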
Select this option to prevent an IP spoofing attack, where an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source.
The mechanism to detect IP spoofing relies on route table entries. When the device detects the packet with a spoofed source IP address, it discards the packet.
Select this option to prevent an IP sweep attack, where an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target’s IP address to the attacker. If the device receives 10 ICMP echo requests within the number of microseconds specified in this statement, then it flags this as an IP sweep attack and rejects the eleventh and all further ICMP packets from that host for the remainder of the second.
The threshold value defines the maximum number of microseconds during which up to 10 ICMP echo requests from the same host are allowed into the device.
Select this option to prevent a TCP sweep attack, where an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, then the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. If a remote host sends TCP packets to 10 addresses in 0.005 seconds (5000 microseconds), then the device flags this as a TCP sweep attack.
Select this option to prevent a UDP sweep attack, where an attacker sends UDP packets to the target device. If the device responds to those packets, then the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. If a remote host sends UDP packets to 10 addresses in 0.005 seconds (5000 microseconds), then the device flags this as a UDP sweep attack.
Select this option to prevent a port scan attack, where the available services are scanned in the hopes that at least one port will respond, thus identifying a service to target.
A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different destination ports within a defined interval. The default interval is 5000 microseconds.
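The sweep and port-scan rules described above (10 distinct destination addresses, or 10 distinct destination ports, from one source within the 5000-microsecond default interval, after which further packets from that source are rejected for the remainder of the second) as a small detector in Python. This is an added illustration for this page, not Security Director or Junos code; the sliding-window expiry of older targets and the sample addresses are constructed assumptions.

```python
from collections import defaultdict, deque

TARGET_COUNT = 10           # the page: 10 addresses (sweep) or 10 ports (port scan)
DEFAULT_INTERVAL_US = 5000  # the page's default interval, in microseconds


class SweepScreen:
    """Models the IP/TCP/UDP sweep and port-scan screens described above.

    key="dst" counts distinct destination addresses per source (a sweep);
    key="dport" counts distinct destination ports per source (a port scan).
    When the 10th distinct target arrives within interval_us of the oldest
    still-counted one, the source is flagged and its further packets are
    rejected for the remainder of the current second.
    """

    def __init__(self, interval_us=DEFAULT_INTERVAL_US, key="dst"):
        self.interval_us = interval_us
        self.key = key
        self.seen = defaultdict(deque)  # src -> deque of (ts_us, target), oldest first
        self.blocked_until = {}         # src -> timestamp (us) at which the block lapses

    def inspect(self, pkt):
        """Return 'pass', 'alert' (10th target inside the interval) or 'drop' (blocked)."""
        src, ts = pkt["src"], pkt["ts_us"]
        if ts < self.blocked_until.get(src, 0):
            return "drop"
        window = self.seen[src]
        while window and ts - window[0][0] > self.interval_us:  # expire stale targets
            window.popleft()
        target = pkt[self.key]
        if all(t != target for _, t in window):
            window.append((ts, target))
        if len(window) >= TARGET_COUNT:
            window.clear()
            self.blocked_until[src] = (ts // 1_000_000 + 1) * 1_000_000  # rest of this second
            return "alert"
        return "pass"


def make_packets(src, start_us, step_us, n):
    """Constructed sample traffic: one source probing n distinct hosts and ports."""
    return [{"src": src, "ts_us": start_us + i * step_us,
             "dst": "10.0.0.%d" % (i + 1), "dport": 1000 + i} for i in range(n)]


def run_demo():
    """Fast prober (11 targets in 3 ms) versus slow prober (11 targets in 10 ms)."""
    screen = SweepScreen()
    fast = [screen.inspect(p) for p in make_packets("203.0.113.5", 1_000_000, 300, 11)]
    slow = [screen.inspect(p) for p in make_packets("198.51.100.7", 1_000_000, 1000, 11)]
    return fast, slow
```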
Table 2: Screens for MX Series Routers
Modify the name of the screen.
Specify the direction in which the rule match is applied.
The following options are available:
Select a service set from the list that you have already created to define a collection of services to be performed by an Adaptive Services (AS) interface or Multiservices line cards (MS-DPC, MS-MIC, and MS-MPC).
Configure the following parameters for UDP:
Configure the following parameters for ICMP:
Limit Session (Cumulative)
Limit Session (Per Second)