Configuring Network Attack Protection With IDS Screens for Next Gen Services

Configuring the IDS Screen Name, Direction, and Alarm Option

Configure the IDS screen name, traffic direction, and optional alarm.

  1. Specify a name for the IDS screen.
  2. Specify whether the IDS screen is applied to input traffic, output traffic, or both.
  3. If you want the IDS screen to log an alarm when packets exceed the session limit, rather than drop packets, configure alarm-without-drop.

Configuring Session Limits in the IDS Screen

You can use IDS screens to set session limits for traffic from individual addresses or subnets and to individual addresses or subnets. This protects against network probing and flooding attacks. Table 1 shows the session limit options that protect against some common network probing and flooding attacks.

Table 1: IDS Screen Options for Network Attack Types

Each entry gives the network attack type followed by the options to set at the [edit services screen ids-options screen-name limit-sessions] hierarchy level.

ICMP Address Sweep

    by-source by-protocol icmp {
        maximum-sessions number;
        packet-rate number;
        session-rate number;
    }

ICMP Flood

    by-destination by-protocol icmp {
        maximum-sessions number;
        packet-rate number;
        session-rate number;
    }

TCP Port Scan

    (by-destination | by-source) by-protocol tcp {
        maximum-sessions number;
        packet-rate number;
    }

TCP SYN Flood

    (by-destination | by-source) by-protocol tcp {
        maximum-sessions number;
        packet-rate number;
        session-rate number;
    }

UDP Flood

    by-destination by-protocol udp {
        maximum-sessions number;
        packet-rate number;
        session-rate number;
    }

To configure the session limits in an IDS screen:

  1. If you want to apply session limits to an aggregation of all sessions to individual destination subnets or from individual source subnets rather than individual addresses, configure aggregation.

    1. To apply session limits to an aggregation of all sessions from within an individual IPv4 subnet, specify the subnet prefix length. The range is from 1 through 32.

      For example, if you configure an IPv4 prefix length of 24, sessions from 192.0.2.2 and 192.0.2.3 are counted as sessions from the 192.0.2.0/24 subnet.

    2. To apply session limits to an aggregation of all sessions from within an individual IPv6 subnet, specify the subnet prefix length. The range is from 1 through 128.

      For example, if you configure an IPv6 prefix length of 64, sessions from 2001:db8:1234:72a2::2 and 2001:db8:1234:72a2::3 are counted as sessions from the 2001:db8:1234:72a2::/64 subnet.

    3. To apply session limits to an aggregation of all sessions to an individual IPv4 subnet, specify the subnet prefix length. The range is from 1 through 32.
    4. To apply session limits to an aggregation of all sessions to an individual IPv6 subnet, specify the subnet prefix length. The range is from 1 through 128.
  2. If you want to apply session limits from a source for a particular IP protocol:

    1. Configure the maximum number of concurrent sessions allowed from an individual source IP address or subnet for a particular IP protocol.
    2. Configure the maximum number of packets per second allowed from an individual source IP address or subnet for a particular protocol.
    3. Configure the maximum number of connections per second allowed from an individual source IP address or subnet for a particular protocol.
  3. If you want to apply session limits to a destination for a particular IP protocol:

    1. Configure the maximum number of concurrent sessions allowed to an individual destination IP address or subnet for a particular IP protocol.
    2. Configure the maximum number of packets per second allowed to an individual destination IP address or subnet for a particular protocol.
    3. Configure the maximum number of connections per second allowed to an individual destination IP address or subnet for a particular protocol.
  4. If you want to apply session limits from a source regardless of the IP protocol:

    1. Configure the maximum number of concurrent sessions allowed from an individual source IP address or subnet.
    2. Configure the maximum number of packets per second allowed from an individual source IP address or subnet.
    3. Configure the maximum number of connections per second allowed from an individual source IP address or subnet.
  5. If you want to apply session limits to a destination regardless of the IP protocol:

    1. Configure the maximum number of concurrent sessions allowed to an individual destination IP address or subnet.
    2. Configure the maximum number of packets per second allowed to an individual destination IP address or subnet.
    3. Configure the maximum number of connections per second allowed to an individual destination IP address or subnet.
  6. Specify the services card CPU utilization percentage that triggers the installation of a dynamic filter on the PFEs of the line cards for suspicious traffic. The default value is 90.

    In addition to the CPU utilization percentage threshold, the packet rate or connection rate for an individual source or destination address must exceed four times the session limit in the IDS screen before the dynamic filter is installed. Dynamic filters are not created from IDS screens that use subnet aggregation.

    The dynamic filter drops the suspicious traffic at the PFE, without the traffic being processed by the IDS screen. When the packet or connection rate no longer exceeds four times the limit in the IDS screen, the dynamic filter is removed.
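As an added illustration (not Junos configuration and not code from this page), the following Python model applies the session-limit semantics described above: subnet aggregation using the /24 and /64 examples from step 1, maximum-sessions with and without alarm-without-drop, and the step 6 dynamic filter trigger. The class and method names are constructed, and treating the CPU threshold comparison as inclusive is an assumption.

```python
import ipaddress
from collections import defaultdict

class SessionLimitScreen:
    """Constructed model of an IDS screen by-source session limit (not Junos code)."""

    def __init__(self, maximum_sessions, session_rate, alarm_without_drop=False,
                 v4_prefix=None, v6_prefix=None, cpu_threshold=90):
        self.maximum_sessions = maximum_sessions      # concurrent sessions per source key
        self.session_rate = session_rate              # connections/second per source key
        self.alarm_without_drop = alarm_without_drop  # log an alarm instead of dropping
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix  # aggregation prefix lengths
        self.cpu_threshold = cpu_threshold            # services card CPU %, default 90
        self.active = defaultdict(int)                # current session count per key
        self.alarms = []                              # keys that hit the limit

    def key(self, addr):
        """Counting key: the address itself, or its subnet when aggregation is configured."""
        ip = ipaddress.ip_address(addr)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        if plen is None:
            return str(ip)
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def new_session(self, src):
        """Apply maximum-sessions to a new session from src; return 'allow' or 'drop'."""
        k = self.key(src)
        if self.active[k] >= self.maximum_sessions:
            self.alarms.append(k)
            if not self.alarm_without_drop:
                return "drop"
        self.active[k] += 1
        return "allow"

    def dynamic_filter_installed(self, observed_session_rate, cpu_percent):
        """Model of the step 6 trigger for the PFE dynamic filter.

        CPU utilization must reach the threshold (inclusive is an assumption here) and the
        observed rate must exceed four times the limit; screens with aggregation never qualify.
        """
        if self.v4_prefix is not None or self.v6_prefix is not None:
            return False
        return cpu_percent >= self.cpu_threshold and observed_session_rate > 4 * self.session_rate

if __name__ == "__main__":
    screen = SessionLimitScreen(maximum_sessions=2, session_rate=10, v4_prefix=24)
    for src in ("192.0.2.2", "192.0.2.3", "192.0.2.3"):  # constructed sample sources
        print(src, "->", screen.key(src), screen.new_session(src))
```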

Configuring Suspicious Packet Pattern Detection in the IDS Screen

You can use IDS screens to identify and drop suspicious packets. This protects against attackers that craft unusual packets to launch denial-of-service attacks.

To configure suspicious pattern detection:

  1. To protect against ICMP fragmentation attacks, identify and drop ICMP packets that are IP fragments.
  2. To identify and drop malformed ICMPv6 packets, configure icmpv6-malformed.
  3. To protect against ICMP large packet attacks, identify and drop ICMP packets that are larger than 1024 bytes.
  4. To protect against ping of death attacks, identify and drop oversized and irregular ICMP packets.
  5. To protect against bad option attacks, identify and drop packets with incorrectly formatted IPv4 options or IPv6 extension headers.
  6. To identify and drop fragmented IP packets, configure block-frag.
  7. To drop IPv6 packets with particular extension header values, specify the values.

    The following header values can be configured:

    ah-header: Authentication Header extension header
    esp-header: Encapsulating Security Payload extension header
    fragment-header: Fragment Header extension header
    hop-by-hop-header: Hop-by-Hop option with the specified option:
      CALIPSO-option: Common Architecture Label IPv6 Security Option
      jumbo-payload-option: IPv6 jumbo payload option
      quick-start-option: IPv6 quick start option
      router-alert-option: IPv6 router alert option
      RPL-option: Routing Protocol for Low-Power and Lossy Networks option
      SFM-DPD-option: Simplified Multicast Forwarding IPv6 Duplicate Packet Detection option
      user-defined-option-type type-low to type-high: A range of header types. Range: 1 through 255.
    mobility-header: Mobility Header extension header
    routing-header: Routing Header extension header
  8. To drop IPv4 packets with particular IPv4 option values, specify the values.

    The following IPv4 option values can be configured:

    loose-source-route-option: IP option 3 (Loose Source Routing)
    record-route-option: IP option 7 (Record Route)
    security-option: IP option 2 (Security)
    source-route-option: IP option 3 (Loose Source Routing) or IP option 9 (Strict Source Routing)
    stream-option: IP option 8 (Stream ID)
    strict-source-route-option: IP option 9 (Strict Source Routing)
    timestamp-option: IP option 4 (Internet Timestamp)
  9. To protect against IP teardrop attacks, identify and drop fragmented IP packets that overlap.
  10. To protect against IP unknown protocol attacks, identify and drop IP frames with protocol numbers greater than 137 for IPv4 and 139 for IPv6.
  11. To protect against TCP FIN No ACK Attacks, identify and drop any packet with the FIN flag set and without the ACK flag set.
  12. To protect against land attacks, identify and drop SYN packets that have the same source and destination address or port.
  13. To protect against TCP SYN ACK ACK attacks, configure the maximum number of connections from an IP address that can be opened without being completed.
  14. To protect against TCP SYN FIN attacks, identify and drop packets that have both the SYN and FIN flags set.
  15. To protect against SYN fragment attacks, identify and drop SYN packet fragments.
  16. To protect against TCP no flag attacks, identify and drop TCP packets that have no flag fields set.
  17. To protect against TCP WinNuke attacks, identify and drop TCP segments that are destined for port 139 and have the urgent (URG) flag set.
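The following Python checker is an added example, not Junos code, that applies the packet-pattern rules from steps 1, 3, 6, 10, 11, 12, 14, 15, 16 and 17 above to constructed packet summaries, returning which checks a packet would trip. The Packet fields and the pattern labels it returns are assumptions for this example, not Junos keywords; the land check uses the classic same-address-and-port signature.

```python
from dataclasses import dataclass

# Constructed packet summary used as input; not a real packet decoder.
@dataclass(frozen=True)
class Packet:
    version: int            # 4 or 6
    protocol: int           # IP protocol / next-header number (1 ICMP, 6 TCP, 58 ICMPv6)
    src: str
    dst: str
    length: int             # total packet length in bytes
    fragment: bool = False  # packet is an IP fragment
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN", "ACK"})

def suspicious_patterns(p, block_frag=False):
    """Return labels of the pattern checks (steps 1-17 above) that packet p matches."""
    hits = []
    is_icmp = p.protocol in (1, 58)
    is_tcp = p.protocol == 6
    f = p.tcp_flags
    if is_icmp and p.fragment:
        hits.append("icmp-fragment")        # step 1
    if is_icmp and p.length > 1024:
        hits.append("icmp-large")           # step 3
    if block_frag and p.fragment:
        hits.append("block-frag")           # step 6
    if p.protocol > (137 if p.version == 4 else 139):
        hits.append("ip-unknown-protocol")  # step 10
    if is_tcp:
        if "FIN" in f and "ACK" not in f:
            hits.append("fin-no-ack")       # step 11
        if "SYN" in f and p.src == p.dst and p.sport == p.dport:
            hits.append("land")             # step 12 (classic LAND signature assumed)
        if {"SYN", "FIN"} <= f:
            hits.append("syn-fin")          # step 14
        if "SYN" in f and p.fragment:
            hits.append("syn-frag")         # step 15
        if not f:
            hits.append("tcp-no-flag")      # step 16
        if p.dport == 139 and "URG" in f:
            hits.append("winnuke")          # step 17
    return hits

if __name__ == "__main__":
    # Constructed sample: URG segment to port 139
    winnuke = Packet(4, 6, "198.51.100.7", "192.0.2.10", 60, sport=40000, dport=139,
                     tcp_flags=frozenset({"URG", "ACK"}))
    print(suspicious_patterns(winnuke))
```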

Configuring the Service Set for IDS

Configure a service set to apply the IDS screen.

  1. Assign the IDS screen to a service set.

    If the service set is associated with an AMS interface, then the session limits you configure are applicable to each member interface.

  2. Limit the packets that the IDS screen processes by configuring a stateful firewall rule. The stateful firewall rule can identify either the traffic that should undergo IDS processing or the traffic that should skip IDS processing:
    • To allow IDS processing on the traffic that matches the stateful firewall rule, include accept at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level.

    • To skip IDS processing on the traffic that matches the stateful firewall rule, include accept skip-ids at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level.

  3. Assign the stateful firewall rule to the service set.
  4. To protect against header anomaly attacks, configure a header integrity check for the service set.