
Configuring Protection Against Network Attacks on an MS-MPC

This topic includes the following tasks, which describe how to protect against network attacks when using an MS-MPC:

Configuring Protection Against Network Probing, Network Flooding, and Suspicious Pattern Attacks

You configure protection against network probing attacks, network flooding attacks, and suspicious pattern attacks by configuring an intrusion detection service (IDS) rule, and then applying that rule to a service set that is on an MS-MPC. Only the first term of an IDS rule is used, and only the first IDS input rule and the first IDS output rule for a service set are used.

Configuring protection against network probing, network flooding, and suspicious pattern attacks includes:

Configuring IDS Rule Name and Direction

For each IDS rule, you must configure a name and the direction of traffic to which it is applied.

To configure the IDS rule name and direction:

  1. Specify a name for the IDS rule.
  2. Specify whether the IDS rule is applied to input traffic, output traffic, or both.

Configuring Session Limits for Subnets

If you want session limits to count all attacks to or from a destination or source subnet as one aggregate, rather than counting each individual address separately, configure aggregation.

To configure subnet aggregation:

  • If you want to apply session limits to an aggregation of all attacks from within an individual IPv4 subnet, specify the subnet prefix length. The range is from 1 through 32.

    For example, with an IPv4 prefix length of 24, attacks from 10.1.1.2 and 10.1.1.3 are counted as attacks from the 10.1.1/24 subnet.

    However, if a single host on a subnet generates a large number of network probing or flooding attacks, the flows for the entire subnet might be stopped.

  • If you want to apply session limits to an aggregation of all attacks from within an individual IPv6 subnet, specify the subnet prefix length. The range is from 1 through 128.

    For example, with an IPv6 prefix length of 64, attacks from 2001:db8:1234:72a2::2 and 2001:db8:1234:72a2::3 are counted as attacks from the 2001:db8:1234:72a2::/64 subnet.

    However, if a single host on a subnet generates a large number of network probing or flooding attacks, the flows for the entire subnet might be stopped.

  • If you want to apply session limits to an aggregation of all attacks to an individual IPv4 subnet, specify the subnet prefix length. The range is from 1 through 32.

    For example, with an IPv4 prefix length of 24, attacks to 10.1.1.2 and 10.1.1.3 are counted as attacks to the 10.1.1/24 subnet.

  • If you want to apply session limits to an aggregation of all attacks to an individual IPv6 subnet, specify the subnet prefix length. The range is from 1 through 128.

    For example, with an IPv6 prefix length of 64, attacks to 2001:db8:1234:72a2::2 and 2001:db8:1234:72a2::3 are counted as attacks to the 2001:db8:1234:72a2::/64 subnet.

Configuring Session Limits Independent of the Protocol

If you want to configure session limits for traffic to an individual destination or from an individual source independent of the protocol, then perform one or more of the following tasks:

  • To configure session limits for source IP addresses or subnets independent of a protocol:
    • Configure the maximum number of concurrent sessions allowed from an individual source IP address or subnet.

    • Configure the maximum number of packets per second allowed from an individual source IP address or subnet.

    • Configure the maximum number of connections per second allowed from an individual source IP address or subnet.

  • To configure session limits for destination IP addresses or subnets independent of a protocol:
    • Configure the maximum number of concurrent sessions allowed for an individual destination IP address or subnet.

    • Configure the maximum number of packets per second allowed for an individual destination IP address or subnet.

    • Configure the maximum number of connections per second allowed for an individual destination IP address or subnet.
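To make the subnet aggregation and by-source session limits concrete, here is an added Python model of the counting behaviour described above (example code written for this page, not Juniper's implementation). It replays constructed session-open events, keys them by the IPv4/IPv6 prefix length the rule aggregates on, and reports which opens a concurrent-session or connections-per-second limit would refuse; with a /24 prefix it also shows the whole-subnet side effect the caveat above warns about.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed session-open/close events for the example: (seconds, source, kind).
# 10.1.1.2 is one busy host; 10.1.1.3 shares its /24 but opens a single session.
EVENTS = [
    (0.0, "10.1.1.2", "open"),
    (0.1, "10.1.1.2", "open"),
    (0.2, "10.1.1.2", "open"),
    (0.3, "10.1.1.3", "open"),
    (0.4, "10.1.2.5", "open"),
    (0.5, "2001:db8:1234:72a2::2", "open"),
    (0.6, "2001:db8:1234:72a2::3", "open"),
]

def aggregation_key(addr, prefix_v4=32, prefix_v6=128):
    """Subnet under which the rule counts this source (host-only by default)."""
    ip = ipaddress.ip_address(addr)
    plen = prefix_v4 if ip.version == 4 else prefix_v6
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def apply_source_limits(events, max_sessions, max_rate,
                        prefix_v4=32, prefix_v6=128):
    """Replay events against by-source limits; return the opens refused.

    max_sessions: concurrent sessions allowed per source key.
    max_rate:     connections per second allowed per source key (1 s window).
    """
    active = defaultdict(int)      # concurrent sessions per aggregation key
    recent = defaultdict(deque)    # open timestamps seen in the last second
    refused = []
    for t, src, kind in sorted(events):
        key = aggregation_key(src, prefix_v4, prefix_v6)
        if kind == "close":
            active[key] = max(0, active[key] - 1)
            continue
        window = recent[key]
        while window and t - window[0] >= 1.0:
            window.popleft()
        if active[key] >= max_sessions:
            refused.append((t, src, f"{key}: {max_sessions} concurrent sessions reached"))
        elif len(window) >= max_rate:
            refused.append((t, src, f"{key}: {max_rate} connections/second reached"))
        else:
            active[key] += 1
            window.append(t)
    return refused
```

With `max_sessions=3` and per-host keys nothing is refused, but with `prefix_v4=24` the single session from 10.1.1.3 is refused because 10.1.1.2 has already filled the 10.1.1.0/24 aggregate.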

Configuring ICMP Address Sweep Protection

To configure protection against ICMP address sweeps, configure any combination of the maximum allowed ICMP concurrent sessions, packets per second, and connections per second for a source:

  • Configure the maximum number of concurrent ICMP sessions allowed from an individual source IP address or subnet.
  • Configure the maximum number of ICMP packets per second allowed from an individual source IP address or subnet.
  • Configure the maximum number of ICMP connections per second allowed from an individual source IP address or subnet.

Configuring TCP Port Scanner Protection

To configure protection against TCP port scanner attacks, configure any combination of the maximum allowed TCP concurrent sessions and connections per second for a source or destination:

  • Configure the maximum number of concurrent TCP sessions allowed from an individual source IP address or subnet.
  • Configure the maximum number of TCP connections per second allowed from an individual source IP address or subnet.
  • Configure the maximum number of concurrent TCP sessions allowed for an individual destination IP address or subnet.
  • Configure the maximum number of TCP connections per second allowed for an individual destination IP address or subnet.

Configuring ICMP Flooding Protection

To configure protection against ICMP flooding attacks, configure any combination of the maximum allowed ICMP concurrent sessions, packets per second, and number of connections per second for a destination:

  • Configure the maximum number of concurrent ICMP sessions allowed for an individual destination IP address or subnet.
  • Configure the maximum number of ICMP packets per second allowed for an individual destination IP address or subnet.
  • Configure the maximum number of ICMP connections per second allowed for an individual destination IP address or subnet.

Configuring UDP Flooding Protection

To configure protection against UDP flooding attacks, configure any combination of the maximum allowed UDP concurrent sessions, packets per second, and connections per second for a destination:

  • Configure the maximum number of concurrent UDP sessions allowed for an individual destination IP address or subnet.
  • Configure the maximum number of UDP packets per second allowed for an individual destination IP address or subnet.
  • Configure the maximum number of UDP connections per second allowed for an individual destination IP address or subnet.

Configuring TCP SYN Flooding Protection

To configure protection against TCP SYN flooding attacks, configure any combination of the maximum allowed TCP concurrent sessions, packets per second, and connections per second for a source or destination. You can also configure the closing of unestablished TCP connections after a timeout:

  • Configure the maximum number of concurrent TCP sessions allowed from an individual source IP address or subnet.
  • Configure the maximum number of TCP packets per second allowed from an individual source IP address or subnet.
  • Configure the maximum number of TCP connections per second allowed from an individual source IP address or subnet.
  • Configure the maximum number of concurrent TCP sessions allowed for an individual destination IP address or subnet.
  • Configure the maximum number of TCP connections per second allowed for an individual destination IP address or subnet.
  • Configure the maximum number of TCP packets per second allowed for an individual destination IP address or subnet.
  • Configure the closing of unestablished TCP connections and the delivery of a TCP RST to the end host to clear the TCP states on it when the open-timeout value at the [edit interfaces interface-name service-options] hierarchy level expires.

Configuring ICMP Fragmentation Protection

To protect against ICMP fragmentation attacks:

  • Configure the identification and dropping of ICMP packets that are IP fragments.

Configuring ICMP Large Packet Protection

To protect against ICMP large packet attacks:

  • Configure the identification and dropping of ICMP packets that are larger than 1024 bytes.

Configuring IP Bad Options Protection

To protect against bad IPv4 options or IPv6 extension header attacks:

  1. Configure the type of IPv4 options that the packet can include. If the packet includes an option that is not configured, then the packet is blocked. If the packet includes a configured option whose length is an illegal value, then the packet is dropped. Specifying any allows all options.

    The IPv4 options supported are any, loose-source-route, route-record, security, stream-id, strict-source-route, and timestamp.

    If you do not include the allow-ip-options statement in the IDS rule, packets with any type of IPv4 option are blocked.

  2. Configure the type of IPv6 extension headers that the packet can include. If the packet includes an extension header that is not configured, then the packet is blocked. If the packet includes configured extension headers that are incorrect, then the packet is dropped. Specifying any allows all extension headers.

    The IPv6 extension headers supported are any, ah, dstopts, esp, fragment, hop-by-hop, mobility, and routing.

    If you do not include the allow-ipv6-extension-header statement in the IDS rule, packets with any type of extension header are dropped.

Configuring Land Attack Protection

To protect against land attacks:

  • Configure the identification and dropping of SYN packets that have the same source and destination IP address or the same source and destination IP address and port.

    To specify that the packets have the same source and destination IP address, use the ip-only option; to specify that the packets have the same source and destination IP address and port, use the ip-port option.

Configuring TCP SYN Fragment Protection

To protect against TCP SYN fragment attacks:

  • Configure the identification and dropping of TCP SYN packets that are IP fragments.

Configuring WinNuke Protection

To protect against WinNuke attacks:

  • Configure the identification and dropping of TCP segments that are destined for port 139 and have the urgent (URG) flag set.
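The per-packet checks from the IP bad options section through the WinNuke section above share one shape: inspect a header field, drop on match. As an added Python model (example code written for this page, not Juniper's implementation), the function below applies those checks to constructed packet dicts; the dict field names are my own, and the check for illegal option lengths mentioned in the IP options section is not modelled.

```python
# Keyword vocabularies the page lists for the two allow lists.
IP_OPTIONS = {"any", "loose-source-route", "route-record", "security",
              "stream-id", "strict-source-route", "timestamp"}
IPV6_EXT_HEADERS = {"any", "ah", "dstopts", "esp", "fragment",
                    "hop-by-hop", "mobility", "routing"}

def _first_disallowed(present, allowed):
    """First header item not covered by the allow list ('any' covers all)."""
    if "any" in allowed:
        return None
    return next((h for h in present if h not in allowed), None)

def ids_drop_reason(pkt, allow_ip_options=(), allow_ipv6_ext=(),
                    land_mode="ip-only"):
    """Return why the IDS rule would drop pkt, or None if it passes.

    pkt is a constructed dict with ver, proto, src, dst, len and optionally
    sport, dport, flags, fragment, ip_options, ext_headers. An empty allow
    list blocks every option / extension header, as the page states.
    """
    if not set(allow_ip_options) <= IP_OPTIONS:
        raise ValueError("unsupported IPv4 option keyword in allow list")
    if not set(allow_ipv6_ext) <= IPV6_EXT_HEADERS:
        raise ValueError("unsupported IPv6 extension header keyword")
    proto, flags = pkt["proto"], set(pkt.get("flags", ()))
    if pkt["ver"] == 4:
        bad = _first_disallowed(pkt.get("ip_options", ()), allow_ip_options)
        if bad:
            return f"ip option not allowed: {bad}"
    else:
        bad = _first_disallowed(pkt.get("ext_headers", ()), allow_ipv6_ext)
        if bad:
            return f"ipv6 extension header not allowed: {bad}"
    if proto == "icmp":
        if pkt.get("fragment"):
            return "icmp fragment"
        if pkt["len"] > 1024:            # larger than 1024 bytes
            return "icmp large packet"
    if proto == "tcp" and "SYN" in flags:
        same_ip = pkt["src"] == pkt["dst"]
        same_port = pkt.get("sport") == pkt.get("dport")
        if same_ip and (land_mode == "ip-only" or same_port):
            return f"land attack ({land_mode})"
        if pkt.get("fragment"):
            return "tcp syn fragment"
    if proto == "tcp" and pkt.get("dport") == 139 and "URG" in flags:
        return "winnuke"
    return None
```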

Configuring the Service Set

To apply the IDS rule actions to a service set:

  1. Assign the IDS rule to a service set that is on an MS-MPC.

    If the service set is associated with an AMS interface, then the session limits you configure are applicable to each member interface.

  2. Limit the packets that the IDS rule processes by configuring a stateful firewall rule (see Configuring Stateful Firewall Rules). The stateful firewall rule can identify either the traffic that should undergo IDS processing or the traffic that should skip IDS processing:
    • To allow IDS processing on the traffic that matches the stateful firewall rule, include accept at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level.

    • To skip IDS processing on the traffic that matches the stateful firewall rule, include accept skip-ids at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level.

  3. Assign the stateful firewall rule to the service set.

Configuring Protection Against Header Anomaly Attacks

Protect against header anomaly attacks by using either of the following methods to enable a header integrity check, which drops any packets with header anomalies:

  • Configure a stateful firewall rule, a NAT rule, or an IDS rule and apply it to the service set that is on an MS-MPC. A header integrity check is automatically enabled.
  • Configure a header integrity check for the service set that is on an MS-MPC.