Protecting Security Zones from Denial-of-Service Attacks
Attackers use denial-of-service (DoS) attacks to overwhelm a target with traffic from a single source IP address, preventing the target from processing legitimate traffic. A more advanced form is the distributed DoS (DDoS) attack, in which the traffic arrives from many source addresses at once. In either case, attackers typically use spoofed IP addresses or previously compromised hosts as the source, so the traffic cannot easily be traced back to them or filtered on a single address.
To protect targets in the security zone from DoS and DDoS attacks, configure the settings as described in Table 1.
Table 1: DoS Attack Prevention Settings for Security Zones
Setting | Description
Ping of Death Attack Protection
Select this option to reject oversized and malformed ICMP packets. The maximum IP packet size is 65,535 bytes; after a 20-byte IP header (without options) and an 8-byte ICMP header, an ICMP echo request can legitimately carry at most 65,507 bytes of data. Attackers send a fragmented ping whose reassembled size exceeds this limit; a host that does not bound its reassembly buffer can overflow it and crash, causing a DoS.
Teardrop Attack Protection
Select this option to block teardrop attack packets, which are designed to exploit vulnerabilities in the reassembly of fragmented IP packets. In the IP header, the fragment offset field indicates the starting position, or "offset," of the data carried in a fragment relative to the data of the original unfragmented packet. A fragment's data should begin where the previous fragment's data ends (the previous fragment's offset plus its length). When an attacker crafts a fragment whose offset falls inside the range covered by the previous fragment, the fragments overlap, and a host with flawed reassembly code can crash when it tries to put them together.
Block ICMP Fragments
Select this option to block ICMP packets that have the More Fragments (MF) flag set or a nonzero value in the fragment offset field. ICMP packets are typically very short messages containing error reports or network probe information. Because ICMP packets do not carry large payloads, they should not be fragmented, and a fragmented ICMP packet is a sign of manipulation.
Block Large ICMP Packets
Select this option to block ICMP packets larger than 1024 bytes. ICMP packets are typically very short messages containing error reports or network probe information; a large ICMP packet is suspicious.
Block IP Packet Fragments
Select this option to block IP fragments destined for interfaces in the security zone. As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based on the maximum transmission unit (MTU) of each network. Attackers can use IP fragments to exploit vulnerabilities in the packet reassembly code of specific IP stack implementations. Note that this option also drops legitimately fragmented traffic, such as large UDP datagrams that exceed the path MTU, so confirm that nothing in the zone depends on fragmentation before enabling it.
Land Attack Protection
Select this option to block land attacks, which combine a SYN flood with IP spoofing. Attackers send spoofed SYN packets in which the source IP address is set to the same address as the destination, that is, the target's own address. The target responds by sending the SYN-ACK packet to itself, creating an empty, half-open connection that lasts until the idle timeout is reached; in time, these empty connections exhaust the connection table and overwhelm the system.
SYN-ACK-ACK Proxy Protection
Select this option and configure a threshold to prevent SYN-ACK-ACK sessions from flooding the security device's session table. When the security device proxies a connection for user authentication, it completes the TCP three-way handshake (SYN, SYN-ACK, ACK) with the client, creates a session-table entry, and then presents a login prompt. An attacker who reaches the prompt can, instead of logging in, keep initiating new SYN-ACK-ACK sessions until the session table fills and the device rejects legitimate connection requests. When proxy protection is enabled and the number of such connections from one IP address reaches the SYN-ACK-ACK proxy threshold, the security device rejects further connection requests from that address. By default, the threshold is 512 connections from any single IP address; you can set it anywhere from 1 to 250,000 to meet your networking requirements.
Source IP-Based Session Limit
Select this option and configure a threshold to limit the number of concurrent sessions from the same source IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements.
Destination IP-Based Session Limit
Select this option and configure a threshold to limit the number of concurrent sessions to the same destination IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements.
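The settings in Table 1 are selected in the web interface, but the same screen profile can be built and bound to a zone from the Junos CLI. The following is an added example, not configuration from the original page: the profile name dos-protect and the zone name untrust are assumptions, the thresholds are the defaults stated in the table, and the option keywords are the CLI equivalents as the editor understands them, so confirm them against your release's CLI reference before committing.

```junos
## Added example: one screen profile carrying every setting from Table 1.
## "dos-protect" and "untrust" are assumed names; thresholds are the page's defaults.
set security screen ids-option dos-protect icmp ping-death
set security screen ids-option dos-protect icmp fragment
set security screen ids-option dos-protect icmp large
set security screen ids-option dos-protect ip tear-drop
set security screen ids-option dos-protect ip block-frag
set security screen ids-option dos-protect tcp land
set security screen ids-option dos-protect tcp syn-ack-ack-proxy threshold 512
set security screen ids-option dos-protect limit-session source-ip-based 128
set security screen ids-option dos-protect limit-session destination-ip-based 128

## Stage the profile in alarm-only mode first: matching packets are logged
## but not dropped, so you can see what legitimate traffic (for example,
## fragmented UDP) the ip block-frag option would affect before enforcing.
set security screen ids-option dos-protect alarm-without-drop

## A screen has no effect until a zone references it; traffic entering
## interfaces in that zone is then checked against the profile.
set security zones security-zone untrust screen dos-protect
commit

## Review the profile and per-zone hit counters, then switch to enforcement.
run show security screen ids-option dos-protect
run show security screen statistics zone untrust
delete security screen ids-option dos-protect alarm-without-drop
commit
```

The screen is applied per zone, not per policy, so every interface in the zone is protected regardless of which policies later match the traffic. Keep the alarm-only stage until the statistics show no hits from traffic you expect to allow, then remove it.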