이 주제는 TCP fin-no-ack 공격 탐지를 구성하는 방법에 대해 설명합니다. FIN 플래그가 설정되었지만 ACK 플래그가 설정되지 않은 TCP 헤더는 비정상적인 TCP 동작입니다.
ACK 비트 IDS 옵션이 없는 FIN 비트 감지를 활성화하려면:
- 인터페이스를 구성하고 인터페이스에 IP 주소를 할당합니다.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- 보안 영역을 trustZone 구성하고 untrustZone 인터페이스를 할당합니다.
[edit]
user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- 에서 untrustZone (으)로 trustZone보안 정책을 구성합니다.
[edit]
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all
- 보안 화면을 구성하고 에 untrustZone연결합니다.
[edit]
user@host# set security screen ids-option untrustScreen tcp fin-no-ack
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop
- syslog를 구성합니다.
[edit]
user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- 구성을 커밋합니다.
