Example: Blocking Packets with No Flags Set

This example shows how to create a screen to block packets with no flags set.

Requirements

Before you begin, understand how a TCP header with no flags set works. See Understanding TCP Header with No Flags Set.

Overview

A normal TCP segment header has at least one control flag set. A TCP segment with no control flags set (a "null" packet, the probe used in a TCP null scan) is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device can provide a clue as to the type of OS it is running.

When you enable the device to detect TCP segment headers with no flags set, the device drops all TCP segments in which every flag bit is clear, as well as TCP packets with a missing or malformed flags field. The screen applies only to TCP; traffic of other protocols is not affected by it.
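To make the detection rule concrete, here is an added Python example that is not Junos code and does not show how the SRX implements the screen internally. It classifies constructed IPv4/TCP packets the way a tcp-no-flag screen would: a segment with all eight flag bits clear is dropped, a TCP header too short to contain the flags byte or carrying a nonsensical data offset is dropped as malformed, and non-TCP traffic is left alone. The packet builder, the helper names and the sample set are assumptions made for the example; the packets are constructed inline, not captured from a network.

```python
import struct

# Bit positions of the 8-bit TCP flags field (byte 13 of the TCP header), LSB first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def tcp_flags_verdict(ip_packet: bytes):
    """Classify one IPv4 packet the way a tcp-no-flag screen would.

    Returns (verdict, reason): verdict is "pass" or "drop". Non-TCP traffic
    is never inspected by this screen, so it always passes here.
    """
    if len(ip_packet) < 20:
        return ("drop", "truncated IPv4 header")
    ver_ihl = ip_packet[0]
    if ver_ihl >> 4 != 4:
        return ("pass", "not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(ip_packet) < ihl:
        return ("drop", "bad IPv4 header length")
    if ip_packet[9] != 6:
        return ("pass", "not TCP")
    tcp = ip_packet[ihl:]
    # The flags byte sits at offset 13; anything shorter than the 20-byte
    # minimal header has no flags field at all (the "missing flags field" case).
    if len(tcp) < 20:
        return ("drop", "truncated TCP header, flags field missing")
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or len(tcp) < data_offset:
        return ("drop", "malformed TCP data offset")
    flags = tcp[13]
    if flags == 0:
        return ("drop", "TCP segment with no flags set")
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return ("pass", "flags=" + "|".join(names))


def build_ipv4_tcp(flags, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80, payload=b""):
    """Constructed sample packet (assumption for this example): IPv4 header and
    TCP header, both without options. Checksums stay zero; the screen never
    looks at them."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def _with_byte(pkt, offset, value):
    """Return a copy of pkt with one byte patched (used to craft malformed samples)."""
    buf = bytearray(pkt)
    buf[offset] = value
    return bytes(buf)


# Constructed samples, not captured traffic.
SAMPLES = {
    "syn":        build_ipv4_tcp(0x02),                     # ordinary connection request
    "psh_ack":    build_ipv4_tcp(0x18, payload=b"GET / "),  # data segment
    "null_scan":  build_ipv4_tcp(0x00),                     # all flag bits clear
    "truncated":  build_ipv4_tcp(0x02)[:30],                # IPv4 header + only 10 TCP bytes
    "bad_offset": _with_byte(build_ipv4_tcp(0x10), 20 + 12, 0x30),  # data offset 12 < 20
    "udp":        _with_byte(build_ipv4_tcp(0x00), 9, 17),  # protocol 17: screen ignores it
}


def screen_verdicts(samples=SAMPLES):
    """Run every sample through the screen and return {name: (verdict, reason)}."""
    return {name: tcp_flags_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in screen_verdicts().items():
        print(f"{name:<11} {verdict:<5} {reason}")
```

Running the script prints one line per sample; the null-scan, truncated and bad-offset packets are the three that get dropped. The "udp" sample with all flag bits clear passes, which is the point to remember when testing the screen on a device: only TCP packets can trigger it.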

In this example, you create a screen called screen-1 to block packets with no flags set.

Configuration

Step-by-Step Procedure

To block packets with no flags set:

  1. Configure the screen.
    [edit]
    user@host# set security screen ids-option screen-1 tcp tcp-no-flag
  2. Enable the screen in the security zone.
    [edit]
    user@host# set security zones security-zone zone-1 screen screen-1
  3. If you are done configuring the device, commit the configuration.
    [edit]
    user@host# commit

Verification

To verify that the screen is configured and attached to the zone, enter the show security screen ids-option screen-1 command and confirm that the TCP no-flag option is listed as enabled. To verify that the screen is actually dropping traffic, send a TCP segment with no flags set toward an interface in zone-1 and then enter the show security screen statistics zone zone-1 command; the TCP no flag counter should increase by one for each such segment dropped.