Configuring TCP Land Attack Screen
This topic describes how to configure detection of a TCP land attack.
Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and the source IP address.
To enable detection of a TCP land attack:
- Configure interfaces and assign IP addresses to the interfaces.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones trustZone and untrustZone and assign interfaces
to them.
[edit] user@host# set security zones security-zone trustZone host-inbound-traffic system-services all user@host# set security zones security-zone trustZone host-inbound-traffic protocols all user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from untrustZone to trustZone.
[edit] user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit user@host# set security policies default-policy deny-all
- Configure security screens and attach them to untrustZone.
[edit] user@host# set security screen ids-option untrustScreen tcp land user@host# set security zones security-zone untrustZone screen untrustScreen
- Configure syslog.
[edit] user@host# set system syslog file syslog any any user@host# set system syslog file syslog archive size 10000000 user@host# set system syslog file syslog explicit-priority user@host# set system syslog file syslog structured-data user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- Commit the configuration.
[edit] user@host# commit