Configuring IP Sweep Attack Screen
This topic describes how to configure detection of an IP sweep attack.
An address sweep occurs when one source IP address sends a defined number of ICMP packets to different hosts within a defined time interval (5000 microseconds is the default value). The purpose of this attack is to send ICMP packets—typically echo requests—to various hosts in the hope that at least one replies, thus uncovering an address to target.
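Configure the security screen option with ICMP IP sweep detection, set alarm-without-drop so that a detected sweep generates an alarm without the packets being dropped, and attach the screen to the untrustZone as follows: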
[edit]
user@host# set security screen ids-option untrustScreen icmp ip-sweep
user@host# set security screen ids-option untrustScreen alarm-without-drop
user@host# set security zones security-zone untrustZone screen untrustScreen
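The sweep condition defined at the top of this topic (one source, ICMP to different hosts, within a time interval) can be modelled as a sliding window, which is useful for checking what traffic should and should not raise the alarm. This is an added example, not Junos code and not the device's actual implementation; the host count of 10, the function names and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_US = 5000   # default interval stated on this page (microseconds)
HOST_COUNT = 10    # assumed value; the page says only "a defined number"


def detect_ip_sweeps(packets, window_us=WINDOW_US, host_count=HOST_COUNT):
    """Return [(source, time_us)] for each source that sends ICMP to
    host_count different destinations within window_us microseconds.

    packets: iterable of (time_us, src, dst, proto), sorted by time.
    """
    recent = defaultdict(deque)  # src -> (time_us, dst) entries inside the window
    alarms = []
    for time_us, src, dst, proto in packets:
        if proto != "icmp":
            continue
        window = recent[src]
        window.append((time_us, dst))
        # Expire entries older than the interval; the newest entry always stays.
        while time_us - window[0][0] > window_us:
            window.popleft()
        # Count distinct destinations, so repeated pings to one host do not match.
        if len({d for _, d in window}) >= host_count:
            alarms.append((src, time_us))
            window.clear()  # report each burst once
    return alarms


def sample_packets():
    """Constructed traffic (documentation address ranges), not a real capture."""
    pkts = []
    for i in range(12):   # sweep: 12 hosts, 300 us apart
        pkts.append((i * 300, "198.51.100.7", f"192.0.2.{i + 1}", "icmp"))
    for i in range(20):   # many echo requests, but to a single host
        pkts.append((i * 100, "198.51.100.8", "192.0.2.50", "icmp"))
    for i in range(12):   # slow scan: 12 hosts, 1000 us apart
        pkts.append((i * 1000, "198.51.100.9", f"192.0.2.{i + 101}", "icmp"))
    for i in range(12):   # fast, many hosts, but TCP rather than ICMP
        pkts.append((i * 50, "198.51.100.10", f"192.0.2.{i + 201}", "tcp"))
    return sorted(pkts)


if __name__ == "__main__":
    for src, t in detect_ip_sweeps(sample_packets()):
        print(f"ip-sweep alarm: source {src} at t={t} us")
```

In this model the slow scan never trips the default window, which shows why the interval has to be chosen with the expected probe rate in mind.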