Filter and Firewall
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
TCP-XMAS-SCAN 
tcp-xmas-scan 
A TCP frame has been seen with a sequence number of zero and the FIN, URG, and 
PUSH bits all set. This frame should never be seen in normal TCP operation. 
Sometimes it is sent in preparation for a future attack, and sometimes to see 
whether the system has a service that is susceptible to attack. To avoid this 
attack, the above command is placed in the default DoS prevention list.
UDP-FRAGGLE-ATTACK
udp-fraggle-attack 
When a perpetrator sends a large amount of UDP echo (ping) traffic to IP 
broadcast addresses, all of it with a fake source address, it causes a system 
crash or denial of service. This command is implicitly included in the default 
attack prevention list to secure the system from this attack.
OPTIONAL ATTACKS 
The following four DoS attacks are not set for prevention by default. These 
attacks, too, can either be manually turned on for detection or blocked by 
applying filters.
ICMP-BLOCK-TRACE-ROUTE
icmp-block-trace-route
This command is not a default DoS setting: the attack is not set for protection 
by default in the OmniAccess 5740 USG, but you can turn protection on by 
explicitly adding the above keyword to the user-defined attack prevention list.
ICMP-ROUTER-ADVERTISEMENT
icmp-router-advertisement
Remote attackers can spoof these ICMP packets and remotely add bad default-route 
entries to a victim's routing table. Because the victim's system would then 
forward frames to the wrong address, it would be unable to reach other 
networks. This attack can be prevented by adding this command to the DoS 
prevention list.
ICMP-REDIRECT
icmp-redirect
This command is not a default DoS setting. The above command can be included 
in the DoS prevention list to avoid this kind of attack.
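
Added example, not from the Alcatel-Lucent guide and not a description of how the OmniAccess 5740 implements these checks: a Python classifier that applies the per-packet signatures described above for tcp-xmas-scan and udp-fraggle-attack, plus the ICMP types behind icmp-router-advertisement and icmp-redirect, to constructed IPv4 packets. Assumptions: "UDP echo" means destination port 7, router advertisement and redirect are ICMP types 9 and 5, packets are unfragmented, and the local network 198.51.100.0/24 and all sample addresses are made up.

```python
import ipaddress
import struct

XMAS = 0x01 | 0x08 | 0x20            # FIN | PSH | URG bits of the TCP flags byte
UDP_ECHO_PORT = 7                    # assumption: "UDP echo" = echo service, port 7
ICMP_TYPES = {5: "icmp-redirect", 9: "icmp-router-advertisement"}
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")

def classify(packet, local_net="198.51.100.0/24"):
    """Return the guide's DoS keyword matching a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return None                  # truncated, not IPv4, or bad header length
    ihl = (packet[0] & 0x0F) * 4     # IPv4 header length in bytes
    proto, dst, l4 = packet[9], ipaddress.IPv4Address(packet[16:20]), packet[ihl:]
    if proto == 6 and len(l4) >= 14:                     # TCP
        seq = struct.unpack("!I", l4[4:8])[0]
        if seq == 0 and (l4[13] & XMAS) == XMAS:
            return "tcp-xmas-scan"
    elif proto == 17 and len(l4) >= 8:                   # UDP
        dport = struct.unpack("!H", l4[2:4])[0]
        directed = ipaddress.ip_network(local_net).broadcast_address
        # Source spoofing cannot be judged from one packet; match on the target.
        if dport == UDP_ECHO_PORT and dst in (LIMITED_BCAST, directed):
            return "udp-fraggle-attack"
    elif proto == 1 and l4:                              # ICMP: type is byte 0
        return ICMP_TYPES.get(l4[0])
    return None

def ipv4(proto, dst, payload, src="192.0.2.10"):
    """Constructed test packet: minimal IPv4 header (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def tcp(seq, flags):
    return struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 0x50, flags, 1024, 0, 0)

SAMPLES = {  # all constructed for illustration
    "xmas": ipv4(6, "198.51.100.5", tcp(0, XMAS)),
    "syn": ipv4(6, "198.51.100.5", tcp(12345, 0x02)),
    "fraggle": ipv4(17, "198.51.100.255", struct.pack("!HHHH", 7, 7, 8, 0)),
    "echo_unicast": ipv4(17, "198.51.100.5", struct.pack("!HHHH", 7, 7, 8, 0)),
    "redirect": ipv4(1, "198.51.100.5", struct.pack("!BBHI", 5, 1, 0, 0)),
    "router_adv": ipv4(1, "198.51.100.5", struct.pack("!BBHI", 9, 0, 0, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {classify(pkt)}")
```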