ESR series service routers.ESR-Series. User manual
Command Description
ip firewall screen dos-defense syn-
flood
This command enables the protection against SYN flood attacks. When the
protection is enabled, the amount of TCP packets with the SYN flag set per
second for one destination address is limited. The attack leads to the host
reboot and its failure due to the necessity to process each TCP SYN packet and
the attempts to establish a TCP session.
ip firewall screen dos-defense udp-
threshold
This command enables the protection against UDP flood attacks. When the
protection is enabled, the amount of UDP packets per second for one
destination address is limited. The attack lead to the host reboot and its failure
due to the massive UDP traffic.
ip firewall screen dos-defense
winnuke
This command enables the protection against winnuke attacks. When the
protection is enabled, TCP packets with the URG flag set and 139 destination
port are blocked. The attack leads to the older Windows versions (up to 95
version) failure.
ip firewall screen spy-blocking fin-no-
ack
The given command enables the blocking of TCP packets with the FIN flag set
and the ACK flag not set. These packets are specialized and it is possible to
determine a victim operational system by the respond.
ip firewall screen spy-blocking icmp-
type destination-unreachable
The given command enables the blocking of all 3 type ICMP packets
(destination-unreachable) including the packets generated by the router itself.
The protection prevents an attacker from learning about network topology and
hosts availability.
ip firewall screen spy-blocking icmp-
type echo-request
The given command enables the blocking of all 8 type ICMP packets (echo-
request) including the packets generated by the router itself. The protection
prevents an attacker from learning about network topology and hosts
availability.
ip firewall screen spy-blocking icmp-
type reserved
The given command enables the blocking of all 2 and 7 type ICMP packets
(reserved) including the packets generated by the router itself. The protection
prevents an attacker from learning about network topology and hosts
availability.
ip firewall screen spy-blocking icmp-
type source-quench
The given command enables the blocking of all 4 type ICMP packets (source
quench) including the packets generated by the router itself. The protection
prevents an attacker from learning about network topology and hosts
availability.
ip firewall screen spy-blocking icmp-
type time-exceeded
The given command enables the blocking of all 11 type ICMP packets (time
exceeded) including the packets generated by the router itself. The protection
prevents an attacker from learning about network topology and hosts
availability.
To Next Page
Loading...