ESR series service routers. ESR-Series. User manual
Command: ip firewall screen spy-blocking ip-sweep
Description: This command enables protection against IP-sweep attacks. When the protection is enabled and more than 10 ICMP queries from one source arrive within the specified interval, the router handles the first 10 queries and discards the 11th and all subsequent queries for the remainder of the interval. The protection prevents an attacker from learning the network topology and which hosts are reachable.

Command: ip firewall screen spy-blocking port-scan
Description: This command enables protection against port scan attacks. If more than 10 TCP packets with the SYN flag arrive at several TCP ports, or more than 10 UDP packets arrive at several UDP ports, from one source within the first specified interval (<threshold>), this behaviour is recorded as a port scan attack and all subsequent packets of that type are blocked for the second specified interval (<TIME>). An attacker is thus unable to scan the device's open ports quickly.
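The two entries above describe stateful, rate-based screens. The following Python model is an added example, not Eltex's implementation: it reproduces the behaviour the manual describes (the first 10 packets in an interval are handled, the rest are dropped; more than 10 packets to several ports marks a scan and blocks that packet type for a second interval). The limit of 10 comes from the manual; the interval lengths and the class and method names are assumptions, and the IP addresses are constructed test values.

```python
from collections import defaultdict, deque

# Packet threshold from the manual: more than 10 packets of a kind from one
# source within the interval trips both screens.
PACKET_LIMIT = 10


class IpSweepScreen:
    """Model of 'ip firewall screen spy-blocking ip-sweep'.

    ICMP queries are counted per source address inside a fixed interval.
    The first PACKET_LIMIT queries in an interval are handled; the 11th and
    later ones are discarded until the interval expires.
    """

    def __init__(self, window_seconds: float) -> None:
        self.window = window_seconds          # assumed parameter (not on the page)
        self.window_start: dict = {}          # src -> start time of its current interval
        self.count: dict = defaultdict(int)   # src -> queries seen in that interval

    def accept(self, src: str, now: float) -> bool:
        """Return True if an ICMP query from src at time `now` is handled."""
        start = self.window_start.get(src)
        if start is None or now - start >= self.window:
            # A new interval starts for this source; its counter resets.
            self.window_start[src] = now
            self.count[src] = 0
        self.count[src] += 1
        return self.count[src] <= PACKET_LIMIT


class PortScanScreen:
    """Model of 'ip firewall screen spy-blocking port-scan'.

    Per (source, packet type) the screen remembers the packets seen within
    the detection interval (<threshold>). More than PACKET_LIMIT packets
    spread over several destination ports is recorded as a port scan, and
    every further packet of that type from the source is blocked for
    block_seconds (<TIME>).
    """

    def __init__(self, threshold_seconds: float, block_seconds: float) -> None:
        self.threshold = threshold_seconds
        self.block = block_seconds
        self.history: dict = {}        # (src, kind) -> deque of (time, dport)
        self.blocked_until: dict = {}  # (src, kind) -> time the block expires

    def accept(self, src: str, kind: str, dport: int, now: float) -> bool:
        """kind is 'tcp-syn' or 'udp'; return True if the packet passes."""
        key = (src, kind)
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[key]
        hist = self.history.setdefault(key, deque())
        # Forget observations older than the detection interval.
        while hist and now - hist[0][0] > self.threshold:
            hist.popleft()
        hist.append((now, dport))
        distinct_ports = {port for _, port in hist}
        # Many packets to a single port (e.g. SYN retransmits) is not a scan;
        # the manual requires 'several' ports.
        if len(hist) > PACKET_LIMIT and len(distinct_ports) > 1:
            self.blocked_until[key] = now + self.block
            hist.clear()
            return False
        return True


if __name__ == "__main__":
    sweep = IpSweepScreen(window_seconds=1.0)
    verdicts = [sweep.accept("192.0.2.10", 0.05 * i) for i in range(12)]
    print("ip-sweep:", verdicts)          # 10 x True, then False, False
    scan = PortScanScreen(threshold_seconds=1.0, block_seconds=30.0)
    verdicts = [scan.accept("198.51.100.7", "tcp-syn", 1000 + i, 0.01 * i)
                for i in range(11)]
    print("port-scan:", verdicts)         # 10 x True, then False
```

The port-scan model keys its state on the packet type, so a block on TCP SYN packets from a source does not affect UDP packets from the same source, matching the manual's "packets of that type". It also only counts a burst as a scan when the packets are spread over more than one port, which keeps ordinary SYN retransmits to a single service from tripping it.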
Command: ip firewall screen spy-blocking spoofing
Description: This command enables protection against IP spoofing attacks. When the protection is enabled, the router checks whether a packet's source address is consistent with the routing table and drops the packet on a mismatch. For example, if a packet with source address 10.0.0.1/24 arrives on the Gi1/0/1 interface but the routing table reaches that subnet through the Gi1/0/2 interface, the source address is considered to have been replaced. This protects against network intrusions with forged source IP addresses.

Command: ip firewall screen spy-blocking syn-fin
Description: This command enables blocking of TCP packets with both the SYN and FIN flags set. Such packets are crafted deliberately, and the victim's operating system can be determined from its response.

Command: ip firewall screen spy-blocking tcp-all-flag
Description: This command enables blocking of TCP packets with all flags set, or with the flag set FIN, PSH, URG. This provides protection against the XMAS attack.

Command: ip firewall screen spy-blocking tcp-no-flag
Description: This command enables blocking of TCP packets whose flags field is zero. Such packets are crafted deliberately, and the victim's operating system can be determined from its response.
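The spoofing, syn-fin, tcp-all-flag and tcp-no-flag entries are stateless per-packet checks. The Python below is an added example, not Eltex's code: it implements the reverse-path check the spoofing entry describes (longest-prefix lookup of the source address, compared with the ingress interface) and the three TCP flag screens. The routing table is constructed to mirror the manual's example (10.0.0.0/24 behind Gi1/0/2); the other prefixes, the interface Gi1/0/3 and the function names are assumptions.

```python
import ipaddress
from typing import Optional

# TCP flag bits in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # ECE/CWR are not considered
XMAS_FLAGS = FIN | PSH | URG

# Constructed routing table: prefix -> interface the prefix is reached through.
# Mirrors the manual's example: 10.0.0.0/24 lies behind Gi1/0/2.
ROUTING_TABLE = {
    ipaddress.ip_network("10.0.0.0/24"): "Gi1/0/2",
    ipaddress.ip_network("192.168.1.0/24"): "Gi1/0/1",
    ipaddress.ip_network("0.0.0.0/0"): "Gi1/0/3",   # default route (assumed)
}


def route_lookup(addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for net, iface in ROUTING_TABLE.items():
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def is_spoofed(src: str, ingress: str) -> bool:
    """Model of 'spy-blocking spoofing': the source address is treated as
    replaced when the route back to it does not leave through the interface
    the packet arrived on (a reverse-path check)."""
    return route_lookup(src) != ingress


def tcp_flag_verdict(flags: int) -> Optional[str]:
    """Name of the spy-blocking screen a TCP flags byte trips, or None.

    syn-fin:       SYN and FIN set together
    tcp-all-flag:  all six flags set, or exactly the XMAS set FIN+PSH+URG
    tcp-no-flag:   none of the six flags set
    """
    f = flags & SIX_FLAGS
    if f == SIX_FLAGS or f == XMAS_FLAGS:
        return "tcp-all-flag"
    if f & SYN and f & FIN:
        return "syn-fin"
    if f == 0:
        return "tcp-no-flag"
    return None


def screen(src: str, ingress: str, tcp_flags: Optional[int] = None) -> list:
    """Run the stateless spy-blocking checks on one packet description and
    return the names of the screens that would drop it (constructed API)."""
    hits = []
    if is_spoofed(src, ingress):
        hits.append("spoofing")
    if tcp_flags is not None:
        verdict = tcp_flag_verdict(tcp_flags)
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    # The manual's example: 10.0.0.1 arriving on Gi1/0/1 while routed via Gi1/0/2.
    print(screen("10.0.0.1", "Gi1/0/1", SYN))        # ['spoofing']
    print(screen("10.0.0.1", "Gi1/0/2", SYN | FIN))  # ['syn-fin']
    print(screen("192.168.1.5", "Gi1/0/1", 0))       # ['tcp-no-flag']
```

A normal SYN, SYN+ACK or FIN+ACK segment produces no verdict, which is the property to verify before enabling these screens on a production interface: the flag combinations they block never occur in a legitimate TCP conversation, so any hit in the logs is worth investigating rather than tuning away.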
Command: ip firewall screen suspicious-packets icmp-fragment
Description: This command enables blocking of fragmented ICMP packets. ICMP packets are usually small and there is no need to fragment them.

Command: ip firewall screen suspicious-packets ip-fragment
Description: This command enables blocking of fragmented IP packets.

Command: ip firewall screen suspicious-packets large-icmp
Description: This command enables blocking of ICMP packets larger than 1024 bytes.

Command: ip firewall screen suspicious-packets syn-fragment
Description: This command enables blocking of fragmented TCP packets with the SYN flag set. TCP packets with the SYN flag are usually small and there is no need to fragment them. The protection prevents fragmented packets from accumulating in a buffer.
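The four suspicious-packets screens all decide from IPv4 header fields (protocol, total length, the MF bit and fragment offset) plus, for syn-fragment, the TCP flags byte of the first fragment. The following Python is an added example, not Eltex's implementation: it parses a raw IPv4 header and applies the four checks, with small builders that construct test datagrams. The 1024-byte limit is from the manual; that it applies to the whole IP datagram (rather than the ICMP payload) is an assumption, as are the function names and the addresses used in the constructed packets.

```python
import struct

ICMP, TCP = 1, 6          # IPv4 protocol numbers
TCP_SYN = 0x02            # SYN bit in the TCP flags byte
MAX_ICMP_BYTES = 1024     # from the manual: larger ICMP packets are blocked
IP_MF = 0x2000            # 'more fragments' bit in the flags/fragment-offset word
IP_OFFSET_MASK = 0x1FFF


def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields the suspicious-packets screens look at."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hdr_len = (ver_ihl & 0x0F) * 4
    offset = flags_frag & IP_OFFSET_MASK
    return {
        "proto": proto,
        "total_len": total_len,
        # A datagram is a fragment if MF is set or it is not the first piece.
        "fragmented": bool(flags_frag & IP_MF) or offset != 0,
        "first_fragment": offset == 0,
        "payload": packet[hdr_len:],
    }


def suspicious_packets_verdict(packet: bytes) -> list:
    """Names of the suspicious-packets screens that would drop this datagram."""
    ip = parse_ipv4(packet)
    hits = []
    if ip["fragmented"]:
        hits.append("ip-fragment")
        if ip["proto"] == ICMP:
            hits.append("icmp-fragment")
        # Only the first fragment carries the TCP header, so only there can
        # the SYN bit (byte 13 of the TCP header) be inspected.
        if ip["proto"] == TCP and ip["first_fragment"] and len(ip["payload"]) >= 14:
            if ip["payload"][13] & TCP_SYN:
                hits.append("syn-fragment")
    # Assumption: the 1024-byte limit is applied to the whole IP datagram.
    if ip["proto"] == ICMP and ip["total_len"] > MAX_ICMP_BYTES:
        hits.append("large-icmp")
    return hits


# --- constructed test input: minimal headers, checksums left at zero ---

def build_ipv4(proto: int, payload: bytes, more_fragments: bool = False,
               frag_offset: int = 0) -> bytes:
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


def build_tcp(flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


if __name__ == "__main__":
    print(suspicious_packets_verdict(build_ipv4(ICMP, build_icmp_echo(b"x" * 56))))
    print(suspicious_packets_verdict(build_ipv4(ICMP, build_icmp_echo(b"x" * 1400))))
    print(suspicious_packets_verdict(build_ipv4(TCP, build_tcp(TCP_SYN), more_fragments=True)))
```

Note that a non-initial TCP fragment carries no TCP header at all, so the syn-fragment check can only fire on the first fragment; the ip-fragment screen is what catches the remaining pieces, which is why the manual lists it separately.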