ESR series service routers. ESR-Series. User manual
| Step | Description | Command | Keys |
|---|---|---|---|
| 25 | Enable detection of espionage (reconnaissance) activity and its logging via CLI, syslog and SNMP. | `esr(config)# logging firewall screen spy-blocking { <ATACK_TYPE> \| icmp-type <ICMP_TYPE> }` | `<ATACK_TYPE>` – espionage activity type, takes the following values: fin-no-ack, ip-sweep, port-scan, spoofing, syn-fin, tcp-all-flag, tcp-no-flag. `<ICMP_TYPE>` – ICMP type, takes the following values: destination-unreachable, echo-request, reserved, source-quench, time-exceeded. |
| 26 | Enable detection of specialized packets and its logging via CLI, syslog and SNMP. | `esr(config)# logging firewall screen suspicious-packets <PACKET_TYPE>` | `<PACKET_TYPE>` – non-standard packet type, takes the following values: icmp-fragment, ip-fragment, large-icmp, syn-fragment, udp-fragment, unknown-protocols. |
13.3.2  Description of attack protection mechanisms
| Command | Description |
|---|---|
| `ip firewall screen dos-defense icmp-threshold` | This command enables protection against ICMP flood attacks. When the protection is enabled, the number of ICMP packets of all types per second for one destination address is limited. The attack causes the host to reboot and fail because it has to process each query and respond to it. |
| `ip firewall screen dos-defense land` | This command enables protection against land attacks. When the protection is enabled, packets with the same source and destination IP addresses and with the SYN flag set in the TCP header are blocked. The attack causes the host to reboot and fail because it has to process each TCP SYN packet and attempts to establish a TCP session with itself. |
| `ip firewall screen dos-defense limit-session-destination` | When the host IP sessions table overflows, the host is unable to establish new sessions and drops the requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command limits the number of packets transmitted per second per destination address, which attenuates DoS attacks. |
| `ip firewall screen dos-defense limit-session-source` | When the host IP sessions table overflows, the host is unable to establish new sessions and drops the requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command limits the number of packets transmitted per second per source address, which attenuates DoS attacks. |
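
The land, icmp-threshold and limit-session checks described in the table above, modelled in Python as an added example; this is not Eltex code and not taken from the manual. The class name, the threshold values, the order in which the screens are evaluated and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SYN = 0x02  # SYN bit in the TCP flags byte


class ScreenModel:
    """Toy model of the dos-defense screens; limits are constructed values."""

    def __init__(self, icmp_pps=3, dst_pps=5, src_pps=5):
        self.limits = {"icmp-threshold": icmp_pps,
                       "limit-session-destination": dst_pps,
                       "limit-session-source": src_pps}
        # (screen, address) -> timestamps of packets accepted in the last second
        self.windows = defaultdict(deque)

    def _over_limit(self, screen, addr, now):
        win = self.windows[(screen, addr)]
        while win and now - win[0] >= 1.0:   # forget packets older than 1 s
            win.popleft()
        if len(win) >= self.limits[screen]:
            return True                      # this second's budget is spent
        win.append(now)
        return False

    def check(self, pkt, now):
        """Return the screen that blocks pkt, or None if the packet passes."""
        # land: same source and destination IP with SYN set in the TCP header
        if pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"] and pkt["flags"] & SYN:
            return "land"
        # icmp-threshold: all ICMP types counted together per destination
        if pkt["proto"] == "icmp" and self._over_limit("icmp-threshold", pkt["dst"], now):
            return "icmp-threshold"
        # per-destination, then per-source packet rate (order is an assumption)
        if self._over_limit("limit-session-destination", pkt["dst"], now):
            return "limit-session-destination"
        if self._over_limit("limit-session-source", pkt["src"], now):
            return "limit-session-source"
        return None


def run_sample():
    """Constructed traffic: one land packet, then five pings to one host."""
    m = ScreenModel()
    land = {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "flags": SYN}
    ping = {"proto": "icmp", "src": "198.51.100.9", "dst": "192.0.2.20", "flags": 0}
    return [m.check(land, 0.0)] + [m.check(ping, i / 10) for i in range(5)]
```

With the default limit of three ICMP packets per second, the fourth and fifth pings inside the same second are dropped, and the same destination is served again once the one-second window has passed.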