Command / Description
ip firewall screen spy-blocking icmp-type source-quench
    This command enables blocking of all ICMP type 4 (source quench) packets, including packets generated by the router itself. The protection prevents an attacker from learning about network topology and host availability.
ip firewall screen spy-blocking icmp-type time-exceeded
    This command enables blocking of all ICMP type 11 (time exceeded) packets, including packets generated by the router itself. The protection prevents an attacker from learning about network topology and host availability.
ip firewall screen spy-blocking ip-sweep
    This command enables protection against IP-sweep attacks. When the protection is enabled, if more than 10 ICMP queries from one source arrive within the specified interval, the router drops the first 10 queries, and the 11th and all following queries are discarded for the remaining interval time. The protection prevents an attacker from learning about network topology and host availability.
ip firewall screen spy-blocking port-scan
    This command enables protection against port scan attacks. If more than 10 TCP packets with the SYN flag arrive at several TCP ports, or more than 10 UDP packets arrive at several UDP ports, from one source within the first specified interval (<threshold>), this behaviour is recorded as a port scan attack and all following packets of that type are blocked for the second specified interval (<TIME>). An attacker will not be able to scan the device's open ports quickly.
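The count-then-block behaviour that the ip-sweep and port-scan rows describe, modelled as an added Python example. This is not the router's code and not part of this documentation: the threshold of 10 is the page's, the counting interval and blocking interval are parameters standing in for <threshold> and <TIME> (assumed to be in seconds), probes up to the threshold are passed rather than dropped, port distinctness is not tracked, and the traffic below is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

THRESHOLD = 10  # packet count the page gives for both ip-sweep and port-scan


@dataclass
class SourceState:
    window_start: float          # start of the current counting interval
    count: int = 0               # probes of this kind seen from the source in the interval
    blocked_until: float = -1.0  # end of the blocking interval, -1 when not blocked


@dataclass
class ScreenDetector:
    """Per-source, per-kind counter: once more than THRESHOLD probes of one kind
    (ICMP query, TCP SYN, UDP) arrive from a source inside `interval` seconds,
    further probes of that kind are dropped for `block_time` seconds."""
    interval: float    # counting interval, the page's <threshold> window (assumed: seconds)
    block_time: float  # blocking interval, the page's <TIME> window (assumed: seconds)
    state: Dict[Tuple[str, str], SourceState] = field(default_factory=dict)

    def check(self, ts: float, src: str, kind: str) -> str:
        st = self.state.setdefault((src, kind), SourceState(window_start=ts))
        if ts < st.blocked_until:
            return "drop"  # still inside the blocking interval
        if st.blocked_until >= 0 or ts - st.window_start > self.interval:
            # block just expired, or the counting interval ran out: start over
            st.window_start, st.count, st.blocked_until = ts, 0, -1.0
        st.count += 1
        if st.count > THRESHOLD:
            st.blocked_until = ts + self.block_time
            return "drop"  # the 11th probe trips the screen
        return "accept"  # simplification: probes up to the threshold pass


def simulate(events: List[Tuple[float, str, str]],
             interval: float = 2.0, block_time: float = 10.0) -> List[str]:
    det = ScreenDetector(interval, block_time)
    return [det.check(ts, src, kind) for ts, src, kind in events]


# Constructed traffic (documentation addresses from RFC 5737), not a real capture.
SAMPLE_EVENTS: List[Tuple[float, str, str]] = (
    [(0.1 * i, "198.51.100.7", "icmp_query") for i in range(12)]  # 12 echo requests in 1.1 s
    + [(1.2, "198.51.100.7", "udp")]          # different probe kind: counted separately
    + [(1.3, "198.51.100.9", "icmp_query")]   # different source: its own counter
    + [(20.0, "198.51.100.7", "icmp_query")]  # after the blocking interval expired
)

if __name__ == "__main__":
    for (ts, src, kind), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={ts:5.1f} {src:14} {kind:10} -> {verdict}")
```

Running it shows the 11th and 12th echo requests dropped while the UDP probe and the other source pass, and the request at t=20 accepted again because the blocking interval has run out; shortening the counting interval to 0.5 s spreads the 12 requests over three windows and nothing is dropped.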
ip firewall screen spy-blocking spoofing
    This command enables protection against IP spoofing attacks. When the protection is enabled, the router checks whether the packet's source address matches the routing table entries, and in case of a mismatch the packet is dropped. For example, if a packet with source address 10.0.0.1/24 arrives on the Gi1/0/1 interface while the routing table places that subnet behind the Gi1/0/2 interface, the source address is considered forged. This protects against network intrusions using spoofed source IP addresses.
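The source-address check described for the spoofing screen, written out as an added Python example. It is not the router's implementation: the routing table, interface names and packets are constructed (the first packet reproduces the page's 10.0.0.1 / Gi1/0/1 / Gi1/0/2 case), lookup is a plain longest-prefix match, and treating a source with no route at all as a mismatch is an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, egress interface)

# Constructed routing table for the example (prefixes from RFC 1918 / RFC 5737).
ROUTING_TABLE: List[Route] = [
    (ipaddress.ip_network("10.0.0.0/24"), "Gi1/0/2"),
    (ipaddress.ip_network("192.0.2.0/24"), "Gi1/0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Gi1/0/3"),  # default route
]


def route_lookup(addr: str, table: List[Route] = ROUTING_TABLE) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach `addr`."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoofing_verdict(src: str, ingress: str, table: List[Route] = ROUTING_TABLE) -> str:
    """Reverse-path check as the page describes it: the packet is accepted only if
    its source address is reachable through the interface it arrived on."""
    expected = route_lookup(src, table)
    if expected is None:
        return "drop"  # assumption: a source with no route at all counts as a mismatch
    return "accept" if expected == ingress else "drop"


# Constructed packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.0.0.1", "Gi1/0/1"),     # the page's example: 10.0.0.0/24 lies behind Gi1/0/2
    ("10.0.0.1", "Gi1/0/2"),
    ("192.0.2.5", "Gi1/0/1"),
    ("203.0.113.9", "Gi1/0/3"),  # only the default route covers it
    ("203.0.113.9", "Gi1/0/1"),
]


def screen_all(packets=SAMPLE_PACKETS, table: List[Route] = ROUTING_TABLE) -> List[str]:
    return [spoofing_verdict(src, ingress, table) for src, ingress in packets]


if __name__ == "__main__":
    for (src, ingress), verdict in zip(SAMPLE_PACKETS, screen_all()):
        print(f"{src:14} via {ingress}: {verdict}")
```

The default route matters for asymmetric routing: a source that is only covered by 0.0.0.0/0 passes when it arrives on the default route's interface and is dropped on any other, so on a router with several uplinks this check can reject legitimate traffic unless the routing table reflects the real return paths.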
ip firewall screen spy-blocking syn-fin
    This command enables blocking of TCP packets with both the SYN and FIN flags set. Such packets are non-standard, and the victim's operating system can be determined from its response.
ip firewall screen spy-blocking tcp-all-flag
    This command enables blocking of TCP packets with all flags set, or with the flag set FIN, PSH, URG. This provides protection against XMAS attacks.
ip firewall screen spy-blocking tcp-no-flag
    This command enables blocking of TCP packets with a zero 'flags' field. Such packets are non-standard, and the victim's operating system can be determined from its response.
ip firewall screen suspicious-packets icmp-fragment
    This command enables blocking of fragmented ICMP packets. ICMP packets are usually small and there is no need to fragment them.
ip firewall screen suspicious-packets ip-fragment
    This command enables blocking of fragmented IP packets.