JNCIS-SEC [ SCREEN ]
Screen is an option that you can use to prevent some sort of attacks. Once enabled, screen check is performed prior to any other check according to the packet flow diagram. For an attack to take place, several stages have to be taken;
Reconnaissance
IP Address Sweep
This is used to know the layout of the targeted network and generally used in a way one source IP address sends ICMP packets to different hosts.
Port Scanning
Source IP sends IP packets containing TCP SYN segments to different ports at the same destination IP address. It is to scan services of the destination host.
IP Options
It is for some special routing controls, diagnostic tools but they are very seldom.
OS Probes
Because different OSs respond differently to anomalous traffic, response to this sort of traffic can give information about the target host.
Exploit
Denial of Service Attacks
* Session table flood
* SYN-ACK-ACK proxy flood
* SYN flood
* SYN cookie
* ICMP flood
* UDP flood
* LAND attack
* Ping of Death
* Teardrop
* Winnuke
TIP:
To enable SCREEN in monitoring mode without any blocking, use the following method
[edit security screen]
root@host# show
ids-option test-screen {
alarm-without-drop;
}
IP Address Sweep and TCP Port Scan Defense
[edit security screen]
root@host# show
ids-option test-screen {
icmp {
ip-sweep threshold 6000;
}
tcp {
port-scan threshold 6000;
}
}
Configuration above says that
a) if a remote host sends ICMP traffic to 10 address within 6000 microseconds (0.006 sec) and address sweep attack is flagged
b) If a remote host scans 10 ports within 6000 microseconds, a port scan attack is flagged
a) if a remote host sends ICMP traffic to 10 address within 6000 microseconds (0.006 sec) and address sweep attack is flagged
b) If a remote host scans 10 ports within 6000 microseconds, a port scan attack is flagged
To activate these screens you must apply it within a security zone like below;
[edit security zones security-zone trust]
root@host# show
screen test-screen;
IP Options Defense
[edit security screen]
root@host# show
ids-option test-screen {
icmp {
ip-sweep threshold 6000;
}
ip {
record-route-option;
timestamp-option;
security-option;
stream-option;
}
tcp {
port-scan threshold 6000;
}
}
Operating System Probe Defense
To react to certain TCP anomalies like;
* both SYN and FIN flags set
* FIN flag set and ACK flag not set
* no flags set
* both SYN and FIN flags set
* FIN flag set and ACK flag not set
* no flags set
[edit security screen]
root@host# show
ids-option test-screen {
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
}
}
IP Spoofing Defense
Junos compares the source IP address of an incoming packet with the closes prefix match found in its forwarding table. If the interface associated is different from the ingress interface of the packet, Junos discards the packet.
[edit security screen]
root@host# show
ids-option test-screen {
ip {
spoofing;
}
}
IP source router option defense
To block packets upon detection
[edit security screen]
root@host# show
ids-option test-screen {
ip {
source-route-option;
}
}
To record packets upon detection
[edit security screen ids-option test-screen]
root@host# show
ip {
loose-source-route-option;
strict-source-route-option;
}
Session Table Flood Defense
In Junos you can set up;
* source-based session limit
* source-based session limit
* destination-based session limit
[edit security screen]
root@host# show
ids-option test-screen {
limit-session {
source-ip-based 30;
destination-ip-based 30;
}
}
The number 30 in this config stands for the number of sessions.
SYN-ACK-ACK Proxy Flood Defense
Junos can be a proxy for TCP connections and detect SYN-ACK-ACK sessions. To limit the number of concurrent sessions from a single source;
[edit security screen]
root@host# show
ids-option test-screen {
tcp {
syn-ack-ack-proxy threshold 300;
}
}
SYN Flood defense
Junos can limit the number of SYN segments per second. Attack threshold can be set based on destination address, source address or both.
[edit security screen ids-option test-screen]
root@host# show
tcp {
syn-flood {
alarm-threshold 50;
attack-threshold 90;
source-threshold 45;
destination-threshold 45;
timeout 20;
}
}
alarm-threshold: number of proxied,half-complete TCP connection requests per second before an alarm logs
attack-threshold: number of SYN requests per second required to trigger SYN proxy mechanism.
attack-threshold: number of SYN requests per second required to trigger SYN proxy mechanism.
source-threshold: number of SYN requests received from a single source per second
destination-threshold: number of SYN requests received for a single destination per second
timeout: maximum length of time before a half-completed connection drop from the queue.
SYN-Cookie
[edit security]
root@host# show
flow {
syn-flood-protection-mode syn-cookie;
}
ICMP and UDP attack defense
[edit security screen]
root@host# show
ids-option test-screen {
icmp {
flood threshold 50;
}
udp {
flood threshold 100;
}
}
Land Attack Defense
[edit security screen]
root@host# show
ids-option test-screen {
tcp {
land;
}
}
Several DoS Attacks
Ping of Death: Uses oversized ICMP packet (larger than 65,536 bytes)
Teardrop: Exploit the reassembly of fragmented IP packets.
WinNuke: Sending a TCP segment usually to Netbios port 139 with the urgent flag set.Defense Method
Teardrop: Exploit the reassembly of fragmented IP packets.
WinNuke: Sending a TCP segment usually to Netbios port 139 with the urgent flag set.Defense Method
[edit security screen]
root@host# show
ids-option test-screen {
icmp {
ping-death;
}
ip {
tear-drop;
}
tcp {
winnuke;
}
}ICMP attacks
Typically, ICMP packets are very short and not supposed to be big and not fragmented.ICMP Defense
The following configuration enables blocking of fragmented ICMP packets along with packets larger than 1024 bytes.
The following configuration enables blocking of fragmented ICMP packets along with packets larger than 1024 bytes.
[edit security screen]
root@host# show
ids-option test-screen {
icmp {
fragment;
large;
}
}IP Packet Fragments and Bad IP address options defense:
Once this screen is set, Junos drops all IP packet fragments or packets with incorrectly formatted IP options.
For IP fragments, it checks whether more fragment (M) field is set or a nonzero value is in the fragment offset field.
[edit security screen]
root@host# show
ids-option test-screen {
ip {
bad-option;
block-frag;
}
}
Unknown Protocols Defense
If the IP protocol field is 137 or greater, that means something is unexpected.
[edit security screen]
root@host# show
ids-option test-screen {
ip {
unknown-protocol;;
}
}
SYN Fragments Defense
Because SYN segment in an IP packet is to initiate a connection, it shouldn’t contain any data or be fragmented. So this screen blocks segments if it detects more fragment or non-zero offset value.
[edit security screen]
root@host# show
ids-option test-screen {
tcp {
syn-frag;
}
}
Attack Monitoring
To display statistics of screen operations
root@host> show security screen statistics zone trust
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 0
ICMP address sweep 0
TCP sweep 0
UDP sweep 0
IP tear drop 0
TCP SYN flood 0
IP spoofing 2636466
ICMP ping of death 0
IP source route option 0
TCP land attack 95
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 0
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
To display screen related info
root@host> show security screen ids-option test-screen
Screen object status:
Name Value
IP spoofing enabled
TCP land attack enabledTracing
[edit security screen]
root@host# show
traceoptions {
file screen.log;
flag all;
}
OFF JNCIS-SEC
Here is an JNCIS-SEC off topic command.
root@host> show security monitoring fpc 0
FPC 0
PIC 0
CPU utilization : 100 %
Memory utilization : 85 %
Current flow session : 49151
Max flow session : 49152
