DoS attack classification for Juniper attack detection and protection (ScreenOS zone screen options)
Juniper DoS classification
I. Network DoS attacks
1. SYN Flood
Exploits the TCP three-way handshake with spoofed source addresses.
Normally A sends a SYN segment to B, B answers with SYN/ACK, and A completes the handshake with ACK.
In the attack, the SYN segments sent by A carry source IP addresses that are unreachable, so B's SYN/ACK is never answered and each half-open connection stays in B's backlog until it times out. This is a SYN flood: the host's connection memory fills up, the host can no longer accept new TCP connection requests, and the system stops working properly.
Enable SYN flood protection:
set zone <zone> screen syn-flood
attack-threshold: number of SYN segments per second (to the zone) required to trigger SYN proxying (set according to actual conditions):
set zone <zone> screen syn-flood attack-threshold <number>
alarm-threshold: number of proxied half-open connection requests per second after which an alarm is written to the event log:
set zone <zone> screen syn-flood alarm-threshold <number>
source-threshold: number of SYN segments per second received from a single source IP address before the device starts dropping connection requests from that source:
set zone <zone> screen syn-flood source-threshold <number>
destination-threshold: number of SYN segments per second received for a single destination IP address before the device starts dropping connection requests to that destination:
set zone <zone> screen syn-flood destination-threshold <number>
timeout: maximum time a half-completed connection is kept in the queue before it is dropped:
set zone <zone> screen syn-flood timeout <number>
queue-size: number of proxied connection requests held in the proxied connection queue before the device starts rejecting new connection requests:
set zone <zone> screen syn-flood queue-size <number>
drop-unknown-mac: during a SYN attack, drop SYN packets whose destination MAC address is not in the device's MAC learning table (this applies only in transparent mode, which is where the device keeps a MAC learning table):
set zone <zone> screen syn-flood drop-unknown-mac
2. ICMP flood
A large number of ICMP echo requests per second are sent to the victim, so that it spends all its resources answering them and cannot process other connections.
ICMP flood protection:
set zone <zone> screen icmp-flood threshold <number>
set zone <zone> screen icmp-flood
3. UDP flood
A large number of IP packets containing UDP datagrams are sent to the victim, so that it can no longer process legitimate connections.
UDP flood protection:
set zone <zone> screen udp-flood threshold <number>
set zone <zone> screen udp-flood
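Worked example (added here; this is not ScreenOS code and not from the original page): a Python model of the per-second counters behind the syn-flood, icmp-flood and udp-flood screens described above. The packet list, the 198.51.100.x source addresses and the threshold values are constructed for illustration; the proxying and limiting rules are a simplified reading of the option descriptions above, not Juniper's implementation or its default values.

```python
# Added example (not ScreenOS code): a model of the per-second counters behind the
# syn-flood, icmp-flood and udp-flood screens. Packets, addresses and thresholds
# are constructed for illustration; ScreenOS's own implementation is not reproduced.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp-syn", "icmp" or "udp"
    src: str
    dst: str


@dataclass(frozen=True)
class SynFloodThresholds:
    attack: int       # SYNs/sec to the zone before SYN proxying starts (attack-threshold)
    alarm: int        # proxied SYNs/sec before an alarm is logged (alarm-threshold)
    source: int       # SYNs/sec from one source IP before that source is limited (source-threshold)
    destination: int  # SYNs/sec to one destination IP before it is limited (destination-threshold)


def syn_flood_verdict(packets, th):
    """Classify one second of traffic against the four syn-flood thresholds."""
    syns = [p for p in packets if p.proto == "tcp-syn"]
    total = len(syns)
    per_src = Counter(p.src for p in syns)
    per_dst = Counter(p.dst for p in syns)
    attack = total > th.attack
    # Simplified model: SYNs beyond the attack threshold are the ones that get proxied.
    proxied = total - th.attack if attack else 0
    return {
        "syn_per_sec": total,
        "attack": attack,
        "alarm": attack and proxied > th.alarm,
        "limited_sources": sorted(s for s, n in per_src.items() if n > th.source),
        "limited_destinations": sorted(d for d, n in per_dst.items() if n > th.destination),
    }


def simple_flood_verdict(packets, proto, threshold):
    """icmp-flood and udp-flood: a single packets-per-second threshold for the zone."""
    count = sum(1 for p in packets if p.proto == proto)
    return {"proto": proto, "per_sec": count, "flood": count > threshold}


def constructed_second(n_sources, per_source, proto="tcp-syn", dst="10.0.0.5"):
    """One second of constructed traffic: n_sources hosts (198.51.100.x) each sending per_source packets."""
    return [Packet(proto, f"198.51.100.{i}", dst)
            for i in range(1, n_sources + 1) for _ in range(per_source)]


if __name__ == "__main__":
    th = SynFloodThresholds(attack=200, alarm=50, source=25, destination=250)
    print(syn_flood_verdict(constructed_second(10, 30), th))
    print(simple_flood_verdict(constructed_second(4, 500, proto="icmp"), "icmp", 1000))
```

The per-source and per-destination counters are what distinguish a single misbehaving host from a distributed flood: in the constructed run above every source trips source-threshold individually while the zone-wide count also trips attack-threshold, which is the case where proxying plus source limiting both apply.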
4. Land attacks
A land attack combines a SYN flood with IP spoofing: the attacker sends forged SYN packets whose source and destination IP addresses are both the victim's address. The victim answers itself with a SYN-ACK and creates an empty connection that persists until the inactivity timeout expires. Enough of these empty connections consume the system's resources and cause denial of service.
Land protection:
set zone <zone> screen land
II. OS-related DoS attacks
1. Ping of death
The maximum length of an IP packet is 65535 bytes.
A normal ICMP packet consists of:
IP header: 20 bytes, ICMP header: 8 bytes, ICMP data: up to 65507 bytes
Attack packet:
IP header: 20 bytes, ICMP header: 8 bytes, ICMP data: 65510 bytes
The 65510 bytes of data exceed the normal maximum of 65507 bytes. The packet is split into many fragments in transit, and the receiver is asked to reassemble a datagram larger than 65535 bytes; reassembling it can crash the receiving system.
Enable ping of death protection:
set zone <zone> screen ping-death
2. Teardrop
A Teardrop attack exploits IP packet fragmentation. The fragment offset field in the IP header gives the position of a fragment's data within the original datagram. When the offset plus the size of one fragment does not match the offset of the next fragment, the fragments overlap, and a receiver that tries to reassemble them can crash; this is especially true of older systems that have not been patched.
Example:
First fragment:
Offset: 0, IP header: 20, data: 800, length: 820, more fragments: 1
Second fragment:
Offset: 800, IP header: 20, data: 600, length: 620, more fragments: 0
The second fragment's offset (800) lies 20 bytes before the end of the first fragment (820), so the two fragments overlap instead of abutting. An inconsistency like this between the length of fragment 1 and the offset of fragment 2 causes some systems to crash when they attempt reassembly.
Enable Teardrop protection:
set zone <zone> screen tear-drop
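Worked example (added here; this is not ScreenOS code and not from the original page) covering both the ping of death and the Teardrop sections above: reassembly checks that detect a fragment set adding up to more than 65535 bytes, and a fragment set whose payload ranges overlap. The fragment sets, the 1500-byte MTU sender and the 20-byte overlap are constructed; offsets are kept in bytes for readability, whereas the real IP offset field counts 8-byte units.

```python
# Added example (not ScreenOS code): reassembly checks that model what the
# ping-death and tear-drop screens look for. Fragment sets are constructed from
# the sizes in the text. Offsets are kept in bytes for readability; the real IP
# fragment offset field counts 8-byte units, which the helper below respects by
# cutting payload on 8-byte boundaries.
from dataclasses import dataclass

IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
MAX_IP_DATAGRAM = 65535                                              # largest total length an IP header can express
MAX_ICMP_DATA = MAX_IP_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN    # 65507 bytes, the normal ceiling


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment's payload within the original datagram
    data_len: int  # payload bytes carried by this fragment (IP header not counted)
    more: bool     # More Fragments flag; False on the last fragment


def fragment_datagram(payload_len, mtu=1500):
    """Split a payload the way a sender with the given MTU would (constructed sender)."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 bytes for a 1500-byte MTU
    frags, offset = [], 0
    while offset < payload_len:
        n = min(per_fragment, payload_len - offset)
        frags.append(Fragment(offset, n, more=offset + n < payload_len))
        offset += n
    return frags


def reassembled_length(frags):
    """Total datagram size the receiver must build: IP header plus the furthest payload byte."""
    last = max(frags, key=lambda f: f.offset + f.data_len)
    return IP_HEADER_LEN + last.offset + last.data_len


def is_ping_of_death(frags):
    """Ping of death: the fragments add up to a datagram larger than 65535 bytes."""
    return reassembled_length(frags) > MAX_IP_DATAGRAM


def overlapping_pairs(frags):
    """Teardrop condition: index pairs whose payload ranges overlap instead of abutting."""
    order = sorted(range(len(frags)), key=lambda i: frags[i].offset)
    pairs = []
    for a, b in zip(order, order[1:]):
        end_a = frags[a].offset + frags[a].data_len
        if frags[b].offset < end_a:   # next fragment starts before the previous one ends
            pairs.append((a, b))
    return pairs


def is_teardrop(frags):
    return bool(overlapping_pairs(frags))


def screen_verdict(frags):
    """Names of the screens above that this fragment set would trip."""
    hits = []
    if is_ping_of_death(frags):
        hits.append("ping-death")
    if is_teardrop(frags):
        hits.append("tear-drop")
    return hits


# Constructed inputs: an oversized ping (8-byte ICMP header + 65510 bytes of data,
# as in the text), the largest legal ping, a teardrop pair whose second fragment
# starts 20 bytes inside the first fragment's payload, and a normal abutting pair.
PING_OF_DEATH = fragment_datagram(ICMP_HEADER_LEN + 65510)
LEGAL_MAX_PING = fragment_datagram(ICMP_HEADER_LEN + MAX_ICMP_DATA)
TEARDROP = [Fragment(0, 800, more=True), Fragment(780, 600, more=False)]
NORMAL_PAIR = [Fragment(0, 800, more=True), Fragment(800, 600, more=False)]

if __name__ == "__main__":
    for name, frags in [("ping of death", PING_OF_DEATH), ("legal max ping", LEGAL_MAX_PING),
                        ("teardrop", TEARDROP), ("normal pair", NORMAL_PAIR)]:
        print(f"{name}: reassembled {reassembled_length(frags)} bytes, screens hit {screen_verdict(frags)}")
```

Note that the oversized ping only becomes detectable once the last fragment arrives, since that is the fragment whose offset plus length exceeds 65535; a screen therefore has to track fragment state per datagram rather than inspect fragments in isolation, while the teardrop overlap is visible as soon as two fragments of the same datagram are compared.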
3. WinNuke
A DoS attack against computers running Windows. The attacker sends a TCP segment, usually to NetBIOS port 139 with the urgent (URG) flag set, to a host that has an established connection. This produces a NetBIOS fragment overlap that crashes many machines running Windows.
Enable WinNuke protection:
set zone <zone> screen winnuke