Juniper DoS Classification
I. Network DoS attacks
1. SYN flooding
Abuses the TCP three-way handshake with a spoofed source address.
Normally A sends a SYN segment to B, B answers with a SYN/ACK segment, and A completes the handshake with an ACK segment.
In the attack, the source IP address of the SYN segment is an unreachable address, so B's SYN/ACK response never gets an answer and times out.
A flood of such half-open requests fills the host's connection buffer; the host can no longer handle new TCP connection requests and the system stops functioning correctly.
Enable SYN flood protection:
set zone <zone> screen syn-flood
Number of SYN segments per second that triggers the protection (set according to the actual traffic):
set zone <zone> screen syn-flood attack-threshold <number>
Number of connection requests per second after which an alarm is logged:
set zone <zone> screen syn-flood alarm-threshold <number>
Number of SYN segments per second accepted from a single source IP address:
set zone <zone> screen syn-flood source-threshold <number>
Number of SYN segments per second accepted for a single destination IP address:
set zone <zone> screen syn-flood destination-threshold <number>
Maximum time a half-completed connection is held in the queue before it is dropped:
set zone <zone> screen syn-flood timeout <number>
Number of proxied connection requests held in the proxy connection queue before the security device starts rejecting new connection requests:
set zone <zone> screen syn-flood queue-size <number>
Drop SYN packets whose destination MAC address is not in the security device's MAC learning table (this option is not supported in transparent mode):
set zone <zone> screen syn-flood drop-unknown-mac
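To make the meaning of the six syn-flood knobs concrete, here is an added simulation (not Juniper code, and the thresholds, addresses and event stream are all constructed) that counts SYN segments per second per source and per destination, starts proxying half-open requests once the attack threshold is passed, bounds the proxy queue, expires entries after the timeout, and raises an alarm when the alarm threshold is crossed. The same per-second counting is what the icmp-flood and udp-flood thresholds later on this page rely on.

```python
"""Simplified model of the ScreenOS syn-flood screen thresholds.

Added example, not Juniper code: it only models the behaviour the
knobs describe. All addresses, thresholds and events are constructed.
"""
from collections import Counter, deque


class SynFloodScreen:
    def __init__(self, attack_threshold=200, alarm_threshold=1024,
                 source_threshold=4000, destination_threshold=4000,
                 timeout=20, queue_size=1024):
        self.attack_threshold = attack_threshold          # SYN/s to one destination before proxying
        self.alarm_threshold = alarm_threshold            # proxied requests/s before an alarm
        self.source_threshold = source_threshold          # SYN/s accepted from one source
        self.destination_threshold = destination_threshold  # SYN/s accepted for one destination
        self.timeout = timeout                            # seconds a half-open entry is held
        self.queue_size = queue_size                      # capacity of the proxy queue
        self.queue = deque()                              # (expire_at, src, dst) half-open entries
        self.alarms = []                                  # (second, dst) alarms raised

    def _expire(self, now):
        """Drop half-open entries whose timeout has elapsed (queue is time-ordered)."""
        while self.queue and self.queue[0][0] <= now:
            self.queue.popleft()

    def process(self, events):
        """events: iterable of (second, src_ip, dst_ip) SYN arrivals, sorted by second.
        Returns a Counter of verdicts: forward, proxy, drop:<reason>."""
        verdicts = Counter()
        current = None
        per_src = per_dst = None
        proxied = 0
        for second, src, dst in events:
            if second != current:              # new second: reset the per-second counters
                current, proxied = second, 0
                per_src, per_dst = Counter(), Counter()
                self._expire(second)
            per_src[src] += 1
            per_dst[dst] += 1
            if per_src[src] > self.source_threshold:
                verdicts["drop:source-threshold"] += 1
                continue
            if per_dst[dst] > self.destination_threshold:
                verdicts["drop:destination-threshold"] += 1
                continue
            if per_dst[dst] > self.attack_threshold:
                # Attack threshold passed: hold the request as a proxied half-open entry
                if len(self.queue) >= self.queue_size:
                    verdicts["drop:queue-full"] += 1
                    continue
                self.queue.append((second + self.timeout, src, dst))
                proxied += 1
                if proxied == self.alarm_threshold + 1:   # alarm once per second, on crossing
                    self.alarms.append((second, dst))
                verdicts["proxy"] += 1
            else:
                verdicts["forward"] += 1
        return verdicts


def demo():
    """Constructed scenario: a burst of SYNs from one spoofed source, then normal clients."""
    screen = SynFloodScreen(attack_threshold=5, alarm_threshold=1, source_threshold=8,
                            destination_threshold=50, timeout=2, queue_size=2)
    events = [(0, "203.0.113.9", "10.0.0.1")] * 10                       # burst in second 0
    events += [(1, f"198.51.100.{i}", "10.0.0.1") for i in range(3)]     # legitimate clients
    events += [(3, "198.51.100.7", "10.0.0.1")]                          # after the timeout
    verdicts = screen.process(events)
    return verdicts, screen.alarms, len(screen.queue)


if __name__ == "__main__":
    print(demo())
```

In the demo the first five SYNs are forwarded, the sixth and seventh are proxied (filling the two-entry queue), the eighth is dropped because the queue is full, the ninth and tenth exceed the per-source limit, and the proxied entries have expired by second 3.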
2. ICMP flooding
Sends a large number of ICMP packets per second so that the victim spends all its resources answering them and can no longer process legitimate connections.
ICMP flood protection:
set zone <zone> screen icmp-flood threshold <number>
set zone <zone> screen icmp-flood
3. UDP flooding
Sends a large number of IP packets carrying UDP datagrams so that the victim can no longer handle legitimate connections.
UDP flood protection:
set zone <zone> screen udp-flood threshold <number>
set zone <zone> screen udp-flood
4. Land attack
Combines a SYN attack with IP spoofing: the attacker sends the victim a SYN packet in which the victim's own address is used as both the source and the destination IP address. The victim sends the SYN/ACK response to itself and creates an empty connection that remains until the idle timeout expires. When enough of these empty connections accumulate, system resources are exhausted and service is denied.
Land protection:
set zone <zone> screen land
II. Operating-system-related DoS attacks
1. Ping of death
The maximum size of an IP packet is 65535 bytes.
A normal ICMP packet consists of:
IP header: 20 bytes, ICMP header: 8 bytes, ICMP data: at most 65507 bytes
An attack packet consists of:
IP header: 20 bytes, ICMP header: 8 bytes, ICMP data: 65510 bytes
65510 bytes exceeds the normal maximum of 65507 bytes. The packet is split into many fragments for transmission, and reassembling them may crash the receiving system.
Enable ping of death protection:
set zone <zone> screen ping-death
2. Teardrop attack
Teardrop exploits the reassembly of IP packet fragments. The IP header carries a fragment offset field for each fragment. When the receiver reassembles the packet and a fragment's offset does not match the size of the preceding fragment, the fragments overlap; the receiver's attempt to reassemble the overlapping fragments crashes the system, especially on older systems that have not been patched.
Example:
First packet:
Offset: 0, IP header: 20, data: 800, length: 820, more fragments: 1
Second packet:
Offset: 800, IP header: 20, data: 600, length: 620, more fragments: 0
The start position of the second fragment (800) lies 20 bytes before the end of the first fragment, so the two fragments overlap and their lengths are inconsistent. This discrepancy causes some systems to crash when they try to reassemble the packet.
Enable teardrop protection:
set zone <zone> screen tear-drop
3. WinNuke
A DoS attack against Windows hosts. A TCP segment with the URG (urgent) flag set is sent to NetBIOS port 139 of a host that has an established connection. This produces overlapping NetBIOS fragments and crashes the Windows machine.
Enable WinNuke protection:
set zone <zone> screen winnuke
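The four operating-system-related screens above (ping-death, tear-drop, land and winnuke) all key on packet-level conditions that a defender can check directly. The following added example is not ScreenOS code; it represents packets and fragments as plain dicts with constructed values, flags a reassembled datagram larger than 65535 bytes using the page's ping-of-death sizes, flags overlapping fragments (the teardrop case is constructed so the second fragment starts 20 bytes inside the first), and flags the land and WinNuke packet shapes. Fragment offsets are given in bytes here; the real IP header field stores them in 8-byte units.

```python
"""Packet-level checks mirroring the ping-death, tear-drop, land and
winnuke screens. Added example, not ScreenOS code; all packet values
below are constructed."""

IP_HEADER = 20              # bytes
MAX_IP_PACKET = 65535       # maximum IP datagram size in bytes
NETBIOS_SESSION_PORT = 139
TCP_SYN = 0x02
TCP_URG = 0x20


def is_land(pkt):
    """Land: a SYN whose source address/port equals its destination address/port."""
    return (pkt["proto"] == "tcp" and bool(pkt["flags"] & TCP_SYN)
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_winnuke(pkt):
    """WinNuke: TCP segment with URG set, destined for NetBIOS session port 139."""
    return (pkt["proto"] == "tcp" and pkt["dport"] == NETBIOS_SESSION_PORT
            and bool(pkt["flags"] & TCP_URG))


def check_fragments(frags):
    """Examine the fragments of one IP datagram.

    Each fragment is a dict with 'offset' (payload byte offset), 'data'
    (payload bytes in this fragment) and 'more' (more-fragments flag).
    Returns the set of problems found: 'teardrop' when a fragment starts
    inside the previous one, 'ping-death' when the reassembled datagram
    (IP header plus payload) would exceed 65535 bytes.
    """
    problems = set()
    end = 0                                   # end of payload covered so far
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < end:                 # overlaps already-covered bytes
            problems.add("teardrop")
        end = max(end, f["offset"] + f["data"])
    if IP_HEADER + end > MAX_IP_PACKET:
        problems.add("ping-death")
    return problems


def fragment_payload(total_payload, mtu_payload=1480):
    """Split a payload into fragments as a 1500-byte-MTU sender would
    (constructed helper; 1500 - 20 byte IP header = 1480 payload bytes)."""
    frags, offset = [], 0
    while offset < total_payload:
        size = min(mtu_payload, total_payload - offset)
        nxt = offset + size
        frags.append({"offset": offset, "data": size, "more": nxt < total_payload})
        offset = nxt
    return frags


def demo():
    """Run the checks on constructed packets and return the verdicts."""
    results = {}
    # Ping of death: ICMP header 8 + 65510 data bytes (sizes from the page)
    results["ping-death"] = check_fragments(fragment_payload(8 + 65510))
    # Largest legal ping: ICMP header 8 + 65507 data bytes
    results["max-legal-ping"] = check_fragments(fragment_payload(8 + 65507))
    # Teardrop: second fragment starts 20 bytes inside the first (constructed)
    results["teardrop"] = check_fragments([
        {"offset": 0, "data": 800, "more": True},
        {"offset": 780, "data": 600, "more": False},
    ])
    land = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5",
            "sport": 139, "dport": 139, "flags": TCP_SYN}
    results["land"] = is_land(land)
    winnuke = {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5",
               "sport": 40000, "dport": 139, "flags": TCP_URG | 0x18}   # URG|PSH|ACK
    results["winnuke"] = is_winnuke(winnuke)
    normal = {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5",
              "sport": 40000, "dport": 80, "flags": TCP_SYN}
    results["normal"] = is_land(normal) or is_winnuke(normal)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note that the ping-of-death check must be made on the reassembled size, not on any single fragment: every fragment on the wire is a legal size, and only the offset of the last one reveals that the whole exceeds 65535 bytes.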
This article is from the "Yangdong Hao" blog; please keep this source: http://506554897.blog.51cto.com/2823970/1630093