NetScreen attack-defense (screen) commands: an introduction
Author: unknown. Source: unknown. Updated: 2007-01-24 11:25:39
A brief walk through the screen configuration commands. They decide whether an attack is under way mainly by checking protocol legality and the regularity of network access behaviour (behaviour analysis).

On the web interface, remember not to leave the first option, "log without drop" (the alarm-without-drop setting described next), selected in production.

• alarm-without-drop Generates an alarm when detecting an attack, but does not block the attack. This option is useful if you allow the attack to enter a segment of your network that you have previously prepared to receive it—such as a honeynet, which is essentially a decoy network with extensive monitoring capabilities.
Generates an alarm record when an attack is detected but does not stop the packets from being forwarded. Enabling this option consumes some device resources; how much depends on traffic volume and attack type. It is mainly used for traffic identification, baseline statistics of network applications, and testing. Once application and security deployment testing is complete, clear this option.

• block-frag Enables IP packet fragmentation blocking.
Blocks forwarding of IP fragments without sending any rejection to the source; legitimate fragmented IP packets are blocked as well. IP fragment attacks readily crash systems or cause denial of service (some systems cannot handle fragments whose total length exceeds 65535 bytes), and if the offsets between fragments are carefully crafted, some systems hang because they cannot reassemble them; the root cause lies in the reassembly algorithm. Remedies: have the firewall reassemble fragments, rate-limit them, or disable fragment forwarding.

• component-block Selectively blocks HTTP traffic containing any of the following components:
- activex ActiveX controls
- java Java applets
- exe .EXE files
- zip ZIP files
An attacker can use any of these components to load an application (a Trojan Horse) on a protected host, then use the application to gain control of the host. If you enable the blocking of HTTP components without specifying which components, the NetScreen device blocks them all. Alternatively, you can configure the NetScreen device to block only specified components. Note: If you enable ActiveX-blocking, the NetScreen device also blocks packets containing Java applets, .exe files, and .zip files because they might be contained within an ActiveX control.
Blocking ActiveX also blocks the other three components. In a core enterprise application environment this option is not recommended unless it is really needed.

• fin-no-ack Detects an illegal combination of flags, and rejects packets that have them.
A FIN set without ACK during TCP teardown is an abnormal close. Security implications: 1. Some systems respond with a RST segment and others do not, which gives the attacker operating-system fingerprinting clues. 2. An attacker can use it to evade detection while performing address and port scans, and to bypass SYN-flood defenses by running a FIN flood instead. Deployment advice: first check the network applications and confirm whether any such non-standard application exists.

• icmp-flood [ threshold number ] Detects and prevents Internet Control Message Protocol (ICMP) floods. An ICMP flood occurs when ICMP echo requests are broadcast with the purpose of flooding a system with so much data that it first slows down, and then times out and is disconnected. The threshold defines the number of ICMP packets per second allowed to ping the same destination address before the NetScreen device rejects further ICMP packets. The range is 1 to 1,000,000.
ICMP plays an important role in network maintenance and in PMTU discovery, among other things, so disabling ICMP on the device is not recommended. To deal with ICMP floods effectively, rate-limit ICMP bandwidth at the network edge; that keeps ICMP usable while refusing attack traffic.

• icmp-fragment Detects and drops any ICMP frame with the More Fragments flag set, or with an offset indicated in the offset field.
ICMP fragments are anomalous traffic; consider enabling this option when needed.

• icmp-large Detects and drops any ICMP frame with an IP length greater than 1024.
Large ICMP packets are anomalous traffic; consider enabling this option when needed. If edge network devices can handle packets this easy to classify, let them take on part of the attack-protection work to form a layered defense.

• ip-bad-option Detects and drops any packet with an incorrectly formatted IP option in the IP packet header. The NetScreen device records the event in the SCREEN counters list for the ingress interface.
The device can check IP packets for format legality, using the latest RFC specifications as the reference, and drop non-conforming packets. Because many of the bank's applications are developed in-house, strict RFC conformance cannot be demanded of them, so enabling this option on the bank network is not recommended.

• ip-filter-src Detects and drops all packets with the Source Route Option enabled. The Source Route Option can allow an attacker to use a false IP address to access a network, and receive returned traffic addressed to the real IP address of the attacker’s host device. The administrator can block all IP Source Routed frames having Strict Source Routing (or Loose Source Routing) enabled.
Packets that pre-specify their path through the network are generally treated as suspicious. Unless some business application on the bank network uses the technique, allowing it gives intruders an easy route in.

• ip-loose-src-route Detects packets where the IP option is 3 (Loose Source Routing) and records the event in the SCREEN counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other routers in between those specified.
As above; it is also recommended to disable this on the edge access routers.

• ip-record-route Detects packets where the IP option is 7 (Record Route) and records the event in the SCREEN counters list for the ingress interface.
As above.

• ip-security-opt Detects packets where the IP option is 2 (security) and records the event in the SCREEN counters list for the ingress interface.
Packets with IP option 2 can be treated as suspicious, since the option has no real application.

• ip-spoofing Prevents spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the ip-spoofing option invalidates such false source IP address connections. Only NetScreen devices running in NAT or Route mode can use this option. The drop-no-rpf-route option instructs the NetScreen device to drop any packet that is not contained in the route table, for example, the device drops the packet if it does not contain a source route, or if the source IP address is reserved (non-routable, as with 127.0.0.1).
IP spoofing: inserting a false source address into the packet header so that the packet appears to come from a trusted source. How NetScreen implements the check: 1. When the interface works in Route or NAT mode, spoofing detection relies on the route table (a reverse lookup of the packet's source address in the route table).
If the source IP address is not in the route table, by default the NetScreen device lets the packet through (if a policy allows it). set zone zone screen ip-spoofing drop-no-rpf-route instructs the NetScreen device to drop any packet whose source IP address is not in the route table, where zone is the packet's origin zone.
2. In Transparent mode, the device uses the binding between address-book entries, zones and interfaces to decide whether a packet is spoofed.
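The Route/NAT-mode reverse-path check described above, as an added example (not code from the page or from ScreenOS): a longest-prefix lookup of the source address decides whether the packet arrived on the interface the route table would use to reach it, and the drop-no-rpf-route flag decides the fate of sources with no route at all. The route table, interface names and addresses are constructed for the demonstration.

```python
"""Reverse-path (ip-spoofing) check against a route table, mirroring the page's
description of Route/NAT-mode behaviour. Route table and interface names are
constructed, not taken from a real device."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, egress interface) pairs, as a longest-prefix-match table holds them.
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: return the egress interface for addr, or None if no route."""
    best: Optional[Route] = None
    for net, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpf_verdict(routes: List[Route], src: str, ingress: str, drop_no_rpf_route: bool) -> str:
    """Decide a packet's fate from its source address and the interface it arrived on."""
    a = ipaddress.IPv4Address(src)
    # Reserved / non-routable sources (127.0.0.1 is the page's own example) are always dropped.
    if a.is_loopback or a.is_multicast or a.is_reserved or a.is_unspecified:
        return "drop:reserved-source"
    egress = lookup(routes, a)
    if egress is None:
        # No route back to the source: forwarded by default unless drop-no-rpf-route is set.
        return "drop:no-rpf-route" if drop_no_rpf_route else "pass:no-route-default"
    if egress != ingress:
        # The route to the claimed source points out a different interface: spoofed.
        return "drop:spoofed-via-" + egress
    return "pass"


def sample_routes(with_default: bool) -> List[Route]:
    """Constructed three-zone route table: trust, dmz and (optionally) a default to untrust."""
    routes = [
        (ipaddress.ip_network("10.1.0.0/16"), "ethernet1"),      # trust
        (ipaddress.ip_network("192.168.10.0/24"), "ethernet2"),  # dmz
    ]
    if with_default:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "ethernet3"))  # untrust
    return routes


if __name__ == "__main__":
    for src, ingress in [("10.1.5.5", "ethernet3"), ("203.0.113.9", "ethernet3"), ("127.0.0.1", "ethernet3")]:
        print(src, ingress, rpf_verdict(sample_routes(True), src, ingress, True))
```

Note that with a default route present every source has a route, so drop-no-rpf-route only bites on a table without one; the spoof check itself (route points out a different interface) works either way.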

• ip-stream-opt Detects packets where the IP option is 8 (Stream ID) and records the event in the SCREEN counters list for the ingress interface.
Packets with IP option 8 can be treated as suspicious, since the option has no real application.

• ip-strict-src-route Detects packets where the IP option is 9 (Strict Source Routing) and records the event in the SCREEN counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field.
Strict source routing; suspicious packets.

• ip-sweep threshold number Detects and prevents an IP Sweep attack. An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, it reveals the target’s IP address to the attacker. Set the IP Sweep threshold to between 1 and 1,000,000 microseconds. Each time ICMP echo requests occur with greater frequency than this limit, the NetScreen device drops further echo requests from the remote source address.
IP address sweep: when one source IP address sends 10 ICMP packets to different hosts within the set interval (default 5000 microseconds = 0.005 s), an address sweep is in progress and subsequent ICMP packets from that source are dropped.

• ip-timestamp-opt Detects packets where the IP option list includes option 4 (Internet Timestamp) and records the event in the SCREEN counters list for the ingress interface.
IP packets that record a timestamp at each hop along the path; treated as suspected attack packets.
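The IP-option screens from ip-bad-option down to ip-timestamp-opt all look at the same header field, so here is one added example (not code from the page or from ScreenOS) that walks the IPv4 options area, maps each option number to the screen above, treats a malformed option length as ip-bad-option, and drops both source-route flavours as ip-filter-src does. The header builder and the addresses are constructed test input.

```python
"""IPv4 option walker mapping RFC 791 option numbers to the screens on this page."""
import socket
import struct
from typing import Dict, List, Tuple

# Option number = low 5 bits of the option-type byte (copy and class bits are ignored here).
OPT_EOOL, OPT_NOP = 0, 1
OPT_SECURITY, OPT_LSRR, OPT_TIMESTAMP, OPT_RR, OPT_SID, OPT_SSRR = 2, 3, 4, 7, 8, 9

SCREEN_FOR_OPTION: Dict[int, str] = {
    OPT_SECURITY: "ip-security-opt",
    OPT_LSRR: "ip-loose-src-route",
    OPT_TIMESTAMP: "ip-timestamp-opt",
    OPT_RR: "ip-record-route",
    OPT_SID: "ip-stream-opt",
    OPT_SSRR: "ip-strict-src-route",
}


def walk_options(opts: bytes) -> List[Tuple[str, int]]:
    """Return (screen, option number) hits; raise ValueError on a malformed option."""
    hits: List[Tuple[str, int]] = []
    i = 0
    while i < len(opts):
        number = opts[i] & 0x1F
        if number == OPT_EOOL:
            break                      # end of option list
        if number == OPT_NOP:
            i += 1                     # single-byte padding option
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % number)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d length %d overruns the options field" % (number, length))
        if number in SCREEN_FOR_OPTION:
            hits.append((SCREEN_FOR_OPTION[number], number))
        i += length
    return hits


def screen_ipv4(packet: bytes) -> dict:
    """Classify an IPv4 header: {'drop': bool, 'screens': [names of screens that fired]}."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return {"drop": True, "screens": ["ip-bad-option"]}
    try:
        hits = walk_options(packet[20:ihl])
    except ValueError:
        return {"drop": True, "screens": ["ip-bad-option"]}
    screens = [name for name, _ in hits]
    # ip-filter-src: drop anything carrying loose or strict source routing.
    drop = any(num in (OPT_LSRR, OPT_SSRR) for _, num in hits)
    if drop:
        screens.append("ip-filter-src")
    return {"drop": drop, "screens": screens}


def build_ipv4(options: bytes, src: str = "203.0.113.5", dst: str = "10.1.0.10") -> bytes:
    """Constructed header with the given options (padded to 32 bits); checksum left zero."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + opts


if __name__ == "__main__":
    # Loose source route: type 0x83, length 7, pointer 4, one hop address.
    print(screen_ipv4(build_ipv4(b"\x83\x07\x04\x0a\x01\x00\x09")))
```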

• land Prevents Land attacks by combining the SYN flood defense mechanism with IP spoofing protection. Land attacks occur when an attacker sends spoofed IP packets with headers containing the target’s IP address for both the source and destination IP addresses. The attacker sends these packets with the SYN flag set to any available port. This induces the target to create empty sessions with itself, filling its session table and overwhelming its resources.
Land attack: combines a SYN attack with IP spoofing. The victim host responds by sending a SYN-ACK to itself and creates an empty connection, which remains until the idle timeout expires. Piling up too many of these empty connections exhausts system resources and results in a DoS. NetScreen checks whether the source and destination addresses are the same, whether the source address is spoofed, and whether a SYN attack is in progress.

• limit-session [ source-ip-based number | destination-ip-based number ] Limits the number of concurrent sessions the device can initiate from a single source IP address, or the number of sessions it can direct to a single destination IP address. By default, the limit is 128 sessions. Limit value range is 1 to 49,999.
Denial of service: limits the number of concurrent sessions per source or per destination address; limiting by destination address will affect normal business. If the source addresses are widely dispersed (a DDoS), this is hard to defend against. Set the threshold from the normal baseline, with 10-20% headroom.
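An added example (not code from the page or from ScreenOS) of the per-address concurrent-session limit described for limit-session, together with the page's advice of deriving the value from a measured baseline plus headroom. The CLI line it emits follows the set zone <zone> screen <option> form quoted elsewhere on this page; its exact syntax is an assumption, as are the addresses and the baseline figure.

```python
"""Concurrent-session limiting per source / destination address (limit-session)."""
import math
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

Session = Tuple[str, int, str, int]  # (src, sport, dst, dport)


class SessionLimiter:
    def __init__(self, source_limit: Optional[int] = 128, destination_limit: Optional[int] = None):
        self.source_limit = source_limit            # page default: 128 sessions per source
        self.destination_limit = destination_limit  # optional destination-ip-based limit
        self.by_src: Dict[str, Set[Session]] = defaultdict(set)
        self.by_dst: Dict[str, Set[Session]] = defaultdict(set)

    def open(self, s: Session) -> str:
        """Try to create a session; return 'open', 'exists' or the drop reason."""
        src, _, dst, _ = s
        if s in self.by_src[src]:
            return "exists"
        if self.source_limit is not None and len(self.by_src[src]) >= self.source_limit:
            return "drop:source-ip-based"
        if self.destination_limit is not None and len(self.by_dst[dst]) >= self.destination_limit:
            return "drop:destination-ip-based"
        self.by_src[src].add(s)
        self.by_dst[dst].add(s)
        return "open"

    def close(self, s: Session) -> None:
        """Session torn down (FIN/RST or idle timeout): free its slot."""
        src, _, dst, _ = s
        self.by_src[src].discard(s)
        self.by_dst[dst].discard(s)


def limit_from_baseline(peak_sessions: int, headroom: float = 0.2) -> int:
    """Peak concurrent sessions per source seen in normal operation, plus 10-20% headroom,
    clamped to the 1..49,999 range the page gives for limit-session."""
    return max(1, min(49999, math.ceil(peak_sessions * (1 + headroom))))


def cli_line(zone: str, limit: int) -> str:
    """Assumed command form: set zone <zone> screen limit-session source-ip-based <n>."""
    return "set zone %s screen limit-session source-ip-based %d" % (zone, limit)


if __name__ == "__main__":
    lim = SessionLimiter(source_limit=limit_from_baseline(2))  # constructed baseline peak of 2
    for port in (40000, 40001, 40002, 40003):
        print(port, lim.open(("203.0.113.5", port, "10.1.0.10", 80)))
    print(cli_line("untrust", limit_from_baseline(100)))
```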

• mal-URL [ name_str id_str number | code-red ] Sets up a filter that scans HTTP packets for suspect URLs. The NetScreen device drops packets that contain such URLs. The code-red switch enables blocking of the Code Red worm virus. Using the name_str option works as follows.
- name_str A user-defined identification name.
- id_str Specifies the starting pattern to search for in the HTTP packet. Typically, this starting pattern begins with the HTTP command GET, followed by at least one space, plus the beginning of a URL. (The NetScreen device treats multiple spaces between the command “GET” and the character “/” at the start of the URL as a single space.)
- number Specifies a minimum length for the URL before the CR-LF.

• ping-of-death Detects and rejects oversized and irregular ICMP packets. Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. This can trigger a range of adverse system reactions including crashing, freezing, and restarting.
Ping packets whose reassembled size exceeds 65535 bytes will crash some systems. Mainstream operating systems have long since fixed this, so the remaining risk is small.

• port-scan threshold number Prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the NetScreen device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the NetScreen device flags this as a port scan attack, and rejects further packets from the remote source. The port-scan threshold number value determines the threshold setting, which can be from 1000 to 1,000,000 microseconds.
Port scan; similar to the IP address sweep.
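The ip-sweep and port-scan screens share one mechanism: count distinct targets reached from a single source inside a microsecond window, flag the source when the count reaches 10, and drop what follows. As an added example (not code from the page or from ScreenOS), the detector below implements that window once and keys it on destination address for the sweep and on (address, port) for the scan; the packet timings and addresses are constructed.

```python
"""ip-sweep / port-scan detection: distinct targets per source inside a microsecond window."""
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List, Set, Tuple


class SweepDetector:
    def __init__(self, threshold_us: int = 5000, limit: int = 10):
        self.threshold_us = threshold_us   # window length (page default: 5000 us)
        self.limit = limit                 # distinct targets inside the window (page: 10)
        self.window: Dict[str, Deque[Tuple[int, Hashable]]] = defaultdict(deque)
        self.flagged: Set[str] = set()

    def observe(self, t_us: int, src: str, target: Hashable) -> str:
        """Feed one probe; return 'pass', 'flag' (threshold just reached) or 'drop'."""
        if src in self.flagged:
            return "drop"                  # further packets from a flagged source are rejected
        q = self.window[src]
        q.append((t_us, target))
        while q and t_us - q[0][0] > self.threshold_us:
            q.popleft()                    # age out probes older than the window
        if len({tgt for _, tgt in q}) >= self.limit:
            self.flagged.add(src)
            return "flag"
        return "pass"


def run_ip_sweep(timings_us: List[int], src: str = "203.0.113.5") -> List[str]:
    """One ICMP echo request per timing, each to a different host (constructed)."""
    det = SweepDetector()
    return [det.observe(t, src, "10.1.0.%d" % (i + 1)) for i, t in enumerate(timings_us)]


def run_port_scan(timings_us: List[int], src: str = "203.0.113.5", dst: str = "10.1.0.10") -> List[str]:
    """One SYN per timing, each to a different port on the same host (constructed)."""
    det = SweepDetector()
    return [det.observe(t, src, (dst, 20 + i)) for i, t in enumerate(timings_us)]


if __name__ == "__main__":
    print("fast sweep:", run_ip_sweep([i * 100 for i in range(11)]))
    print("slow sweep:", run_ip_sweep([i * 1000 for i in range(10)]))
```

The slow-sweep run shows the limit of a purely time-based threshold: ten hosts probed one millisecond apart never hold ten distinct targets inside a 5000 microsecond window, so the sweep passes; catching it needs a longer window or correlation elsewhere.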

• syn-ack-ack-proxy Prevents the SYN ACK ACK attack. Such an attack occurs when the attacker establishes multiple Telnet sessions without allowing each session to terminate. This consumes all open slots, generating a Denial of Service condition.

• syn-fin Detects an illegal combination of flags attackers can use to consume sessions on the target device, thus resulting in a denial of service.
Non-conforming TCP packets (the trick is usually in the flag bits).

• syn-flood Detects and prevents SYN flood attacks. Such attacks occur when the connecting host continuously sends TCP SYN requests without completing the handshake (never replying to the corresponding SYN-ACK responses).
- alarm-threshold number Defines the number of proxied, half-complete connections per second at which the NetScreen device makes entries in the event alarm log.
- attack-threshold number Defines the number of SYN packets per second required to trigger the SYN proxying mechanism.
- destination-threshold number Specifies the number of SYN segments received per second for a single destination IP address before the NetScreen device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based on destination IP address only-regardless of the destination port number.
- drop-unknown-mac Drops packets when they contain unknown destination MAC addresses.
- queue-size number Defines the number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests.
- source-threshold number Specifies the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the NetScreen device begins dropping connection requests from that source.
- timeout number Defines the maximum length of time before a half-completed connection is dropped from the queue. You can set it between 1 and 50 seconds.
The well-known SYN flood defense. It has many parameters, and the values need to be set from the session counts seen in normal operation; allow about 20% headroom.

• syn-frag Detects a SYN fragment attack, and drops any packet fragments used for the attack. A SYN fragment attack floods the target host with SYN packet fragments. The host caches these fragments, waiting for the remaining fragments to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host’s memory buffer eventually fills. No further connections are possible, and damage to the host’s operating system can occur.
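The syn-flood parameters above interact: attack-threshold switches the device into proxying, queue-size and timeout bound how many proxied half-open requests it holds, source-threshold and destination-threshold drop outright, and alarm-threshold only logs. The added example below (not code from the page or from ScreenOS) simulates that state machine over a constructed sequence of SYN and handshake-completing ACK events so the parameters can be exercised one at a time; the helper that emits CLI lines follows the set zone <zone> screen <option> form quoted on this page, and its exact syntax is an assumption.

```python
"""SYN proxy simulation with the page's syn-flood parameters."""
from collections import defaultdict
from typing import Dict, List, Tuple

Conn = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class SynFloodScreen:
    def __init__(self, attack_threshold: int = 200, alarm_threshold: int = 1024,
                 source_threshold: int = 25, destination_threshold: int = 4000,
                 queue_size: int = 1024, timeout: int = 20):
        self.attack, self.alarm, self.source = attack_threshold, alarm_threshold, source_threshold
        self.dest, self.qsize, self.timeout = destination_threshold, queue_size, timeout
        self.sec = None
        self.src_count: Dict[str, int] = defaultdict(int)   # SYN/s per source address
        self.dst_count: Dict[str, int] = defaultdict(int)   # SYN/s per destination address
        self.proxied = 0                                    # half-open requests proxied this second
        self.alarms: List[int] = []                         # seconds in which alarm-threshold was hit
        self.queue: Dict[Conn, float] = {}                  # proxied SYN -> time it was queued

    def _tick(self, t: float) -> None:
        sec = int(t)
        if sec != self.sec:                                 # per-second counters roll over
            self.sec, self.proxied = sec, 0
            self.src_count.clear()
            self.dst_count.clear()
        for c, t0 in list(self.queue.items()):              # timeout: discard stale half-open entries
            if t - t0 > self.timeout:
                del self.queue[c]

    def syn(self, t: float, c: Conn) -> str:
        """A SYN arrives at time t; return what the screen does with it."""
        self._tick(t)
        src, _, dst, _ = c
        self.src_count[src] += 1
        self.dst_count[dst] += 1
        if self.src_count[src] > self.source:
            return "drop:source-threshold"
        if self.dst_count[dst] > self.dest:
            return "drop:destination-threshold"
        if self.dst_count[dst] <= self.attack:
            return "forward"                                # below attack-threshold: no proxying
        if len(self.queue) >= self.qsize:
            return "drop:queue-full"                        # proxied connection queue exhausted
        self.queue[c] = t                                   # answer with a SYN-ACK on the server's behalf
        self.proxied += 1
        if self.proxied == self.alarm:
            self.alarms.append(int(t))
        return "proxy"

    def ack(self, t: float, c: Conn) -> str:
        """Client completes the handshake; only then does the request reach the server."""
        self._tick(t)
        return "established" if self.queue.pop(c, None) is not None else "unknown"


def syn_flood_cli(zone: str, **thresholds: int) -> List[str]:
    """Assumed command form, e.g. set zone untrust screen syn-flood attack-threshold 625."""
    lines = ["set zone %s screen syn-flood %s %d" % (zone, k.replace("_", "-"), v)
             for k, v in thresholds.items()]
    return lines + ["set zone %s screen syn-flood" % zone]


if __name__ == "__main__":
    s = SynFloodScreen(attack_threshold=2, alarm_threshold=2, queue_size=2, timeout=1)
    for i, src in enumerate("ABCDE"):
        print(src, s.syn(0.1 * i, (src, 1000 + i, "10.1.0.10", 80)))
    print(syn_flood_cli("untrust", attack_threshold=625, queue_size=1000))
```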

• tcp-no-flag Drops an illegal packet with missing or malformed flags field.
Drops TCP packets whose flags field is empty or malformed.
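The TCP flag screens on this page (fin-no-ack, syn-fin and tcp-no-flag) and the land check (SYN with source address equal to destination) are all decided from two header fields. As an added example (not code from the page or from ScreenOS), the parser below pulls those fields out of a raw IPv4+TCP header and reports every screen that fires; the packets are constructed headers with zero checksums, not captures.

```python
"""TCP flag-combination screens over raw IPv4 + TCP headers."""
import socket
import struct
from typing import List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flag_screens(src_ip: str, dst_ip: str, flags: int) -> List[str]:
    """Return the names of the screens that fire for this flag byte and address pair."""
    hits: List[str] = []
    if (flags & 0x3F) == 0:
        hits.append("tcp-no-flag")        # no flag bit set at all (a NULL probe)
    if (flags & SYN) and (flags & FIN):
        hits.append("syn-fin")            # open and close in the same segment
    if (flags & FIN) and not (flags & ACK):
        hits.append("fin-no-ack")         # teardown that acknowledges nothing
    if (flags & SYN) and src_ip == dst_ip:
        hits.append("land")               # target made to handshake with itself
    return hits


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal IPv4 + TCP header (constructed test input, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def screen_packet(pkt: bytes) -> List[str]:
    """Parse the IPv4 header, locate the TCP flags byte and run the screens."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                       # not TCP: none of these screens apply
        return []
    src_ip = socket.inet_ntoa(pkt[12:16])
    dst_ip = socket.inet_ntoa(pkt[16:20])
    flags = pkt[ihl + 13] & 0x3F          # byte 13 of the TCP header holds the flag bits
    return flag_screens(src_ip, dst_ip, flags)


if __name__ == "__main__":
    for name, flags in [("SYN", SYN), ("FIN", FIN), ("SYN|FIN", SYN | FIN), ("none", 0)]:
        print(name, screen_packet(build_packet("203.0.113.5", "10.1.0.10", 40000, 80, flags)))
    print("land", screen_packet(build_packet("10.1.0.10", "10.1.0.10", 80, 80, SYN)))
```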

• tear-drop Blocks the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the NetScreen device to drop any packets that have such a discrepancy.
Exploits IP fragment-reassembly bugs in some operating systems: when the fragment offsets are deliberately crafted, the OS crashes easily.
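The fragment-related screens on this page (block-frag, icmp-fragment, icmp-large, ping-of-death and tear-drop) all inspect the fragment offset, the more-fragments flag and the total length, so one added example (not code from the page or from ScreenOS) covers them: it tracks the byte ranges already seen per datagram, reports an overlap as tear-drop and a reassembled size past 65535 as ping-of-death. The fragment headers are constructed dictionaries, not captures.

```python
"""Fragment screens over a stream of constructed IPv4 fragment headers."""
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_IP_LEN = 65535


class FragmentScreen:
    def __init__(self, block_frag: bool = False):
        self.block_frag = block_frag
        # (src, dst, id, proto) -> payload byte ranges [start, end) already seen for that datagram
        self.seen: Dict[Tuple, List[Tuple[int, int]]] = defaultdict(list)

    def inspect(self, p: dict) -> List[str]:
        """p holds IP header fields: src, dst, id, proto, offset (8-byte units), mf, ip_len, hdr_len."""
        hits: List[str] = []
        hdr_len = p.get("hdr_len", 20)
        is_frag = bool(p["mf"]) or p["offset"] > 0
        if self.block_frag and is_frag:
            hits.append("block-frag")               # all fragments, legitimate or not
        if p["proto"] == 1:                         # ICMP
            if is_frag:
                hits.append("icmp-fragment")        # MF set or non-zero offset
            if p["ip_len"] > 1024:
                hits.append("icmp-large")
        if is_frag:
            start = p["offset"] * 8
            end = start + p["ip_len"] - hdr_len     # payload bytes this fragment carries
            if p["proto"] == 1 and end + hdr_len > MAX_IP_LEN:
                hits.append("ping-of-death")        # reassembled datagram would exceed 65535
            key = (p["src"], p["dst"], p["id"], p["proto"])
            if any(start < e and s < end for s, e in self.seen[key]):
                hits.append("tear-drop")            # overlaps a fragment already held
            self.seen[key].append((start, end))
            # A real implementation also ages out incomplete datagrams; omitted here.
        return hits


def frag(src: str = "203.0.113.5", dst: str = "10.1.0.10", ident: int = 1, proto: int = 17,
         offset: int = 0, mf: int = 0, ip_len: int = 44) -> dict:
    """Constructed fragment header (UDP by default: 20-byte header plus 24 payload bytes)."""
    return dict(src=src, dst=dst, id=ident, proto=proto, offset=offset, mf=mf, ip_len=ip_len)


if __name__ == "__main__":
    fs = FragmentScreen()
    print("first fragment:", fs.inspect(frag(ident=1, offset=0, mf=1)))
    print("overlapping second:", fs.inspect(frag(ident=1, offset=1, mf=0)))
    print("oversized ping:", fs.inspect(frag(ident=3, proto=1, offset=8189, mf=0, ip_len=26)))
```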

• udp-flood threshold number UDP flooding occurs when an attacker sends UDP packets to slow down the system to the point that it can no longer process valid connection requests. The threshold number parameter is the number of packets allowed per second to the same destination IP address/port pair. When the number of packets exceeds this value within any one-second period, the NetScreen device generates an alarm and drops subsequent packets for the remainder of that second. The valid range is from 1 to 1,000,000.
UDP flood protection: if there are no UDP applications in use on the network, set this value low to reduce bandwidth and session consumption.
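The icmp-flood and udp-flood screens use the same per-second threshold, differing only in what they count against: the destination address for ICMP, the destination address/port pair for UDP. As an added example (not code from the page or from ScreenOS), the guard below counts packets per key inside the current one-second period, raises one alarm on the first packet over the threshold and drops the rest of that second; timings and addresses are constructed.

```python
"""Per-second flood threshold shared by icmp-flood and udp-flood."""
from typing import Dict, Hashable, List


class FloodGuard:
    def __init__(self, threshold: int):
        self.threshold = threshold                    # packets per second allowed per key
        self.buckets: Dict[Hashable, List] = {}       # key -> [second, count, alarmed]

    def packet(self, t: float, key: Hashable) -> str:
        """Account one packet at time t; return 'pass', 'alarm+drop' or 'drop'."""
        sec = int(t)
        b = self.buckets.get(key)
        if b is None or b[0] != sec:
            b = self.buckets[key] = [sec, 0, False]   # new one-second period: counter reset
        b[1] += 1
        if b[1] > self.threshold:
            if not b[2]:
                b[2] = True
                return "alarm+drop"                   # first excess packet raises the alarm
            return "drop"                             # remainder of the second is dropped
        return "pass"


def icmp_flood(guard: FloodGuard, t: float, dst: str) -> str:
    """icmp-flood keys on the destination address only."""
    return guard.packet(t, ("icmp", dst))


def udp_flood(guard: FloodGuard, t: float, dst: str, dport: int) -> str:
    """udp-flood keys on the destination address/port pair."""
    return guard.packet(t, ("udp", dst, dport))


if __name__ == "__main__":
    g = FloodGuard(threshold=3)
    print([icmp_flood(g, 0.1 * i, "10.1.0.10") for i in range(1, 6)], icmp_flood(g, 1.2, "10.1.0.10"))
```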

• unknown-protocol Discards all received IP frames with protocol numbers greater than 135. Such protocol numbers are undefined or reserved.
Drops packets whose protocol number is unknown.

• winnuke Detects attacks on Windows NetBios communications, modifies the packet as necessary, and passes it on. (Each WinNuke attack triggers an attack log entry in the event alarm log.)
WinNuke targets the Windows NetBIOS session service (TCP port 139) with out-of-band (URG) data; the device clears the URG flag, adjusts the header and forwards the packet rather than dropping it.
[Reposted from 世纪安全网 (21safe), http://www.21safe.com]