© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
Agenda: SCREEN Options
Networks Are Under Attack
[Figure: network diagram showing where attacks enter. Remote access (telecommuter, business partner): compromised PC, U-turn attack, hijacked remote session. Internet, regional office and DMZ: worms, viruses, Trojan attacks. Wireless network: unauthorized WLAN user. Human Resources and Finance segments: internal attacks by roaming or malicious users.]
Points of Vulnerability = Points of Control
[Figure: the same network with each point of vulnerability marked as a point of control: remote access (telecommuter, business partner), Internet, regional office, DMZ, wireless network, Human Resources, Finance, and the LAN data center or core.]
Attack Detection and Prevention
Review: Packet Flow
[Figure: Junos packet-flow diagram. An ingress packet enters the flow module, where SCREEN options (the focus of this chapter) are applied before the session lookup. With no matching session the packet takes the first path: D-NAT, route lookup, zones, policy, S-NAT, services and ALG, after which a session is created; the event scheduler handles session timeouts. The packet then leaves as an egress packet.]
Agenda: SCREEN Options
Stages of an Attack
• IP address sweep
• Port scanning
• IP options
• OS probes
• Evasion techniques
Types of Attack: Denial of Service
Forms of DoS:
• Router and firewall DoS
  • Session table flood
  • SYN-ACK-ACK proxy flood
• Network DoS
  • SYN flood
  • SYN cookie
  • ICMP flood
  • UDP flood
  • LAND attack
• Device DoS
  • Ping of Death
  • Teardrop
  • WinNuke
[Figure: attacker on the Internet targeting a Web Server.]
Types of Attacks: Suspicious Packets
Suspicious packets:
• ICMP abnormalities
• Bad IP options
• Unknown protocols
• IP packet fragments
• SYN fragments
Agenda: SCREEN Options
SCREEN Options—Best Practices
Best practice suggestions:
• Prior to implementing SCREEN options, you should know:
  • Legitimate applications and their behavior
  • Legitimate traffic patterns
• Failure to understand legitimate traffic patterns can lead to malfunctioning networks and unhappy users
• Deploy SCREEN options only in vulnerable zones
• Use the alarm-without-drop statement to test the configured SCREEN values prior to full deployment, ensuring that legitimate traffic is handled properly:
[edit security screen]
user@host# show
ids-option ids-option-name {
    alarm-without-drop;
}
IP Address Sweep and Port Scan
The attack:
• Send ICMP packets or SYN segments to various hosts within a predefined period of time, hoping that one replies
• Once a host or port replies, the target is uncovered
The defense:
• Drop all ICMP traffic from a source after:
  • >10 ICMP packets sent within a configurable time threshold
• Drop all traffic from a source after:
  • >10 ports scanned within a configurable time threshold
• Both thresholds are configurable, ranging from 1000 to 1,000,000 microseconds (default is 5000)
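The sliding-window logic behind these two thresholds, as an added Python example (not Junos code or course material): a per-source detector counts distinct ICMP destinations (ip-sweep) or distinct TCP ports (port-scan) inside a window of threshold microseconds and drops once more than 10 have been seen. The class, the trace and the addresses are constructed for this illustration; alarm_without_drop mirrors the alarm-without-drop statement from the best-practices slide.

```python
from collections import defaultdict, deque


class SweepScanDetector:
    """Sliding-window model of the ip-sweep and port-scan SCREEN thresholds.

    threshold_us: window length in microseconds (page default 5000, range 1000..1,000,000).
    limit: distinct targets a source may touch inside the window before further
           packets of that kind are dropped (the page's "more than 10").
    alarm_without_drop: record the event but let the packet through, as the
           alarm-without-drop statement does during a trial deployment.
    """

    def __init__(self, threshold_us=5000, limit=10, alarm_without_drop=False):
        if not 1000 <= threshold_us <= 1_000_000:
            raise ValueError("threshold must be 1000..1,000,000 microseconds")
        self.threshold_us = threshold_us
        self.limit = limit
        self.alarm_without_drop = alarm_without_drop
        # (source, kind) -> deque of (timestamp_us, target) still inside the window
        self.windows = defaultdict(deque)
        self.alarms = []  # (timestamp_us, source, kind) for every threshold crossing

    def _distinct_in_window(self, key, ts_us, target):
        win = self.windows[key]
        while win and ts_us - win[0][0] > self.threshold_us:
            win.popleft()  # expire entries older than the threshold
        win.append((ts_us, target))
        return len({t for _, t in win})

    def inspect(self, ts_us, src, dst, proto, dport=None):
        """Return 'pass' or 'drop' for one packet; ts_us is a microsecond timestamp."""
        if proto == "icmp":
            kind, target = "ip-sweep", dst            # distinct hosts probed by ICMP
        elif proto == "tcp":
            kind, target = "port-scan", (dst, dport)  # distinct ports touched by SYNs
        else:
            return "pass"                            # other protocols are not screened here
        if self._distinct_in_window((src, kind), ts_us, target) > self.limit:
            self.alarms.append((ts_us, src, kind))
            return "pass" if self.alarm_without_drop else "drop"
        return "pass"


def run_sample_trace():
    """Constructed trace: one source pings 12 hosts 250 us apart, then one host 60 ms later."""
    det = SweepScanDetector(threshold_us=5000)
    verdicts = [det.inspect(i * 250, "203.0.113.9", f"10.1.10.{i + 1}", "icmp") for i in range(12)]
    # By 60 ms the window has slid past the burst, so the same source passes again.
    verdicts.append(det.inspect(60_000, "203.0.113.9", "10.1.10.99", "icmp"))
    return verdicts  # 10 x 'pass', 2 x 'drop', then 'pass'
```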
IP Address Sweep and Port Scan—SCREEN Options
[Figure: ICMP packets or TCP SYN segments from the Internet arriving at the Finance Server and the Data Server.]
If security policy permits ICMP traffic, enable the IP address sweep SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    icmp {
        ip-sweep threshold microseconds;
    }
}
Enable the port scanning detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        port-scan threshold microseconds;
    }
}
IP Options
The attack:
• Cause problems to network devices and networks by abusing the options field of an IP packet—the record route, timestamp, security, and stream ID fields
The defense:
• Track packets that use any of these options
• Flag these packets as a network reconnaissance attack
• Record the events and the corresponding ingress interface
IP Options—SCREEN Options
[Figure: IPv4 header layout (version, header length, type of service, total packet length, source address, destination address, options, payload) with the options field highlighted as the field inspected.]
Operating System Probes
The attack:
• Probe the targeted host, trying to learn its operating system
• Use OS information to exploit known vulnerabilities
The defense:
• Detect SYN and FIN flags set in TCP segments
• Detect TCP segments with the FIN flag set without the ACK flag
• Detect a TCP segment without any flags set
Operating System Probes—SCREEN Options
[Figure: TCP header layout: 16-bit source port, 16-bit destination port, 4-bit header length, reserved bits, the URG, ACK, PSH, RST, SYN and FIN flag bits, and the 16-bit window size; the flag bits are the fields these SCREEN options inspect.]
IP Spoofing
The attack:
• Invade networks by making the packets appear as if they come from a trusted source
The defense:
• Compare the source IP address of an incoming packet with the closest prefix match found in the forwarding table
  • If the prefix was not learned from the ingress interface of the incoming packet, consider the packet to be an IP spoof attack
  • Deny those packets
IP Spoofing—SCREEN Option
[Figure: a packet with SA=168.10.10.1 arrives from the Internet on ge-1/0/0, but its source address is part of the 168.10.10/24 range that belongs to the Private Zone (Finance Server, Data Server).]
Forwarding Table:
Network            Interface   Gateway
168.10.10/24       ge-0/0/1    direct
168.10.10.224/27   ge-0/0/0    direct
0.0.0.0            ge-1/0/0    direct
Enable the IP spoofing detection SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        spoofing;
    }
}
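The reverse-path comparison described above, as an added Python example (not Junos code or course material): the forwarding table is the one on the slide written as CIDR prefixes (the slide's 0.0.0.0 default becomes 0.0.0.0/0); the source addresses used in the checks and the permit/alarm/drop verdict names are constructed for this illustration.

```python
from ipaddress import ip_address, ip_network

# The slide's forwarding table, constructed here as (prefix, interface, gateway).
FORWARDING_TABLE = [
    ("168.10.10.0/24", "ge-0/0/1", "direct"),
    ("168.10.10.224/27", "ge-0/0/0", "direct"),
    ("0.0.0.0/0", "ge-1/0/0", "direct"),       # default route toward the Internet
]


def longest_prefix_match(table, addr):
    """Return (network, interface, gateway) for the most specific prefix covering addr."""
    addr = ip_address(addr)
    best = None
    for prefix, iface, gw in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def is_spoofed(table, src_addr, ingress_iface):
    """Spoofed if the closest prefix for the source was not learned via the ingress interface."""
    match = longest_prefix_match(table, src_addr)
    if match is None:
        # Assumption of this example: a source with no route at all is treated as spoofed.
        return True
    return match[1] != ingress_iface


def screen_packet(table, src_addr, ingress_iface, alarm_without_drop=False):
    """SCREEN verdict for one packet: 'permit', 'drop', or 'alarm' when alarm-without-drop is set."""
    if not is_spoofed(table, src_addr, ingress_iface):
        return "permit"
    return "alarm" if alarm_without_drop else "drop"


def slide_scenario():
    """The slide's case: SA=168.10.10.1 arriving on ge-1/0/0, whose prefix belongs to ge-0/0/1."""
    return screen_packet(FORWARDING_TABLE, "168.10.10.1", "ge-1/0/0")  # 'drop'
```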
IP Source Route Options
The attack:
• Hide the true source address
• Access restricted areas of a network by specifying a different route
The defense:
• Block any packets with loose or strict source route options set
—OR—
• Detect those options as being set and record them
IP Source Route Options—SCREEN Options
[Figure: the External Zone (3.3.3/24) and the Internet in front of the Finance Server and Data Server behind ge-1/0/0 (5.5.5/24). Policy permits traffic originating from source 5.5.5/24; a packet with SA=5.5.5.100 carries the source route option. SCREEN option: deny IP traffic with the source route option set.]
Enable the IP source route option detection SCREEN option to block packets upon detection:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        source-route-option;
    }
}
Enable the IP source route option detection SCREEN option to record packets upon detection:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        loose-source-route-option;
        strict-source-route-option;
    }
}
Agenda: SCREEN Options
DoS Attacks—Goals and Categories
Firewall and Router Device DoS—Session Table Flood
The attack:
• Session table floods can take many forms—SYN flood, ICMP flood, UDP flood, and so forth
The defense:
• Limit the source-based number of concurrent sessions
• Limit the destination-based number of concurrent sessions
Session Table Flood—SCREEN Option
Limit the number of concurrent sessions based on either the source IP address, the destination IP address, or both:
• Set a source-based session limit to prevent a DoS attack
  • Default is 128; range is dependent upon the device
• Set a destination-based session limit to prevent a DDoS attack
  • Default is 128; range is dependent upon the device
Enable the session table flood SCREEN option to prevent DoS attacks on firewall or router devices:
[edit security screen]
user@host# show
ids-option ids-option-name {
    limit-session {
        source-ip-based number-of-sessions;
        destination-ip-based number-of-sessions;
    }
}
Firewall and Router Device DoS—SYN-ACK-ACK Proxy Flood
[Figure: sequence diagram of a SYN-ACK-ACK proxy flood; the visible steps are 6 ACK, 7 send login prompt, 8 SYN, 9 SYN/ACK, 10 ACK, and the cycle continues.]
SYN-ACK-ACK Proxy Flood—SCREEN Option
The defense:
• Be a proxy for TCP connections, thereby detecting SYN-ACK-ACK sessions
• Set a SYN-ACK-ACK proxy threshold per source address
  • Default is 512 connections; range is between 1 and 250,000
• Limit the number of concurrent TCP sessions from a single source:
Enable the SYN-ACK-ACK proxy flood SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    tcp {
        syn-ack-ack-proxy threshold number-of-connections;
    }
}
Network DoS—SYN Flood
The attack:
• A SYN flood attack inundates a target network resource with SYN segments containing forged or spoofed IP source addresses with nonexistent or unreachable addresses
  • Forces targets to respond with SYN/ACK and wait for responses
• Because the destinations do not exist, sessions consume memory resources until timing out
• When memory is exhausted, no legitimate session can be established
The defense:
• Limit the number of SYN segments per second using threshold-based SYN proxying
SYN Flood—SCREEN Options
[Figure: SYN flood against the Data Server: a SYN arrives, the server answers with SYN/ACK to a source that never responds (?), and further SYNs keep arriving.]
Network DoS Attack Mitigation with the Help of the SYN Cookie
SYN cookie advantages:
• Protects targeted hosts and the Junos security device from spoofed SYN flood attacks
• Ensures that a valid SYN cookie response is received prior to allowing processing of a new TCP connection
• A SYN cookie is stateless; therefore, it does not require a session, a policy, or a route lookup
SYN cookie details:
• Uses a cryptographic hash to generate a unique TCP ISN
• Generates a cookie from a local address, a foreign address, and ports
• Sends one SYN-ACK back with the cookie as the ISN
• Cryptographically verifies the received ACK based on the cookie
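An added Python sketch (not Junos code or course material) of the SYN cookie mechanism described above: the ISN is an HMAC over the local and foreign address/port pairs plus a coarse time slot, so nothing is stored when the SYN arrives, and the returning ACK is verified by recomputing the cookie. The secret, the endpoints, the 5-bit slot field and the one-slot grace period are assumptions of the example.

```python
import hashlib
import hmac

SLOT_BITS = 5                                  # top bits of the ISN carry a coarse time slot
SLOT_MASK = (1 << SLOT_BITS) - 1
MAC_MASK = (1 << (32 - SLOT_BITS)) - 1         # remaining bits hold the truncated HMAC


def make_syn_cookie(secret, local, foreign, slot):
    """ISN for the SYN/ACK: HMAC over (local addr, port, foreign addr, port, slot).

    local/foreign are (address, port) tuples. No per-connection state is kept,
    which is what lets the device answer a spoofed SYN flood without filling a table.
    """
    msg = f"{local[0]}:{local[1]}|{foreign[0]}:{foreign[1]}|{slot}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((slot & SLOT_MASK) << (32 - SLOT_BITS)) | (mac & MAC_MASK)


def validate_ack(secret, local, foreign, ack_num, now_slot, max_age_slots=1):
    """True if the ACK number is cookie+1 for the current slot or one that recently expired."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    for age in range(max_age_slots + 1):
        slot = (now_slot - age) & SLOT_MASK
        expected = make_syn_cookie(secret, local, foreign, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return True
    return False  # stale, forged or never-issued cookie: no session is created


def simulate_handshake(secret, ack_offset=1, slots_elapsed=0):
    """Steps 1-3 of the slide's sequence with constructed endpoints.

    ack_offset=1 is a genuine third-handshake ACK; any other value models a forged ACK.
    slots_elapsed is how many time slots pass between the SYN/ACK and the ACK.
    """
    local, foreign = ("10.1.10.8", 80), ("203.0.113.5", 40000)   # constructed addresses
    slot_at_syn = 7
    isn = make_syn_cookie(secret, local, foreign, slot_at_syn)     # 1-2: SYN in, SYN/ACK out
    ack_num = (isn + ack_offset) & 0xFFFFFFFF                      # 3: client's ACK number
    return validate_ack(secret, local, foreign, ack_num, slot_at_syn + slots_elapsed)
```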
SYN Cookie Handling
[Figure: Host, the Junos security device with its session table, and the Finance Server / Data Server.]
1. SYN from the host. Session lookup: no session match; SYN cookie triggered; calculate the ISN; send a SYN/ACK back to the source.
2. SYN/ACK to the host.
3. ACK from the host. Session lookup: no session match; SYN cookie validated; process the first packet; create a session; send a SYN to the server.
4. SYN to the server. The server accepts the connection and sends a SYN/ACK.
5. SYN/ACK from the server. The device sends an ACK to both ends.
6. ACK to the server.
7. ACK to the host. Connected.
8. Data/ACK
9. ACK
[Figure: UDP floods against the Finance Server and the Data Server.]
Enable the ICMP flood SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    icmp {
        flood threshold value-packetsPerSec;
    }
}
Enable the UDP flood SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    udp {
        flood threshold value-packetsPerSec;
    }
}
Network DoS—LAND Attack
The attack:
• The attacker sends a combined attack—a SYN attack with IP spoofing.
  • This attack sends spoofed SYN packets containing the IP address of the target as both the source and destination IP address
The defense:
• Combining elements of the SYN flood defense and IP spoofing protection
  • Results in the detection and blocking of malicious traffic
LAND Attack—SCREEN Option
PC-Based Operating System DoS Attacks
The attack:
• Ping of Death
• Teardrop
• WinNuke
The defense:
• Detect oversized and irregular ICMP packets
• Detect a discrepancy in a fragmented packet and drop it
• Detect the URG flag set within a packet and unset it
PC-Based OS DoS—SCREEN Options
Mitigation of attacks:
• Ping of Death mitigation:
Enable the Ping of Death SCREEN option:
[edit security screen]
lab@host# show
ids-option ids-option-name {
    icmp {
        ping-death;
    }
}
• WinNuke mitigation:
Enable the WinNuke SCREEN option:
[edit security screen]
lab@host# show
ids-option ids-option-name {
    tcp {
        winnuke;
    }
}
• Teardrop mitigation:
Enable the Teardrop SCREEN option:
[edit security screen]
user@host# show
ids-option ids-option-name {
    ip {
        tear-drop;
    }
}
Agenda: SCREEN Options
ICMP Abnormalities
The attack:
• Use ICMP packets to attack hosts, networks, or both
• Once targets are defined, launch attacks
The defense:
• Detect fragmentation of an ICMP packet
• Block any fragmented ICMP packets
• Drop ICMP packets with a length > 1024 bytes
ICMP Abnormalities—SCREEN Option
[Figure: IPv4 header (version, header length, type of service, total packet length, identification, D and M flags, fragment offset, protocol, destination address, options, payload) with the fields this SCREEN option checks: the protocol is ICMP, the More Fragments flag is set, and the total packet length value is > 1024 bytes.]
IP Packet Fragments and Bad IP Options
IP Packet Fragments and Bad IP Options—SCREEN Option
[Figure: IPv4 header (version, header length, type of service, total packet length, destination address, options, payload) with the fields this SCREEN option checks: the fragment offset value is nonzero, and the IP options are incorrectly formatted.]
Unknown Protocols
The attack:
• Abuse the protocol type field by setting it to 137 or greater
• Produce malicious packets
The defense:
• Detect and block packets with the protocol ID set to 137 or greater
Unknown Protocols—SCREEN Option
[Figure: IPv4 header layout (version, header length, type of service, total packet length, options, payload); the protocol type field is the one this SCREEN option checks.]
SYN Fragments
The attack:
• Abuse the legitimacy of packet fragmentation
• Crash the system by producing malicious packets resulting from IP packet reassembly
The defense:
• Detect and block TCP SYN fragmented packets
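The header checks from the OS probe, LAND attack, ICMP abnormality, unknown protocol and SYN fragment slides, collected into one added Python example (not Junos code or course material): a raw IPv4/TCP header parser reports which of those conditions a packet meets. The packet builders and the sample addresses are constructed for this illustration, and checksums are left zero.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload, total_len=None, mf=False, frag_off=0):
    """Constructed IPv4 datagram (TTL 64, checksum zero) for the sample set."""
    total_len = 20 + len(payload) if total_len is None else total_len
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, total_len, 0, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header carrying only the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def screen_checks(pkt):
    """Return the SCREEN-style anomalies found in one IPv4 packet, in a fixed order."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        return ["not-ipv4"]
    ihl = (ver_ihl & 0x0F) * 4
    frag_off = flags_frag & 0x1FFF
    fragmented = bool(flags_frag & 0x2000) or frag_off != 0   # MF set, or a later fragment
    hits = []
    if proto >= 137:
        hits.append("unknown-protocol")        # protocol ID 137 or greater
    if proto == 1:
        if fragmented:
            hits.append("icmp-fragment")       # fragmented ICMP is blocked
        if total_len > 1024:
            hits.append("icmp-large")          # total length > 1024 bytes
    if src == dst:
        hits.append("land")                    # same source and destination address
    # TCP flags exist only in the first fragment (offset 0); later fragments carry no header
    if proto == 6 and frag_off == 0 and len(pkt) >= ihl + 14:
        tflags = pkt[ihl + 13]
        if tflags & SYN and fragmented:
            hits.append("syn-fragment")        # SYN inside a fragmented datagram
        if tflags & SYN and tflags & FIN:
            hits.append("syn-fin")             # OS probe: SYN and FIN together
        if tflags & FIN and not tflags & ACK:
            hits.append("fin-no-ack")          # OS probe: FIN without ACK
        if tflags == 0:
            hits.append("tcp-no-flag")         # OS probe: no flags at all
    return hits
```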
SYN Fragments—SCREEN Option
[Figure: IPv4 header (version, header length, type of service, total packet length, identification, D and M flags, fragment offset, options) with the field this SCREEN option checks: the fragment offset value is nonzero.]
Configuration Syntax for SCREEN Options
Configuration steps:
• Step 1: Creating SCREEN options
security {
    screen {
        ids-option ids-option-name {
            options;
            options;
            …
        }
    }
}
[Figure: case-study topology. Private Zone: Host A (10.1.10.8) and Host B (10.1.10.5) behind ge-0/0/3.100. Public Zone: ge-1/0/1.602 (.2) toward EdgeR and the Internet.]
Case Study: Step 1—Creating the SCREEN Options
Create SCREEN options to offer protection from
[edit]
user@host# show security
screen {
Case Study: Step 2—Applying the SCREEN
Apply the created SCREEN option to the public zone:
[edit]
user@host# show security zones
...
security-zone Public {
    address-book {
        address host1 2.2.2.1/32;
        address host2 1.1.70.251/32;
        address-set Public-hosts {
            address host1;
            address host2;
        }
    }
    screen Protector;
    host-inbound-traffic {
        system-services {
            all;
            telnet {
                except;
            }
        }
...
Attack Monitoring (1 of 3)
Use the show security screen statistics zone command:
user@host> show security screen statistics zone Public
Screen statistics:

IDS attack type                          Statistics
ICMP flood                               0
UDP flood                                0
TCP winnuke                              0
Attack Monitoring (2 of 3)
Use the show security screen ids-option screen-name command:
[edit]
user@host# show security
screen {
    ids-option Protector {
        icmp {
            fragment;
            large;
            flood threshold 500;
        }
        limit-session {
            source-ip-based 50;
        }
    }
}
user@host> show security screen ids-option Protector
Screen object status:

Name                                     Value
ICMP flood threshold                     500
ICMP fragmentation                       enabled
ICMP large packet                        enabled
Session source limit threshold           50
Session destination limit threshold      128
Attack Monitoring (3 of 3)
Log events into a traceoptions file:
[edit security]
user@host# show screen
traceoptions {
    file {
        filename;
        files number-of-tracefiles;
        no-world-readable | world-readable;
        size maximum-size-of-tracefile;
        match regular-expression-for-logged-info;
    }
    flag configuration | flow | all;
}
Summary
In this chapter we:
• Explained the meaning of SCREEN options
• Listed various types of attacks that SCREEN options can detect and prevent
• Identified the advantages of using the Junos SCREEN options
• Configured zone-based SCREEN options to block attacks
• Applied and monitored SCREEN operations
Review Questions
Lab 4: Implementing SCREEN Options