DoS Classification for Juniper Protection Detection

2025-03-28 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Juniper DoS classification. The commands below are ScreenOS CLI screen options; in "set zone zone screen ...", the second "zone" stands for the zone name (for example untrust).

I. Network DoS attacks

1. SYN flood

Exploits the TCP three-way handshake.

Normally A sends a SYN segment to B, B responds with a SYN/ACK segment, and A completes the handshake with an ACK segment.

In a SYN flood, the source IP address in the SYN segments sent by A is spoofed and unreachable, so B's SYN/ACK replies never get an answer and each half-open connection is held until it times out.

Enough of these half-open connections fill the host's connection backlog (memory buffer), the host can no longer handle new TCP connection requests, and the system stops working normally.

Enable SYN flood protection:

set zone zone screen syn-flood

Number of SYN segments per second required to activate SYN flood protection (SYN proxying); set it according to the actual traffic:

set zone zone screen syn-flood attack-threshold number

Number of proxied connection requests per second after which an alarm is written to the event log:

set zone zone screen syn-flood alarm-threshold number

Number of SYN segments per second accepted from a single source IP address:

set zone zone screen syn-flood source-threshold number

Number of SYN segments per second accepted for a single destination IP address:

set zone zone screen syn-flood destination-threshold number

Maximum time, in seconds, that a half-completed connection is held in the queue before it is dropped:

set zone zone screen syn-flood timeout number

Number of proxied connection requests held in the proxied-connection queue before the security device starts rejecting new connection requests:

set zone zone screen syn-flood queue-size number

Drop SYN packets whose destination MAC address is not in the security device's MAC learning table. (The option relies on the MAC learning table, which the device keeps in Transparent mode, so it applies to Transparent mode.)

set zone zone screen syn-flood drop-unknown-mac

2. ICMP flood

A large volume of ICMP packets every second makes the victim use up all its resources responding to them, so it can no longer handle legitimate connections.

ICMP flood protection (the threshold is the number of ICMP packets per second above which the device starts dropping them):

set zone zone screen icmp-flood threshold number

set zone zone screen icmp-flood

3. UDP flood

Sends a large number of IP packets carrying UDP datagrams, so that the victim is unable to process legitimate connections.

UDP flood protection (the threshold is the number of UDP packets per second above which the device starts dropping them):

set zone zone screen udp-flood threshold number

set zone zone screen udp-flood
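The following Python script is an added example, not ScreenOS code and not from the original page. It replays constructed per-second flow records through counters modelled on the syn-flood attack, alarm, source and destination thresholds and the icmp-flood and udp-flood thresholds described above, and renders the matching set zone commands. The threshold values, the zone name untrust, the record format and the sample traffic are all assumptions made for the example.

```python
"""Per-second flood counters modelled on the ScreenOS screen thresholds above.

Added example, not ScreenOS code. Records are constructed tuples of
(timestamp_seconds, proto, tcp_flags, src, dst); thresholds are illustrative.
"""
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions, not ScreenOS defaults), keyed by the
# screen option they correspond to.
THRESHOLDS = {
    "syn-flood attack-threshold": 200,       # SYNs/s before SYN proxying starts
    "syn-flood alarm-threshold": 100,        # SYNs/s before an alarm is logged
    "syn-flood source-threshold": 100,       # SYNs/s from one source IP
    "syn-flood destination-threshold": 250,  # SYNs/s to one destination IP
    "icmp-flood threshold": 25,              # ICMP packets/s
    "udp-flood threshold": 10,               # UDP packets/s
}

# Constructed sample traffic: second 0 carries 220 SYNs to one server, 150 of
# them from a single source; second 1 carries 30 ICMP and 5 UDP packets.
SAMPLE = (
    [(0, "tcp", "S", "10.0.0.5", "192.0.2.10")] * 150
    + [(0, "tcp", "S", f"10.0.1.{i}", "192.0.2.10") for i in range(70)]
    + [(0, "tcp", "SA", "192.0.2.10", "10.0.0.5")] * 20   # SYN/ACKs are not counted
    + [(1, "icmp", "", "10.0.0.9", "192.0.2.10")] * 30
    + [(1, "udp", "", "10.0.0.9", "192.0.2.53")] * 5
)


def bucket(records):
    """Group records into per-second counters, the way the screen thresholds
    are expressed (per second, optionally per source or per destination)."""
    per_sec = defaultdict(lambda: {"syn": 0, "syn_src": Counter(),
                                   "syn_dst": Counter(), "icmp": 0, "udp": 0})
    for ts, proto, flags, src, dst in records:
        b = per_sec[int(ts)]
        if proto == "tcp" and flags == "S":   # pure SYN only, not SYN/ACK
            b["syn"] += 1
            b["syn_src"][src] += 1
            b["syn_dst"][dst] += 1
        elif proto == "icmp":
            b["icmp"] += 1
        elif proto == "udp":
            b["udp"] += 1
    return per_sec


def evaluate(records, thresholds=THRESHOLDS):
    """Return (second, screen option, key, count) for every threshold exceeded.
    key is the offending source or destination IP, or None for zone-wide counts."""
    events = []
    for sec, b in sorted(bucket(records).items()):
        for opt in ("syn-flood attack-threshold", "syn-flood alarm-threshold"):
            if b["syn"] > thresholds[opt]:
                events.append((sec, opt, None, b["syn"]))
        for src, n in b["syn_src"].items():
            if n > thresholds["syn-flood source-threshold"]:
                events.append((sec, "syn-flood source-threshold", src, n))
        for dst, n in b["syn_dst"].items():
            if n > thresholds["syn-flood destination-threshold"]:
                events.append((sec, "syn-flood destination-threshold", dst, n))
        if b["icmp"] > thresholds["icmp-flood threshold"]:
            events.append((sec, "icmp-flood threshold", None, b["icmp"]))
        if b["udp"] > thresholds["udp-flood threshold"]:
            events.append((sec, "udp-flood threshold", None, b["udp"]))
    return events


def screen_config(zone, thresholds=THRESHOLDS):
    """Render the ScreenOS commands that would apply these thresholds to a zone."""
    lines = [f"set zone {zone} screen {opt} {val}" for opt, val in thresholds.items()]
    lines += [f"set zone {zone} screen {s}" for s in ("syn-flood", "icmp-flood", "udp-flood")]
    return lines


if __name__ == "__main__":
    for sec, opt, key, count in evaluate(SAMPLE):
        print("second %d: %s exceeded (%s, count=%d)" % (sec, opt, key or "zone-wide", count))
    print("\n".join(screen_config("untrust")))
```

With the sample traffic, second 0 trips the attack, alarm and source thresholds (the 220 SYNs stay under the destination threshold of 250, and the 20 SYN/ACKs are ignored), and second 1 trips only the ICMP threshold; the point is that the source threshold catches the single 150-SYN host even when the aggregate rate is tuned higher.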

4. Land attack

Combines a SYN attack with IP spoofing: the attacker sends the victim a spoofed SYN packet that carries the victim's own IP address as both source and destination.

The victim responds by sending the SYN/ACK to itself and creates an empty connection that persists until the idle timeout is reached. Enough of these empty connections exhaust system resources and deny service.

Land attack protection:

set zone zone screen land

II. OS-related DoS attacks

1. Ping of death

The maximum IP packet size is 65535 bytes.

A normal ICMP packet:

IP header: 20 bytes, ICMP header: 8 bytes, ICMP data: up to 65507 bytes (20 + 8 + 65507 = 65535)

Attack packet:

IP header: 20 bytes, ICMP header: 8 bytes, ICMP data: 65510 bytes

65510 exceeds the normal 65507 bytes. The packet is transmitted as many fragments, and when the receiver reassembles them the datagram exceeds 65535 bytes, which can overflow the reassembly buffer and crash the receiving system.

Turn on ping-of-death protection:

set zone zone screen ping-death

2. Teardrop attack

Teardrop attacks exploit the reassembly of IP fragments. The IP header carries a fragment offset field that gives the position of this fragment's data within the original datagram. When the offset of one fragment falls before the end of the data of another fragment of the same datagram, the fragments overlap, and a receiver that tries to reassemble them can crash, especially on older systems that lack the patch for this bug.

Example (offsets and lengths in bytes):

First fragment:

Offset: 0, IP header: 20, data: 800, length 820, more fragments: 1

Second fragment:

Offset: 800, IP header: 20, data: 600, length 620, more fragments: 0

The illustration treats the second fragment's offset (800) as 20 bytes before the end of the first fragment (820), that is, as an overlap. Strictly, the fragment offset counts payload bytes only, so the first fragment's data ends at byte 800 and a second fragment at offset 800 is contiguous; a real teardrop fragment carries an offset that lands inside the first fragment's data (776, for example) or a length that ends before the first fragment does. Either way the receiver sees inconsistent fragment boundaries, and some systems crash while trying to reassemble them.

Enable teardrop protection:

set zone zone screen tear-drop

3. WinNuke

A DoS attack against Windows hosts. The attacker sends a TCP segment with the URG (urgent) flag set to NetBIOS port 139 of a host that has an established connection. This creates a NetBIOS fragment overlap, and the Windows machine crashes.

Enable WinNuke protection:

set zone zone screen winnuke
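The following Python script is an added example, not ScreenOS code and not from the original page. It shows the packet-level checks behind the land, ping-death, tear-drop and winnuke screen options above: it inspects constructed packets, tracks fragments per datagram, and flags SYNs whose source equals their destination, reassembled ICMP datagrams over 65535 bytes, overlapping fragments, and URG segments to port 139. The Packet model, the sample packets (including the contiguous pair from the teardrop example, which is accepted) and the in-order fragment assumption are the example's own.

```python
"""Packet-level checks behind the land, ping-death, tear-drop and winnuke
screen options. Added example, not ScreenOS code; the packet model and the
sample packets are constructed for illustration."""
from dataclasses import dataclass

IP_HEADER_LEN = 20
MAX_IP_DATAGRAM = 65535   # largest legal IP packet, header included


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    ip_id: int = 0                # IP identification, shared by all fragments of one datagram
    frag_offset: int = 0          # byte offset of this fragment's data (header field x 8)
    more_fragments: bool = False  # MF flag
    payload_len: int = 0          # bytes of IP payload carried in this fragment
    tcp_flags: str = ""           # e.g. "S", "SA", "PU"
    dport: int = 0


class PacketScreen:
    def __init__(self):
        # (src, dst, proto, ip_id) -> [(offset, length)] of fragments seen so far
        self._frags = {}

    def inspect(self, pkt):
        """Return the list of screen names this packet trips (possibly empty)."""
        alerts = []
        if pkt.proto == "tcp" and pkt.tcp_flags == "S" and pkt.src == pkt.dst:
            alerts.append("land")        # SYN addressed to itself
        if pkt.proto == "tcp" and pkt.dport == 139 and "U" in pkt.tcp_flags:
            alerts.append("winnuke")     # urgent data to the NetBIOS session port
        if pkt.more_fragments or pkt.frag_offset:
            alerts += self._check_fragment(pkt)
        return alerts

    def _check_fragment(self, pkt):
        alerts = []
        end = pkt.frag_offset + pkt.payload_len   # byte where this fragment's data ends
        # ping-death: the reassembled datagram (header + data) would exceed 65535 bytes
        if pkt.proto == "icmp" and end + IP_HEADER_LEN > MAX_IP_DATAGRAM:
            alerts.append("ping-death")
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        seen = self._frags.setdefault(key, [])
        # tear-drop: this fragment's data range intersects one already received
        for off, length in seen:
            if pkt.frag_offset < off + length and off < end:
                alerts.append("tear-drop")
                break
        seen.append((pkt.frag_offset, pkt.payload_len))
        if not pkt.more_fragments:
            # Simplification: fragments are assumed to arrive in order, so the
            # last one closes the datagram. A real device also expires stale entries.
            self._frags.pop(key, None)
        return alerts


# Constructed sample: one packet (or fragment pair) per attack, plus the
# contiguous fragment pair from the teardrop example, which is accepted.
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.10", "tcp", tcp_flags="S", dport=80),     # land
    Packet("10.0.0.7", "192.0.2.20", "tcp", tcp_flags="PU", dport=139),     # winnuke
    Packet("10.0.0.7", "192.0.2.20", "icmp", ip_id=1, frag_offset=0, more_fragments=True, payload_len=1480),
    Packet("10.0.0.7", "192.0.2.20", "icmp", ip_id=1, frag_offset=65120, payload_len=398),  # 65120+398+20 = 65538
    Packet("10.0.0.7", "192.0.2.20", "udp", ip_id=2, frag_offset=0, more_fragments=True, payload_len=800),
    Packet("10.0.0.7", "192.0.2.20", "udp", ip_id=2, frag_offset=776, payload_len=600),  # overlaps bytes 776..799
    Packet("10.0.0.7", "192.0.2.20", "udp", ip_id=3, frag_offset=0, more_fragments=True, payload_len=800),
    Packet("10.0.0.7", "192.0.2.20", "udp", ip_id=3, frag_offset=800, payload_len=600),  # contiguous: no alert
]


def run(packets):
    """Feed packets through one PacketScreen; return (packet index, alert) pairs."""
    screen = PacketScreen()
    hits = []
    for i, pkt in enumerate(packets):
        hits += [(i, a) for a in screen.inspect(pkt)]
    return hits


if __name__ == "__main__":
    for i, alert in run(SAMPLE):
        print(f"packet {i}: {alert}")
```

Running it reports land for packet 0, winnuke for packet 1, ping-death for the last ICMP fragment (packet 3) and tear-drop for the fragment at offset 776 (packet 5); the pair at offsets 0 and 800 produces nothing, which is the point made in the teardrop section about where the overlap really has to be.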
