Management of logging and protection against network attacks
Management of protection against network attacks
ip firewall screen dos-defense icmp-threshold
This command enables protection against ICMP flood attacks. When the protection is enabled, the number of ICMP packets of all types per second sent to one destination address is limited.
The use of a negative form (no) of the command disables ICMP flood protection.
Syntax
ip firewall screen dos-defense icmp-threshold { <NUM> }
no ip firewall screen dos-defense icmp-threshold
Parameters
<NUM> – maximum number of ICMP packets per second, set in the range [1..10000].
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense icmp-threshold 2000
ip firewall screen dos-defense land
This command enables protection against land attacks. When the protection is enabled, packets whose source and destination IP addresses are identical and whose TCP header has the SYN flag set are blocked.
The use of a negative form (no) of the command disables land attacks protection.
Syntax
[no] ip firewall screen dos-defense land
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense land
ip firewall screen dos-defense limit-session-destination
When a host's IP session table overflows, the host cannot establish new sessions and drops incoming requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). This command limits the number of packets per second transmitted to each destination address, which mitigates such DoS attacks.
The use of a negative form (no) of the command removes the restriction.
Syntax
ip firewall screen dos-defense limit-session-destination { <NUM> }
no ip firewall screen dos-defense limit-session-destination
Parameters
<NUM> – maximum number of IP packets per second, set in the range [1..10000].
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense limit-session-destination 1000
ip firewall screen dos-defense limit-session-source
When a host's IP session table overflows, the host cannot establish new sessions and drops incoming requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). This command limits the number of packets per second transmitted from each source address, which mitigates such DoS attacks.
The use of a negative form (no) of the command removes the restriction.
Syntax
ip firewall screen dos-defense limit-session-source { <NUM> }
no ip firewall screen dos-defense limit-session-source
Parameters
<NUM> – maximum number of IP packets per second, set in the range [1..10000].
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense limit-session-source 1000
ip firewall screen dos-defense syn-flood
This command enables protection against SYN flood attacks. When the protection is enabled, the number of TCP packets with the SYN flag set per second sent to one destination address is limited.
The use of a negative form (no) of the command disables SYN flood protection.
Syntax
ip firewall screen dos-defense syn-flood { <NUM> } [src-dst]
no ip firewall screen dos-defense syn-flood
Parameters
<NUM> – maximum number of TCP packets with the SYN flag set per second, set in the range [1..10000].
src-dst – the limit on TCP packets with the SYN flag set is applied per source and destination address pair.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense syn-flood 100 src-dst
ip firewall screen dos-defense udp-threshold
This command enables protection against UDP flood attacks. When the protection is enabled, the number of UDP packets per second sent to one destination address is limited.
The use of a negative form (no) of the command disables UDP flood protection.
Syntax
ip firewall screen dos-defense udp-threshold { <NUM> }
no ip firewall screen dos-defense udp-threshold
Parameters
<NUM> – maximum number of UDP packets per second, set in the range [1..10000].
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense udp-threshold
ip firewall screen dos-defense winnuke
This command enables protection against WinNuke attacks. When the protection is enabled, TCP packets with the URG flag set and destination port 139 are blocked.
The use of a negative form (no) of the command disables WinNuke attack protection.
Syntax
[no] ip firewall screen dos-defense winnuke
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen dos-defense winnuke
ip firewall screen spy-blocking fin-no-ack
This command enables the blocking of TCP packets with the FIN flag set and the ACK flag not set.
The use of a negative form (no) of the command disables the blocking of TCP packets with the FIN flag set and the ACK flag not set.
Syntax
[no] ip firewall screen spy-blocking fin-no-ack
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking fin-no-ack
ip firewall screen spy-blocking icmp-type destination-unreachable
This command enables the blocking of all ICMP packets of type 3 (destination unreachable), including packets generated by the router itself.
The use of a negative form of the command (no) disables blocking of ICMP packets of type 3.
Syntax
[no] ip firewall screen spy-blocking icmp-type destination-unreachable
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking icmp-type destination-unreachable
ip firewall screen spy-blocking icmp-type echo-request
This command enables the blocking of all ICMP packets of type 8 (echo request), including packets generated by the router itself.
The use of a negative form of the command (no) disables blocking of ICMP packets of type 8.
Syntax
[no] ip firewall screen spy-blocking icmp-type echo-request
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking icmp-type echo-request
ip firewall screen spy-blocking icmp-type reserved
This command enables the blocking of all ICMP packets of types 2 and 7 (reserved), including packets generated by the router itself.
The use of a negative form of the command (no) disables blocking of ICMP packets of type 2 and 7.
Syntax
[no] ip firewall screen spy-blocking icmp-type reserved
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking icmp-type reserved
ip firewall screen spy-blocking icmp-type source-quench
This command enables the blocking of all ICMP packets of type 4 (source quench), including packets generated by the router itself.
The use of a negative form of the command (no) disables blocking of ICMP packets of type 4.
Syntax
[no] ip firewall screen spy-blocking icmp-type source-quench
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking icmp-type source-quench
ip firewall screen spy-blocking icmp-type time-exceeded
This command enables the blocking of all ICMP packets of type 11 (time exceeded), including packets generated by the router itself.
The use of a negative form of the command (no) disables blocking of ICMP packets of type 11.
Syntax
[no] ip firewall screen spy-blocking icmp-type time-exceeded
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking icmp-type time-exceeded
ip firewall screen spy-blocking ip-sweep
This command enables protection against IP sweep attacks. When the protection is enabled, if more than 10 ICMP requests from one source arrive within the specified interval, the first 10 requests are dropped by the router and the 11th and subsequent requests are discarded for the remainder of the interval.
The use of a negative form (no) of the command disables IP sweep protection.
Syntax
ip firewall screen spy-blocking ip-sweep <THRESHOLD> [ <TIME> ]
no ip firewall screen spy-blocking ip-sweep
Parameters
<THRESHOLD> – number of IP sweep packets per second, set in the range [1..10000].
<TIME> – blocking time in milliseconds [1..1000000].
Default value
Disabled.
If no blocking time is specified when the protection is enabled, the value is set to 10000.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking ip-sweep 1000
ip firewall screen spy-blocking port-scan
This command enables protection against port scan attacks. If more than 10 TCP packets with the SYN flag set arrive at several TCP ports, or more than 10 UDP packets arrive at several UDP ports, from one source within the first specified interval (<THRESHOLD>), this behaviour is recorded as a port scan attack and all subsequent packets of that type are blocked for the second specified interval (<TIME>).
The use of a negative form (no) of the command disables protection from port scan attacks.
Syntax
ip firewall screen spy-blocking port-scan <THRESHOLD> [ <TIME> ]
no ip firewall screen spy-blocking port-scan
Parameters
<THRESHOLD> – number of port scan packets per second, set in the range [1..10000].
<TIME> – blocking time in milliseconds [1..1000000].
Default value
Disabled.
If no blocking time is specified when the protection is enabled, the value is set to 10000.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking port-scan 100 1000
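The dos-defense per-second limits (icmp-threshold, udp-threshold, syn-flood with or without src-dst, limit-session-*) and the spy-blocking ip-sweep and port-scan screens described above share one shape: count packets per key inside a time window and drop once a threshold is exceeded, optionally followed by a blocking time. The Python model below is an added example, not the vendor's implementation; the one-second bucketing, the choice of keys and the sample timings are assumptions constructed for illustration.

```python
from collections import defaultdict

DEFAULT_BLOCK_MS = 10000   # value the page gives for <TIME> when it is omitted

class ThresholdScreen:
    """Model of a threshold screen (not the vendor's code). Packets are counted
    per key inside one-second buckets (an assumption of this model); once a
    bucket exceeds `threshold`, further packets for that key are dropped for the
    rest of the second and, when `block_ms` > 0, for `block_ms` more milliseconds.
    block_ms=0 models the dos-defense per-second limits; block_ms>0 models the
    spy-blocking ip-sweep / port-scan screens."""

    def __init__(self, threshold, block_ms=0):
        if not (1 <= threshold <= 10000 and 0 <= block_ms <= 1_000_000):
            raise ValueError("threshold 1..10000, block time 0..1000000 ms")
        self.threshold, self.block_ms = threshold, block_ms
        self.counts = defaultdict(int)  # (key, second) -> packets counted
        self.blocked_until = {}         # key -> ms at which an active block expires
        self.detections = []            # (ms, key): first drop per bucket, i.e. what logging reports

    def check(self, t_ms, key):
        """Verdict ('pass' or 'drop') for one packet seen at t_ms with the given key."""
        if t_ms < self.blocked_until.get(key, 0):
            return "drop"                          # still inside an earlier block
        bucket = (key, t_ms // 1000)
        self.counts[bucket] += 1
        if self.counts[bucket] > self.threshold:
            if self.counts[bucket] == self.threshold + 1:
                self.detections.append((t_ms, key))   # logged once per bucket
            if self.block_ms:
                self.blocked_until[key] = t_ms + self.block_ms
            return "drop"
        return "pass"

def icmp_threshold_demo():
    """`icmp-threshold 3` as a per-destination cap: the 4th and 5th ICMP packets
    in the same second are dropped; the counter starts afresh in the next second."""
    screen = ThresholdScreen(threshold=3)
    times = [0, 10, 20, 30, 40, 1000]   # constructed: ms of ICMP packets to one destination
    return [screen.check(t, "198.51.100.1") for t in times]

def ip_sweep_demo():
    """`ip-sweep 3 5000`: after the 4th echo request in a second the source stays
    blocked for 5 s (so the packet at 1200 ms is dropped too), then is counted afresh."""
    screen = ThresholdScreen(threshold=3, block_ms=5000)
    times = [0, 100, 200, 300, 400, 1200, 5400]  # constructed: ms of echo requests from one source
    return [screen.check(t, "192.0.2.10") for t in times]

def syn_flood_src_dst_demo():
    """`syn-flood 2 src-dst`: the key is the (source, destination) pair, so two
    clients talking to the same server each get their own SYN budget."""
    screen = ThresholdScreen(threshold=2)
    flows = [("192.0.2.1", "198.51.100.1")] * 3 + [("192.0.2.2", "198.51.100.1")] * 2
    return [screen.check(t, flow) for t, flow in enumerate(flows)]
```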
ip firewall screen spy-blocking spoofing
This command enables protection against IP spoofing attacks. When the protection is enabled, the router checks that the source address of each packet is consistent with the routing table and drops the packet on a mismatch. For example, if a packet with source address 10.0.0.1/24 arrives on interface Gi1/0/1 while the routing table reaches that subnet via interface Gi1/0/2, the source address is considered spoofed.
The use of a negative form (no) of the command disables IP spoofing protection.
Syntax
[no] ip firewall screen spy-blocking spoofing
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking spoofing
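The reverse-path check the spoofing screen performs, as an added Python example (not the device's code): the routing table and interface names are constructed to reproduce the page's scenario, and treating a source with no matching route as spoofed is this example's assumption.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). It reproduces the
# page's scenario, in which 10.0.0.0/24 is reached via Gi1/0/2.
ROUTES = [
    ("10.0.0.0/24", "Gi1/0/2"),
    ("192.168.1.0/24", "Gi1/0/1"),
    ("0.0.0.0/0", "Gi1/0/3"),        # default route towards the upstream
]

def route_for(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach
    src_ip, or None when no route covers it."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(src_ip, ingress_iface, routes=ROUTES):
    """The spoofing screen's decision: the packet is dropped when the interface
    it arrived on differs from the interface the routing table uses to reach its
    source address. Sources with no route are treated as spoofed (assumption)."""
    expected = route_for(src_ip, routes)
    return expected is None or expected != ingress_iface

if __name__ == "__main__":
    # The page's example: 10.0.0.1 arriving on Gi1/0/1 is a mismatch.
    for src, iface in [("10.0.0.1", "Gi1/0/1"), ("10.0.0.1", "Gi1/0/2"),
                       ("203.0.113.7", "Gi1/0/3"), ("192.168.1.5", "Gi1/0/3")]:
        print(f"{src:12s} on {iface}: {'drop (spoofed)' if is_spoofed(src, iface) else 'pass'}")
```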
ip firewall screen spy-blocking syn-fin
This command enables the blocking of TCP packets with both the SYN and FIN flags set.
The use of a negative form (no) of the command disables the blocking of TCP packets with both the SYN and FIN flags set.
Syntax
[no] ip firewall screen spy-blocking syn-fin
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking syn-fin
ip firewall screen spy-blocking tcp-all-flags
This command enables the blocking of TCP packets with all flags set or with the FIN, PSH and URG flags set, which provides protection against XMAS attacks.
The use of a negative form (no) of the command disables the blocking of TCP packets with all flags set or with the FIN, PSH and URG flags set.
Syntax
[no] ip firewall screen spy-blocking tcp-all-flag
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking tcp-all-flag
ip firewall screen spy-blocking tcp-no-flag
This command enables the blocking of TCP packets with no flags set (a zero flags field).
The use of a negative form (no) of the command disables the blocking of TCP packets with no flags set (a zero flags field).
Syntax
[no] ip firewall screen spy-blocking tcp-no-flag
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen spy-blocking tcp-no-flag
ip firewall screen suspicious-packets icmp-fragment
This command enables the blocking of fragmented ICMP packets.
The use of a negative form (no) of the command disables the blocking of fragmented ICMP packets.
Syntax
[no] ip firewall screen suspicious-packets icmp-fragment
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# ip firewall screen suspicious-packets icmp-fragment
ip firewall screen suspicious-packets ip-fragment
This command enables the blocking of fragmented IP packets.
The use of a negative form (no) of the command disables the blocking of fragmented IP packets.
Syntax
[no] ip firewall screen suspicious-packets ip-fragment
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen suspicious-packets ip-fragment
ip firewall screen suspicious-packets large-icmp
This command enables the blocking of ICMP packets larger than 1024 bytes.
The use of a negative form (no) of the command disables the blocking of ICMP packets larger than 1024 bytes.
Syntax
[no] ip firewall screen suspicious-packets large-icmp
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen suspicious-packets large-icmp
ip firewall screen suspicious-packets syn-fragment
This command enables the blocking of fragmented TCP packets with the SYN flag set.
The use of a negative form (no) of the command disables the blocking of fragmented TCP packets with the SYN flag set.
Syntax
[no] ip firewall screen suspicious-packets syn-fragment
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen suspicious-packets syn-fragment
ip firewall screen suspicious-packets udp-fragment
This command enables the blocking of fragmented UDP packets.
The use of a negative form (no) of the command disables blocking of fragmented UDP packets.
Syntax
[no] ip firewall screen suspicious-packets udp-fragment
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen suspicious-packets udp-fragment
ip firewall screen suspicious-packets unknown-protocols
This command enables the blocking of packets whose IP header protocol number is 137 or greater.
The use of a negative form (no) of the command disables the blocking of packets whose IP header protocol number is 137 or greater.
Syntax
[no] ip firewall screen suspicious-packets unknown-protocols
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall screen suspicious-packets unknown-protocols
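The land, winnuke, fin-no-ack, syn-fin, tcp-all-flags, tcp-no-flag and suspicious-packets screens above are all stateless: each looks only at the header of the packet in hand. The classifier below, an added Python example that is not the vendor's code, applies those rules to a constructed packet summary and returns the CLI names of the screens that would match; the `Packet` fields and the sample traffic are assumptions made for the example.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
XMAS = FIN | PSH | URG

@dataclass
class Packet:
    """Constructed packet summary: only the fields the screens look at."""
    proto: int                 # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    src: str
    dst: str
    length: int = 64           # total IP length in bytes
    fragmented: bool = False   # MF flag set or non-zero fragment offset
    tcp_flags: int = 0
    dport: int = 0

def stateless_screens(pkt: Packet) -> list:
    """Return the CLI names of the stateless screens the packet would trigger."""
    hits, tcp, f = [], pkt.proto == 6, pkt.tcp_flags
    # dos-defense screens that need no counters
    if tcp and pkt.src == pkt.dst and f & SYN:
        hits.append("dos-defense land")
    if tcp and f & URG and pkt.dport == 139:
        hits.append("dos-defense winnuke")
    # spy-blocking flag-combination screens (one packet may hit several)
    if tcp and f & FIN and not f & ACK:
        hits.append("spy-blocking fin-no-ack")
    if tcp and f & SYN and f & FIN:
        hits.append("spy-blocking syn-fin")
    if tcp and f in (ALL_FLAGS, XMAS):
        hits.append("spy-blocking tcp-all-flags")
    if tcp and f == 0:
        hits.append("spy-blocking tcp-no-flag")
    # suspicious-packets screens
    if pkt.fragmented:
        if pkt.proto == 1:
            hits.append("suspicious-packets icmp-fragment")
        elif pkt.proto == 17:
            hits.append("suspicious-packets udp-fragment")
        elif tcp and f & SYN:
            hits.append("suspicious-packets syn-fragment")
        hits.append("suspicious-packets ip-fragment")   # any fragment at all
    if pkt.proto == 1 and pkt.length > 1024:
        hits.append("suspicious-packets large-icmp")
    if pkt.proto >= 137:
        hits.append("suspicious-packets unknown-protocols")
    return hits

if __name__ == "__main__":
    samples = {   # constructed test traffic
        "land": Packet(6, "10.0.0.1", "10.0.0.1", tcp_flags=SYN, dport=80),
        "xmas": Packet(6, "10.0.0.2", "10.0.0.9", tcp_flags=XMAS, dport=22),
        "winnuke": Packet(6, "10.0.0.2", "10.0.0.9", tcp_flags=URG | ACK, dport=139),
        "icmp-frag": Packet(1, "10.0.0.2", "10.0.0.9", length=1500, fragmented=True),
        "normal-syn": Packet(6, "10.0.0.2", "10.0.0.9", tcp_flags=SYN, dport=443),
    }
    for name, pkt in samples.items():
        print(f"{name:11s} -> {stateless_screens(pkt) or ['pass']}")
```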
Management of network attacks notification
ip firewall logging interval
Set the frequency of notifications (via SNMP, syslog and the CLI) about detected and blocked network attacks. When an attack is detected, a message is logged immediately; if the attack continues, subsequent alerts about that attack are logged once per specified time interval.
The use of a negative form (no) of the command returns the timer to the default value.
Syntax
ip firewall logging interval <NUM>
no ip firewall logging interval
Parameters
<NUM> – time interval in seconds [30 .. 2147483647]
Default value
30
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# ip firewall logging interval 60
logging firewall screen detailed
This command enables detailed output of messages about detected network attacks in the CLI.
In addition to the name of the interface from which the packet came, the detailed output shows the source IP address and the destination IP address of the packet, as well as the MAC address of the source that sent the packet.
The use of a negative form (no) of the command disables detailed message output.
Syntax
[no] logging firewall screen detailed
Parameters
None.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# logging firewall screen detailed
logging firewall screen dos-defense
This command enables detection and logging (via CLI, syslog and SNMP) of DoS attacks. When the corresponding protection is also enabled, an alert is generated about the repelled DoS attacks.
The use of a negative form (no) of the command disables detection and logging of detected and repelled DoS attacks.
Syntax
[no] logging firewall screen dos-defense <ATTACK_TYPE>
Parameters
<ATTACK_TYPE> – DoS attack type, takes one of the following values:
- icmp-threshold;
- land;
- limit-session-destination;
- limit-session-source;
- syn-flood;
- udp-threshold;
- winnuke.
For a detailed description of DoS attacks, see Managing protection against network attacks.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# logging firewall screen dos-defense land
logging firewall screen spy-blocking
This command enables detection and logging (via CLI, syslog and SNMP) of spying activity. When the corresponding spy-blocking protection is also enabled, an alert is issued about the blocked spying activity.
The use of a negative form (no) of the command disables detection and logging of detected and blocked spying activity.
Syntax
[no] logging firewall screen spy-blocking { <ATTACK_TYPE> | icmp-type <ICMP_TYPE> }
Parameters
<ATTACK_TYPE> – spying activity type, takes one of the following values:
- fin-no-ack;
- ip-sweep;
- port-scan;
- spoofing;
- syn-fin;
- tcp-all-flag;
- tcp-no-flag.
<ICMP_TYPE> – ICMP type, takes one of the following values:
- destination-unreachable;
- echo-request;
- reserved;
- source-quench;
- time-exceeded.
For a detailed description of spying activity, see Managing protection against network attacks.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# logging firewall screen spy-blocking icmp-type echo-request
logging firewall screen suspicious-packets
This command enables detection and logging (via CLI, syslog and SNMP) of non-standard packets. When the corresponding protection against non-standard packets is also enabled, a notification is also issued when such packets are blocked.
The use of a negative form (no) of the command disables detection and logging of detected and blocked non-standard packets.
Syntax
[no] logging firewall screen suspicious-packets <PACKET_TYPE>
Parameters
<PACKET_TYPE> – non-standard packet type, takes one of the following values:
- icmp-fragment;
- ip-fragment;
- large-icmp;
- syn-fragment;
- udp-fragment;
- unknown-protocols.
For a detailed description of protection against non-standard packets, see Managing protection against network attacks.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# logging firewall screen suspicious-packets icmp-fragment
show ip firewall screens counters
This command allows you to view statistics on detected network attacks.
Syntax
show ip firewall screens counters
Parameters
The command does not contain parameters.
Required privilege level
10
Command mode
ROOT
Example
esr# show ip firewall screens counters
DDoS:
Destination limit screen: --
Source limit screen: --
ICMP threshold screen: 1
UDP threshold screen: --
SYN flood screen: 0
Land attack screen: 1
Winnuke attack screen: --
Suspicious packets:
ICMP fragmented screen: --
UDP fragmented screen: --
Large ICMP screen: 4
Fragmented SYN screen: --
Unknown protocol screen: --
Fragmented IP screen: --
Spying:
Port scanning screen: --
IP sweep secreen: --
SYN-FIN screen: --
TCP all flags screen: --
FIN no ACK screen: --
TCP no flags screen: --
Spoofing screen: --
ICMP types:
ICMP reserved screen: --
ICMP quench screen: --
ICMP echo request screen: --
ICMP time exceeded screen: --
ICMP unreachable screen: --
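A parser for the `show ip firewall screens counters` output shown above, added here as an example for a monitoring job and not part of the original manual: the sample text is constructed in the page's layout, and reading `--` as "screen not enabled, no counter" is an assumption, since the page does not define it.

```python
import re

# Constructed sample in the layout of `show ip firewall screens counters`.
SAMPLE = """\
DDoS:
Destination limit screen: --
Source limit screen: --
ICMP threshold screen: 1
UDP threshold screen: --
SYN flood screen: 0
Land attack screen: 1
Suspicious packets:
Large ICMP screen: 4
Fragmented IP screen: --
Spying:
Port scanning screen: --
ICMP types:
ICMP echo request screen: --
"""

# "<screen name> screen: <count or -->"
COUNTER_LINE = re.compile(r"^(?P<name>.+?) screen:\s*(?P<value>--|\d+)\s*$")

def parse_screen_counters(text):
    """Return {section: {screen_name: count}}, where count is None for '--'
    (assumed to mean the screen is not enabled and keeps no counter)."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " screen:" not in line:   # section header
            section = line[:-1]
            result[section] = {}
            continue
        m = COUNTER_LINE.match(line)
        if m is None or section is None:
            raise ValueError(f"unexpected line in counters output: {raw!r}")
        value = m.group("value")
        result[section][m.group("name")] = None if value == "--" else int(value)
    return result

def triggered_screens(counters):
    """Screens with a non-zero counter, i.e. those that actually matched traffic;
    these are the entries a monitoring job would alert on."""
    return sorted(
        (section, name, count)
        for section, screens in counters.items()
        for name, count in screens.items()
        if count)

if __name__ == "__main__":
    for section, name, count in triggered_screens(parse_screen_counters(SAMPLE)):
        print(f"{section}: {name} screen matched {count} packet(s)")
```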