Management of protection against network attacks

ip firewall screen dos-defense icmp-threshold

This command enables the protection against ICMP flood attacks. When the protection is enabled, the number of ICMP packets of all types per second sent to one destination address is limited.

The use of a negative form (no) of the command disables ICMP flood protection.

Syntax
ip firewall screen dos-defense icmp-threshold { <NUM> }
no ip firewall screen dos-defense icmp-threshold
Parameters

<NUM> – maximum number of ICMP packets per second, set in the range of [1..10000].

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense icmp-threshold 2000

ip firewall screen dos-defense land

This command enables the protection against land attacks. When the protection is enabled, the packets with the same source and destination IP addresses and with SYN flag in TCP header are blocked.

The use of a negative form (no) of the command disables land attacks protection.

Syntax
[no] ip firewall screen dos-defense land
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense land

ip firewall screen dos-defense limit-session-destination

When a host's IP session table overflows, the host is unable to establish new sessions and drops incoming requests (this happens during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command limits the number of packets per second forwarded to one destination address, which attenuates such attacks.

The use of a negative form (no) of the command removes the restriction.

Syntax
ip firewall screen dos-defense limit-session-destination { <NUM> }
no ip firewall screen dos-defense limit-session-destination
Parameters

<NUM> – maximum number of IP packets per second, set in the range of [1..10000].

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense limit-session-destination 1000

ip firewall screen dos-defense limit-session-source

When a host's IP session table overflows, the host is unable to establish new sessions and drops incoming requests (this happens during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command limits the number of packets per second accepted from one source address, which attenuates such attacks.

The use of a negative form (no) of the command removes the restriction.

Syntax
ip firewall screen dos-defense limit-session-source { <NUM> }
no ip firewall screen dos-defense limit-session-source
Parameters

<NUM> – maximum number of IP packets per second, set in the range of [1..10000].

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense limit-session-source 1000

ip firewall screen dos-defense syn-flood

This command enables the protection against SYN flood attacks. When the protection is enabled, the number of TCP packets with the SYN flag set per second sent to one destination address is limited.

The use of a negative form (no) of the command disables SYN flood protection.

Syntax
ip firewall screen dos-defense syn-flood { <NUM> } [src-dst]
no ip firewall screen dos-defense syn-flood
Parameters

<NUM> – maximum number of TCP packets with the SYN flag set per second, set in the range of [1..10000].

src-dst – apply the limit per source and destination address pair instead of per destination address only.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense syn-flood 100 src-dst

ip firewall screen dos-defense udp-threshold

This command enables the protection against UDP flood attacks. When the protection is enabled, the number of UDP packets per second sent to one destination address is limited.

The use of a negative form (no) of the command disables UDP flood protection.

Syntax
ip firewall screen dos-defense udp-threshold { <NUM> }
no ip firewall screen dos-defense udp-threshold
Parameters

<NUM> – maximum number of UDP packets per second, set in the range of [1..10000].

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense udp-threshold 1000
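The five rate-limiting screens above (icmp-threshold, limit-session-destination, limit-session-source, syn-flood with or without src-dst, udp-threshold) share one mechanism: a per-second counter keyed by address, with packets above <NUM> dropped until the next second starts. The Python model below is an added example and not code from the ESR firmware or from this manual; the one-second window, the reset of the counters at every new second and the mapping of commands to key modes are assumptions made to illustrate the behaviour, and the flood traffic is constructed.

```python
from collections import defaultdict


class ThresholdScreen:
    """Per-second packet limit keyed the way the ESR dos-defense screens are.

    key_mode (assumed mapping of CLI commands to keys):
      "dst"     - icmp-threshold, udp-threshold, syn-flood,
                  limit-session-destination
      "src"     - limit-session-source
      "src-dst" - syn-flood <NUM> src-dst
    """

    def __init__(self, limit: int, key_mode: str = "dst"):
        if not 1 <= limit <= 10000:            # same range the CLI accepts
            raise ValueError("limit must be in [1..10000]")
        if key_mode not in ("dst", "src", "src-dst"):
            raise ValueError("key_mode must be dst, src or src-dst")
        self.limit = limit
        self.key_mode = key_mode
        self._window = None                    # integer second being counted
        self._counts = defaultdict(int)        # key -> packets seen this second
        self.passed = 0
        self.dropped = 0

    def _key(self, src: str, dst: str):
        if self.key_mode == "dst":
            return dst
        if self.key_mode == "src":
            return src
        return (src, dst)

    def accept(self, ts: float, src: str, dst: str) -> bool:
        """Return True if the packet is forwarded, False if the screen drops it."""
        window = int(ts)
        if window != self._window:             # new second: all counters restart
            self._window = window
            self._counts.clear()
        key = self._key(src, dst)
        self._counts[key] += 1
        if self._counts[key] > self.limit:
            self.dropped += 1
            return False
        self.passed += 1
        return True


def simulate_syn_flood(limit: int, key_mode: str, sources, pkts_per_source: int):
    """Constructed flood: every source sends pkts_per_source SYNs to one
    server inside a single second. Returns (passed, dropped)."""
    screen = ThresholdScreen(limit, key_mode)
    total = len(sources) * pkts_per_source
    i = 0
    for src in sources:
        for _ in range(pkts_per_source):
            screen.accept(i / total, src, "203.0.113.10")   # all inside second 0
            i += 1
    return screen.passed, screen.dropped


if __name__ == "__main__":
    attackers = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    # syn-flood 100: the limit is per destination, so 3 x 50 SYNs -> 50 dropped
    print("per-destination:", simulate_syn_flood(100, "dst", attackers, 50))
    # syn-flood 100 src-dst: every (source, destination) pair has its own
    # budget, so the same traffic passes in full
    print("src-dst:", simulate_syn_flood(100, "src-dst", attackers, 50))
```

The two runs in the usage block show why the src-dst keyword matters: with a per-destination key a distributed flood shares one budget of 100 packets per second and legitimate clients of that server compete with the attackers for it, while with the src-dst key a single noisy source is capped without affecting the others.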

ip firewall screen dos-defense winnuke

This command enables the protection against WinNuke attacks. When the protection is enabled, TCP packets with the URG flag set and destination port 139 are blocked.

The use of a negative form (no) of the command disables winnuke attacks protection.

Syntax
[no] ip firewall screen dos-defense winnuke
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen dos-defense winnuke

ip firewall screen spy-blocking fin-no-ack

This command enables the blocking of TCP packets with the FIN flag set and the ACK flag not set.

The use of a negative form (no) of the command disables the blocking of TCP packets with the FIN flag set and the ACK flag not set.

Syntax
[no] ip firewall screen spy-blocking fin-no-ack
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking fin-no-ack

ip firewall screen spy-blocking icmp-type destination-unreachable

This command enables the blocking of all ICMP packets of type 3 (destination unreachable), including the packets generated by the router itself.

The use of a negative form of the command (no) disables blocking of ICMP packets of type 3.

Syntax
[no] ip firewall screen spy-blocking icmp-type destination-unreachable
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking icmp-type destination-unreachable

ip firewall screen spy-blocking icmp-type echo-request

This command enables the blocking of all ICMP packets of type 8 (echo request), including the packets generated by the router itself.

The use of a negative form of the command (no) disables blocking of ICMP packets of type 8.

Syntax
[no] ip firewall screen spy-blocking icmp-type echo-request
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking icmp-type echo-request

ip firewall screen spy-blocking icmp-type reserved

This command enables the blocking of all ICMP packets of types 2 and 7 (reserved), including the packets generated by the router itself.

The use of a negative form of the command (no) disables blocking of ICMP packets of type 2 and 7.

Syntax
[no] ip firewall screen spy-blocking icmp-type reserved
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking icmp-type reserved

ip firewall screen spy-blocking icmp-type source-quench

This command enables the blocking of all ICMP packets of type 4 (source quench), including the packets generated by the router itself.

The use of a negative form of the command (no) disables blocking of ICMP packets of type 4.

Syntax
[no] ip firewall screen spy-blocking icmp-type source-quench
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking icmp-type source-quench

ip firewall screen spy-blocking icmp-type time-exceeded

This command enables the blocking of all ICMP packets of type 11 (time exceeded), including the packets generated by the router itself.

The use of a negative form of the command (no) disables blocking of ICMP packets of type 11.

Syntax
[no] ip firewall screen spy-blocking icmp-type time-exceeded
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking icmp-type time-exceeded

ip firewall screen spy-blocking ip-sweep

This command enables the protection against IP sweep attacks. When the protection is enabled, if more than 10 ICMP requests from one source arrive within the specified interval, the router passes the first 10 requests and discards the 11th and all following ones for the remainder of the interval.

The use of a negative form (no) of the command disables ip-sweep protection.

Syntax
ip firewall screen spy-blocking ip-sweep <THRESHOLD> [ <TIME> ]
no ip firewall screen spy-blocking ip-sweep
Parameters

<THRESHOLD> – number of IP sweep attack packets per second, set in the range [1..10000].

<TIME> – blocking time in milliseconds [1..1000000].

Default value

Disabled.

Without specifying a blocking time when turning on, the value is set to 10000.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking ip-sweep 1000

ip firewall screen spy-blocking port-scan

This command enables the protection against port scan attacks. If more than 10 TCP packets with the SYN flag set arrive at several TCP ports, or more than 10 UDP packets arrive at several UDP ports, from one source within the first specified parameter (<THRESHOLD>), this behaviour is recorded as a port scan attack and all following packets of that type from the source are blocked for the second specified parameter, the blocking time (<TIME>).

The use of a negative form (no) of the command disables protection from port scan attacks.

Syntax
ip firewall screen spy-blocking port-scan <THRESHOLD> [ <TIME> ]
no ip firewall screen spy-blocking port-scan
Parameters

<THRESHOLD> – number of port scan attack packets per second, set in the range [1..10000].

<TIME> – blocking time in milliseconds [1..1000000].

Default value

Disabled.

Without specifying a blocking time when turning on, the value is set to 10000.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking port-scan 100 1000

ip firewall screen spy-blocking spoofing

This command enables the protection against IP spoofing attacks. When the protection is enabled, the router checks the source address of each packet against the routing table, and if the packet arrived on an interface other than the one through which its source address is routed, the packet is dropped. For example, if a packet with source address 10.0.0.1/24 arrives on the Gi1/0/1 interface while the routing table reaches that subnet through the Gi1/0/2 interface, the source address is considered spoofed.

The use of a negative form (no) of the command disables ip spoofing protection.

Syntax
[no] ip firewall screen spy-blocking spoofing
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking spoofing
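The check described above is a reverse-path lookup: the source address is resolved in the routing table with a longest-prefix match and the packet is dropped when the resulting egress interface differs from the interface it arrived on. The example below is added here and is not the ESR code; the routing table, interface names and addresses are constructed, and the page's own example (source 10.0.0.1 arriving on Gi1/0/1 while 10.0.0.0/24 is routed via Gi1/0/2) is the first case it evaluates.

```python
import ipaddress

# Constructed routing table for the example: (prefix, egress interface).
ROUTING_TABLE = [
    (ipaddress.ip_network("10.0.0.0/24"), "gi1/0/2"),
    (ipaddress.ip_network("192.168.1.0/24"), "gi1/0/1"),
    (ipaddress.ip_network("10.0.0.128/25"), "gi1/0/4"),   # more specific than /24
]


def route_lookup(address: str, table=ROUTING_TABLE):
    """Longest-prefix match: egress interface for address, or None if unrouted."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def spoofing_screen(src: str, ingress: str, table=ROUTING_TABLE) -> str:
    """'pass' if the source address is routed back through the ingress
    interface, 'drop' otherwise (the reverse-path check the page describes).
    An unrouted source also fails the check, because no interface matches."""
    return "pass" if route_lookup(src, table) == ingress else "drop"


def evaluate(samples, table=ROUTING_TABLE):
    """Run the screen over constructed (src, ingress) pairs."""
    return {(src, ingress): spoofing_screen(src, ingress, table) for src, ingress in samples}


if __name__ == "__main__":
    cases = [
        ("10.0.0.1", "gi1/0/1"),      # the page's example: spoofed
        ("10.0.0.1", "gi1/0/2"),      # same address on its proper interface
        ("10.0.0.200", "gi1/0/4"),    # covered by the more specific /25
        ("10.0.0.200", "gi1/0/2"),    # /24 interface is not the best match
        ("172.16.0.1", "gi1/0/1"),    # no route at all
    ]
    for key, verdict in evaluate(cases).items():
        print(key, "->", verdict)
```

One operational caveat follows directly from the lookup: if the table contains a default route, every otherwise unknown source resolves to the default route's interface, so the screen only rejects sources for which a more specific route points elsewhere. Asymmetric routing (a prefix reachable through one interface but legitimately arriving through another) is indistinguishable from spoofing to this check and must be handled before the screen is enabled.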

ip firewall screen spy-blocking syn-fin

This command enables the blocking of TCP packets, with the SYN and FIN flags set.

The use of a negative form (no) of the command disables the blocking of TCP packets, with the SYN and FIN flags set.

Syntax
[no] ip firewall screen spy-blocking syn-fin
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking syn-fin

ip firewall screen spy-blocking tcp-all-flags

This command enables the blocking of TCP packets with all flags set or with the FIN, PSH and URG flags set together. This provides protection against XMAS scans.

The use of a negative form (no) of the command disables the blocking of TCP packets with all flags set or with the FIN, PSH and URG flags set together.

Syntax
[no] ip firewall screen spy-blocking tcp-all-flag
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking tcp-all-flag

ip firewall screen spy-blocking tcp-no-flag

This command enables the blocking of TCP packets whose flags field is zero (no flags set).

The use of a negative form (no) of the command disables the blocking of TCP packets whose flags field is zero.

Syntax
[no] ip firewall screen spy-blocking tcp-no-flag
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen spy-blocking tcp-no-flag

ip firewall screen suspicious-packets icmp-fragment

This command enables the blocking of fragmented ICMP packets.

The use of a negative form (no) of the command disables the blocking of fragmented ICMP packets.

Syntax
[no] ip firewall screen suspicious-packets icmp-fragment
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# ip firewall screen suspicious-packets icmp-fragment

ip firewall screen suspicious-packets ip-fragment

This command enables the blocking of fragmented IP packets.

The use of a negative form (no) of the command disables the blocking of fragmented IP packets.

Syntax
[no] ip firewall screen suspicious-packets ip-fragment
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen suspicious-packets ip-fragment

ip firewall screen suspicious-packets large-icmp

This command enables the blocking of ICMP packets larger than 1024 bytes.

The use of a negative form (no) of the command disables the blocking of ICMP packets larger than 1024 bytes.

Syntax
[no] ip firewall screen suspicious-packets large-icmp
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen suspicious-packets large-icmp

ip firewall screen suspicious-packets syn-fragment

This command enables the blocking of fragmented TCP packets with the SYN flag set.

The use of a negative form (no) of the command disables the blocking of fragmented TCP packets with the SYN flag set.

Syntax
[no] ip firewall screen suspicious-packets syn-fragment
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen suspicious-packets syn-fragment

ip firewall screen suspicious-packets udp-fragment

This command enables the blocking of fragmented UDP packets.

The use of a negative form (no) of the command disables blocking of fragmented UDP packets.

Syntax
[no] ip firewall screen suspicious-packets udp-fragment
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen suspicious-packets udp-fragment

ip firewall screen suspicious-packets unknown-protocols

This command enables the blocking of packets whose protocol number in the IP header is 137 or greater.

The use of a negative form (no) of the command disables the blocking of packets whose protocol number in the IP header is 137 or greater.

Syntax
[no] ip firewall screen suspicious-packets unknown-protocols
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall screen suspicious-packets unknown-protocols
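The six suspicious-packets screens are decided from the IPv4 header alone, plus the first bytes of the transport header for syn-fragment: the fragment flags and offset, the protocol number and the packet length. The parser below is an added example, not ESR code; it reads those fields from raw packet bytes with `struct`, builds its own constructed packets (checksum left at zero), and makes two assumptions that the page leaves open: "ICMP packets larger than 1024 bytes" is taken to mean the ICMP message carried after the IP header, and syn-fragment is evaluated only on the first fragment, since only that fragment carries the TCP flags.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags+offset, TTL, proto, checksum, src, dst
MF_FLAG = 0x2000             # "more fragments" bit of the flags/fragment-offset field
OFFSET_MASK = 0x1FFF
TCP_SYN = 0x02
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_ipv4(proto: int, payload: bytes, mf: bool = False, offset: int = 0) -> bytes:
    """Constructed IPv4 packet for the example (no options, checksum zero)."""
    flags_frag = (MF_FLAG if mf else 0) | (offset & OFFSET_MASK)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 1, flags_frag, 64, proto, 0,
                         bytes([198, 51, 100, 9]), bytes([203, 0, 113, 10]))
    return header + payload


def suspicious_screens(pkt: bytes) -> list:
    """Return the CLI names of the suspicious-packets screens this packet trips."""
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        return []                               # not IPv4: outside this example
    ihl = (ver_ihl & 0x0F) * 4
    payload = pkt[ihl:]
    offset = flags_frag & OFFSET_MASK
    fragmented = bool(flags_frag & MF_FLAG) or offset > 0
    hits = []
    if fragmented:
        hits.append("ip-fragment")
        if proto == PROTO_ICMP:
            hits.append("icmp-fragment")
        if proto == PROTO_UDP:
            hits.append("udp-fragment")
        # Assumption: only the first fragment carries the TCP header, so the
        # SYN flag (byte 13 of the TCP header) can only be checked there.
        if proto == PROTO_TCP and offset == 0 and len(payload) >= 14 and payload[13] & TCP_SYN:
            hits.append("syn-fragment")
    if proto == PROTO_ICMP and len(payload) > 1024:   # assumption: ICMP message length
        hits.append("large-icmp")
    if proto >= 137:
        hits.append("unknown-protocols")
    return hits


def classify_samples() -> dict:
    """Constructed packets covering every screen, mapped to their verdicts."""
    tcp_syn_hdr = bytes(13) + bytes([TCP_SYN]) + bytes(6)      # 20-byte TCP header, SYN set
    samples = {
        "icmp echo 64B":      build_ipv4(PROTO_ICMP, b"\x08\x00" + bytes(62)),
        "icmp echo 1100B":    build_ipv4(PROTO_ICMP, b"\x08\x00" + bytes(1098)),
        "icmp fragment":      build_ipv4(PROTO_ICMP, bytes(32), offset=185),
        "udp first fragment": build_ipv4(PROTO_UDP, bytes(8) + b"A" * 100, mf=True),
        "tcp syn fragment":   build_ipv4(PROTO_TCP, tcp_syn_hdr, mf=True),
        "tcp later fragment": build_ipv4(PROTO_TCP, b"B" * 64, offset=100),
        "proto 200":          build_ipv4(200, bytes(16)),
        "proto 136":          build_ipv4(136, bytes(16)),
    }
    return {name: suspicious_screens(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in classify_samples().items():
        print(f"{name:19s} -> {hits or ['-']}")
```

The fragment screens are deliberately coarse: ip-fragment matches every fragment of every protocol, so enabling it on a network that carries legitimate fragmented traffic (large UDP datagrams, some VPN encapsulations) will drop that traffic as well; the per-protocol screens (icmp-fragment, udp-fragment, syn-fragment) are the narrower choice when only one class of fragments is unwanted.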

Management of network attacks notification

ip firewall logging interval

This command sets the frequency of notifications (via SNMP, syslog and in the CLI) about detected and blocked network attacks. When an attack is detected, a message is logged immediately; while the attack continues, further alerts about that particular attack are logged only once per specified time interval.

The use of a negative form (no) of the command returns the timer to the default value.

Syntax
ip firewall logging interval <NUM>
no ip firewall logging interval
Parameters

<NUM> – time interval in seconds [30..2147483647].

Default value

30

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall logging interval 60
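The interval is a suppression timer per attack, not a sampling rate: the first detection is always reported, and repeats are reported again only after <NUM> seconds have elapsed since the last report for that attack. The model below is an added example and not ESR code; it assumes that an "attack" is identified by the screen name and the source address, and it additionally counts how many detections were suppressed between two messages, which is useful when the messages are forwarded to a SIEM. The detection timeline is constructed.

```python
class AttackNotifier:
    """Model of `ip firewall logging interval <NUM>`."""

    def __init__(self, interval: int = 30):
        if not 30 <= interval <= 2147483647:          # CLI range of <NUM>
            raise ValueError("interval must be in [30..2147483647] seconds")
        self.interval = interval
        self._last_report = {}    # (screen, src) -> time of the last message
        self._suppressed = {}     # (screen, src) -> detections not reported yet
        self.messages = []        # (ts, screen, src, suppressed_since_last)

    def detect(self, ts: float, screen: str, src: str) -> bool:
        """Record one detection; return True if a message is emitted now."""
        key = (screen, src)           # assumption: attack identity = screen + source
        last = self._last_report.get(key)
        if last is not None and ts - last < self.interval:
            self._suppressed[key] = self._suppressed.get(key, 0) + 1
            return False
        self.messages.append((ts, screen, src, self._suppressed.pop(key, 0)))
        self._last_report[key] = ts
        return True


def replay(interval: int = 60):
    """Constructed timeline: a SYN flood from one source keeps triggering the
    syn-flood screen; a land packet from another source appears once."""
    notifier = AttackNotifier(interval)
    timeline = [
        (0,   "syn-flood", "198.51.100.1"),
        (5,   "land",      "198.51.100.2"),
        (10,  "syn-flood", "198.51.100.1"),
        (59,  "syn-flood", "198.51.100.1"),
        (60,  "syn-flood", "198.51.100.1"),
        (130, "syn-flood", "198.51.100.1"),
    ]
    emitted = [notifier.detect(ts, screen, src) for ts, screen, src in timeline]
    return emitted, notifier.messages


if __name__ == "__main__":
    emitted, messages = replay(60)
    print(emitted)     # [True, True, False, False, True, True]
    for msg in messages:
        print(msg)     # the 4th field counts detections suppressed before the message
```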

logging firewall screen detailed

This command enables detailed output of messages about detected network attacks in the CLI.

In addition to the name of the interface from which the packet came, the detailed output shows the source IP address and the destination IP address of the packet, as well as the MAC address of the source that sent the packet.

The use of a negative form (no) of the command disables detailed message output.

Syntax
[no] logging firewall screen detailed
Parameters

None.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# logging firewall screen detailed

logging firewall screen dos-defense

This command enables the detection of DoS attacks and their logging via CLI, syslog and SNMP. When the corresponding protection is also enabled, an alert is generated for every DoS attack that was repelled.

The use of a negative form (no) of the command disables the detection and logging of detected and repelled DoS attacks.

Syntax
[no] logging firewall screen dos-defense <ATTACK_TYPE>
Parameters

<ATTACK_TYPE> – DoS attack type, takes the following values:

  • icmp-threshold;
  • land;
  • limit-session-destination;
  • limit-session-source;
  • syn-flood;
  • udp-threshold;
  • winnuke.

For a detailed description of DoS attacks, see Managing protection against network attacks.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# logging firewall screen dos-defense land

logging firewall screen spy-blocking

This command enables the detection of spy activity (reconnaissance) and its logging via CLI, syslog and SNMP. When the corresponding spy-blocking protection is also enabled, an alert is generated for every blocked spy activity.

The use of a negative form (no) of the command disables the detection and logging of detected and blocked spy activity.

Syntax
[no] logging firewall screen spy-blocking { <ATTACK_TYPE> | icmp-type <ICMP_TYPE> }
Parameters

<ATTACK_TYPE> – spy activity type, takes the following values:

  • fin-no-ack;
  • ip-sweep;
  • port-scan;
  • spoofing;
  • syn-fin;
  • tcp-all-flag;
  • tcp-no-flag.

<ICMP_TYPE> – ICMP type, takes the following values:

  • destination-unreachable;
  • echo-request;
  • reserved;
  • source-quench;
  • time-exceeded.

For a detailed description of spy activities, see Managing protection against network attacks.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# logging firewall screen spy-blocking icmp-type echo-request

logging firewall screen suspicious-packets

This command enables the detection of non-standard packets and their logging via CLI, syslog and SNMP. When the corresponding suspicious-packets protection is also enabled, a notification is generated for every non-standard packet that was blocked.

The use of a negative form (no) of the command disables the detection and logging of detected and blocked non-standard packets.

Syntax
[no] logging firewall screen suspicious-packets <PACKET_TYPE>
Parameters

<PACKET_TYPE> – non-standard packet type, takes the following values:

  • icmp-fragment;
  • ip-fragment;
  • large-icmp;
  • syn-fragment;
  • udp-fragment;
  • unknown-protocols.

For a detailed description of protection against non-standard packets, see Managing protection against network attacks.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# logging firewall screen suspicious-packets icmp-fragment

show ip firewall screens counters

This command displays per-screen counters of detected network attacks; a counter shows "--" for a screen that is not enabled.

Syntax
show ip firewall screens counters
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example
esr# show ip firewall screens counters 
DDoS:
    Destination limit screen:  --
    Source limit screen:       --
    ICMP threshold screen:     1
    UDP threshold screen:      --
    SYN flood screen:          0
    Land attack screen:        1
    Winnuke attack screen:     --
Suspicious packets:
    ICMP fragmented screen:    --
    UDP fragmented screen:     --
    Large ICMP screen:         4
    Fragmented SYN screen:     --
    Unknown protocol screen:   --
    Fragmented IP screen:      --
Spying:
    Port scanning screen:      --
    IP sweep secreen:          --
    SYN-FIN screen:            --
    TCP all flags screen:      --
    FIN no ACK screen:         --
    TCP no flags screen:       --
    Spoofing screen:           --
ICMP types:
    ICMP reserved screen:      --
    ICMP quench screen:        --
    ICMP echo request screen:  --
    ICMP time exceeded screen: --
    ICMP unreachable screen:   -- 