Configuring a rule for ip-option attack types – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide, 53-1003250-01, page 89
DDoS protection (chapter 5)

Configuring a rule for ip-option attack types

Brocade Virtual ADX has a set of built-in rules to manage ip-option attack types. In this case, the
rule command is used with an ip-option-attack variable specified in Table 11.

The following example configures the "filter2" security filter with a rule to drop packets that are
associated with an ip-option record-route attack.

Virtual ADX(config)#security filter filter2

Virtual ADX(config-sec-filter2)#rule ip-option record-route drop

Syntax: [no] rule ip-option ip-option-attack [log | no-log] [drop | no-drop]

The ip-option-attack variable is specified as one of the options described in Table 11.

TABLE 10    Rules for common attack types and descriptions (Continued)

Attack Type: address-sweep dest-ip hold-down-interval
Description: Attacker scans the network for information behind the Brocade Virtual ADX,
uncovering an address to target. For example, sending ping requests to 10.1.1.1 through 100.
A reply from any device indicates a server exists.
Use address-sweep dest-ip hold-down-interval to log the number of different addresses being
accessed from one remote source. If the same client sends requests to different IP addresses,
the Brocade Virtual ADX keeps track of the number of IP addresses the client is trying to
access. If the number exceeds the configured dest-ip limit within a 5-second timer, all packets
from that client are dropped (reset) for the specified hold-down-interval. The timer is internal
to the Brocade Virtual ADX; it does not start when the client accesses the first IP address.
For example, consider the command address-sweep 2 8. A client can access only a maximum of two
IP addresses. As soon as it accesses a third IP within a 5-second interval, the Brocade Virtual
ADX holds the client down for 8 minutes. Accessing two IP addresses within 5 seconds is
permissible in this example.
Use security net-scan-mon-interval seconds to change the timer default (5 seconds).

Attack Type: port-scan dest-ip-or-port-pair hold-down-interval
Description: Attacker sends traffic using the same source IP to different ports on the same
destination IP, with the intent of identifying a service to target.
The Brocade Virtual ADX tracks the number of IP destination and port pairs. For example, if a
client accessed IP 1 and port 0, that counts as one dest-ip-or-port-pair.
Use port-scan to internally log the number of different ports scanned from one source. If the
number exceeds the configured dest-ip-or-port-pair value (for example, 10 ports in 5 seconds),
the Brocade Virtual ADX flags it as an attack and rejects all traffic from that source for the
hold-down-interval.
The default internal timer value is 5 seconds. Use security net-scan-mon-interval seconds to
change the timer default.

Attack Type: xmas-tree
Description: An Xmas tree attack is detected when a packet with the URG, PSH, and FIN flags set
is detected.

Attack Type: icmp-type
Description: Different types and subtypes of ICMP can be used to attack or to gain knowledge
about the host or network, which would then be used for an attack. For example, ICMP timestamp
(type 13) elicits a timestamp reply from Unix systems, but Microsoft Windows does not reply. A
hacker can then attack known vulnerabilities of the system.
Use icmp-type to configure an ICMP software rule to drop specific ICMP types and subtypes.
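The following simulation of the address-sweep and port-scan thresholds from Table 10 is an added example, not Brocade code, written to check what "address-sweep 2 8" (and a hypothetical "port-scan 3 1") does to constructed traffic. It assumes the internal 5-second timer runs as fixed windows aligned to the device clock (as the table says, the window is not started by the client's first access) and that the hold-down is expressed in minutes.

```python
from collections import defaultdict

MON_INTERVAL = 5  # default of "security net-scan-mon-interval", in seconds


class NetScanMonitor:
    """Per-source counter of distinct targets per monitor interval, with hold-down."""

    def __init__(self, limit, hold_down_minutes, mon_interval=MON_INTERVAL, pairs=False):
        self.limit = limit                 # dest-ip (address-sweep) or dest-ip-or-port-pair (port-scan)
        self.hold_down = hold_down_minutes * 60
        self.interval = mon_interval
        self.pairs = pairs                 # True: count (dst_ip, dst_port) pairs instead of dst_ip alone
        self.seen = defaultdict(set)       # (src, window) -> distinct targets seen in that window
        self.held_until = {}               # src -> time (seconds) at which its hold-down expires

    def observe(self, ts, src, dst_ip, dst_port=0):
        """Return 'drop' if the packet is rejected, 'forward' otherwise."""
        if self.held_until.get(src, -1) > ts:
            return "drop"                  # still inside the hold-down interval
        # Assumption: the internal timer runs as fixed windows aligned to the
        # device clock, so a window is not started by the client's first access.
        window = int(ts // self.interval)
        targets = self.seen[(src, window)]
        targets.add((dst_ip, dst_port) if self.pairs else dst_ip)
        if len(targets) > self.limit:      # the (limit+1)-th distinct target trips the rule
            self.held_until[src] = ts + self.hold_down
            return "drop"
        return "forward"


def address_sweep_demo():
    """'address-sweep 2 8': at most two destination IPs per 5-second interval, 8-minute hold-down."""
    mon = NetScanMonitor(limit=2, hold_down_minutes=8)
    # Constructed traffic: one source pinging 10.1.1.1, 10.1.1.2, ... inside one window.
    packets = [(0.0, "10.0.0.9", "10.1.1.1"), (1.0, "10.0.0.9", "10.1.1.2"),
               (2.0, "10.0.0.9", "10.1.1.3"),   # third IP in 5 s -> held down until t=482
               (3.0, "10.0.0.9", "10.1.1.4"),
               (7.0, "10.0.0.9", "10.1.1.5"),   # new window, but hold-down still active
               (483.0, "10.0.0.9", "10.1.1.6")] # hold-down expired, counting starts over
    return [mon.observe(ts, src, dst) for ts, src, dst in packets]


def port_scan_demo():
    """Hypothetical 'port-scan 3 1': more than three IP/port pairs in 5 s -> 1-minute hold-down."""
    mon = NetScanMonitor(limit=3, hold_down_minutes=1, pairs=True)
    packets = [(10.0, "10.0.0.9", "10.1.1.1", 22), (10.5, "10.0.0.9", "10.1.1.1", 80),
               (11.0, "10.0.0.9", "10.1.1.1", 80),    # repeat of an existing pair, not counted again
               (11.5, "10.0.0.9", "10.1.1.1", 443), (12.0, "10.0.0.9", "10.1.1.1", 8080)]
    return [mon.observe(ts, src, ip, port) for ts, src, ip, port in packets]
```

The demos return one verdict per packet, which makes it easy to see that the third address (or fourth IP/port pair) within a window is the first packet dropped and that counting restarts only after the hold-down has expired.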