Configuring a rule for ip-option attack types – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual
ServerIron ADX Security Guide
53-1002440-03
DDoS protection
Configuring a rule for ip-option attack types
ServerIron ADX has a set of built-in rules to manage ip-option attack types. In this case, the rule command is used with a
The following example configures the "filter2" security filter with a rule to drop packets that are associated with an ip-option record-route attack.
ServerIronADX(config)# security filter filter2
ServerIronADX(config-sec-filter2)# rule ip-option record-route drop
Syntax: [no] rule ip-option
The
The log parameter directs the ServerIron ADX to log traffic on the bound interface that matches the rule specified by the configured function.
The drop parameter directs the ServerIron ADX to drop traffic on the bound interface that matches the rule specified by the configured function.
TABLE 14  ip-option attack types and descriptions

Attack Type: ip-option record-route
Description: The record-route option records the path of the packet, which an attacker can analyze to learn details about a network's addressing scheme and topology.
Use ip-option record-route to drop packets with IP option 7 (record route) set.

Attack Type: ip-option strict-source-route
Description: The strict-source option provides a means for the source of a packet to supply routing information to the gateways forwarding the packet to the destination, and to record the route information. With this option, an attacker can gain knowledge of the network's addressing scheme.
Use ip-option strict-source-route to drop packets having IP option 9 (strict source routing).

Attack Type: ip-option loose-source-route
Description: The loose-source option provides a means for the source of the packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option differs from strict source routing because the gateway or host is allowed to use any route through any number of other intermediate gateways to reach the next address in the route. With this option, an attacker can gain knowledge of the network's addressing scheme.
Use ip-option loose-source-route to drop packets that have IP option 3 (loose source routing).

Attack Type: ip-option timestamp
Description: Use ip-option timestamp to drop packets whose IP option list includes option 4 (Internet timestamp).

Attack Type: ip-option stream-id
Description: The stream-ID option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept.
Use ip-option stream-id to drop packets where the IP option is 8 (stream ID).
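As an added illustration, not taken from the Brocade manual or the ServerIron ADX software, the following Python walks an IPv4 header's options field and reports which of the option numbers listed in TABLE 14 are present; this is the check a rule such as "rule ip-option record-route drop" performs on each packet. The packet bytes and the helper names (ipv4_option_numbers, matching_attack_types, build_ipv4_header) are constructed for this example.

```python
import struct

# Option numbers from TABLE 14 (low 5 bits of the option-type octet, RFC 791).
IP_OPTION_ATTACK_TYPES = {7: "record-route", 9: "strict-source-route",
                          3: "loose-source-route", 4: "timestamp", 8: "stream-id"}

def ipv4_option_numbers(packet: bytes) -> list[int]:
    """Walk the IPv4 options field and return the option numbers it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # header length in octets
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    options, found, i = packet[20:ihl], [], 0
    while i < len(options):
        number = options[i] & 0x1F          # mask off the copied and class bits
        if number == 0:                     # End of Option List (also padding)
            break
        if number == 1:                     # No Operation: a single octet
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found.append(number)
        i += length
    return found

def matching_attack_types(packet: bytes) -> list[str]:
    """Names from TABLE 14 that a 'rule ip-option <type> drop' would match on."""
    return [IP_OPTION_ATTACK_TYPES[n] for n in ipv4_option_numbers(packet)
            if n in IP_OPTION_ATTACK_TYPES]

def build_ipv4_header(options: bytes) -> bytes:
    """Constructed test header (checksum left zero); pads options to 4 octets."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options

# Constructed packet carrying a record-route option (number 7, length 39),
# the kind of packet the "filter2" rule above drops.
RECORD_ROUTE = build_ipv4_header(bytes([7, 39, 4]) + b"\x00" * 36)
```

Running matching_attack_types over captured headers gives a quick way to confirm, from a packet capture, which TABLE 14 types a bound interface is actually seeing before or after the rule is applied.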