netscreen attack defense (SCREEN) command introduction
A brief introduction to the SCREEN configuration commands. They decide whether an attack is in progress mainly by checking protocol validity and the regularity of network access behaviour (behaviour analysis). Remember not to tick the first option on the web page, "log without drop":

• alarm-without-drop Generates an alarm when detecting an attack, but does not block the attack. This option is useful if you allow the attack to enter a segment of your network that you have previously prepared to receive it, such as a honeynet, which is essentially a decoy network with extensive monitoring capabilities. An alarm record is produced when an attack is detected, but packet forwarding is not blocked. Enabling this consumes some device resources; how much depends on traffic volume and attack type. It is mainly used for traffic identification, baselining of network applications, and testing; remove it once application and security deployment testing is complete.
• block-frag Enables IP packet fragmentation blocking. Blocks forwarding of IP fragments without sending any rejection to the source; legitimate IP fragments are blocked too. Fragment attacks readily crash systems or cause denial of service (some systems cannot handle fragments whose reassembled length exceeds 65535 bytes), and carefully constructed fragment offsets hang some systems because they cannot process them; the root cause lies in the reassembly algorithm. Remedies are to have the firewall reassemble fragments, rate-limit them, or stop forwarding them.
• component-block Selectively blocks HTTP traffic containing any of the following components:
- activex ActiveX controls
- java Java applets
- exe .EXE files
- zip ZIP files
An attacker can use any of these components to load an application (a Trojan horse) on a protected host, then use the application to gain control of the host. If you enable the blocking of HTTP components without specifying which components, the NetScreen device blocks them all. Alternatively, you can configure the NetScreen device to block only specified components. Note: If you enable ActiveX blocking, the NetScreen device also blocks packets containing Java applets, .exe files, and .zip files because they might be contained within an ActiveX control. Blocking ActiveX therefore blocks the other three as well; for core enterprise applications this option is not recommended unless necessary.
• fin-no-ack Detects an illegal combination of flags, and rejects packets that have them. A FIN without ACK during TCP teardown is an abnormal close. It carries two security risks: 1) some systems answer with an RST segment and some do not, which gives the attacker operating-system fingerprinting clues; 2) attackers use it to evade detection during address and port scans, and use FIN floods to slip past SYN flood defenses. Deployment advice: first check the network applications to confirm whether any of them legitimately generates this unusual traffic.
• icmp-flood [ threshold number ] Detects and prevents Internet Control Message Protocol (ICMP) floods.
An ICMP flood occurs when ICMP echo requests are broadcast with the purpose of flooding a system with so much data that it first slows down, and then times out and is disconnected. The threshold defines the number of ICMP packets per second allowed to ping the same destination address before the NetScreen device rejects further ICMP packets. The range is 1 to 1,000,000. ICMP plays an important role in network maintenance, PMTU discovery and much else, so disabling ICMP on the device is not recommended. To deal with ICMP floods effectively, rate-limit ICMP bandwidth at the network edge instead; that keeps ICMP fully usable while still rejecting attack traffic.
• icmp-fragment Detects and drops any ICMP frame with the More Fragments flag set, or with an offset indicated in the offset field. ICMP fragments are abnormal traffic; consider enabling this when needed.
• icmp-large Detects and drops any ICMP frame with an IP length greater than 1024. Large ICMP packets are abnormal traffic; consider enabling this when needed. If edge network devices can handle packets this easy to classify, let the edge take on some of the attack protection, forming a layered defense.
• ip-bad-option Detects and drops any packet with an incorrectly formatted IP option in the IP packet header. The NetScreen device records the event in the SCREEN counters list for the ingress interface. This validates the IP header format against the current RFC specifications and drops non-conforming packets. Because many bank applications are developed in-house and cannot be held strictly to RFC conformance, enabling this in the bank network is not recommended.
• ip-filter-src Detects and drops all packets with the Source Route Option enabled. The Source Route Option can allow an attacker to use a false IP address to access a network, and receive returned traffic addressed to the real IP address of the attacker's host device. The administrator can block all IP Source Routed frames having Strict Source Routing (or Loose Source Routing) enabled. Packets that pre-specify their path through the network are generally treated as suspicious; unless some bank business relies on this technique, allowing it hands an intruder a convenient tool.
• ip-loose-src-route Detects packets where the IP option is 3 (Loose Source Routing) and records the event in the SCREEN counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other routers in between those specified.
Same as above; it is recommended to disable this at the edge access routers.
• ip-record-route Detects packets where the IP option is 7 (Record Route) and records the event in the SCREEN counters list for the ingress interface. Same as above.
• ip-security-opt Detects packets where the IP option is 2 (security) and records the event in the SCREEN counters list for the ingress interface. Packets carrying IP option 2 can be treated as suspicious, since the option has no practical application.
• ip-spoofing Prevents spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the ip-spoofing option invalidates such false source IP address connections. Only NetScreen devices running in NAT or Route mode can use this option. The drop-no-rpf-route option instructs the NetScreen device to drop any packet whose source address is not contained in the route table, for example when there is no route back to the source, or when the source IP address is reserved (non-routable, as with 127.0.0.1). IP spoofing: a false source address is inserted in the packet header so the packet appears to come from a trusted source. How NetScreen implements the check: 1) With the interface in Route or NAT mode, spoof detection relies on route table entries (a reverse lookup of the packet's source address in the route table). If the source IP address is not in the route table, by default the NetScreen device lets the packet through (when a policy permits it). set zone zone screen ip-spoofing drop-no-rpf-route instructs the NetScreen device to drop any packet whose source IP address is not in the route table, where zone is the packet's ingress zone. 2) In Transparent mode, the device uses the address book together with the zone and interface bindings to decide whether a packet is spoofed.
• ip-stream-opt Detects packets where the IP option is 8 (Stream ID) and records the event in the SCREEN counters list for the ingress interface. IP option 8 can be treated as suspicious, since the option has no practical application.
• ip-strict-src-route Detects packets where the IP option is 9 (Strict Source Routing) and records the event in the SCREEN counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Strict source routing; suspicious packets.
• ip-sweep threshold number Detects and prevents an IP Sweep attack. An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses.
If a target host replies, it reveals the target's IP address to the attacker. Set the IP Sweep threshold to between 1 and 1,000,000 microseconds. Each time ICMP echo requests occur with greater frequency than this limit, the NetScreen device drops further echo requests from the remote source address. IP address sweep: when one source IP address sends 10 ICMP packets to different hosts within the configured interval (default 5000 microseconds = 0.005 seconds), that counts as an address sweep, and subsequent ICMP packets from that source are dropped.
• ip-timestamp-opt Detects packets where the IP option list includes option 4 (Internet Timestamp) and records the event in the SCREEN counters list for the ingress interface. Packets that record a timestamp at every hop; suspected attack packets.
• land Prevents Land attacks by combining the SYN flood defense mechanism with IP spoofing protection. Land attacks occur when an attacker sends spoofed IP packets with headers containing the target's IP address for both the source and destination IP addresses. The attacker sends these packets with the SYN flag set to any available port. This induces the target to create empty sessions with itself, filling its session table and overwhelming its resources. Land attack: combines a SYN attack with IP spoofing. The victim host answers itself with a SYN-ACK and creates an empty connection that stays open until the idle timeout is reached; piling up many such empty connections exhausts system resources and produces a DoS. NetScreen method: check whether source and destination addresses are identical, whether the source address is spoofed, and whether a SYN attack is in progress.
• limit-session [ source-ip-based number | destination-ip-based number ] Limits the number of concurrent sessions the device can initiate from a single source IP address, or the number of sessions it can direct to a single destination IP address. By default, the limit is 128 sessions. Limit value range is 1 to 49,999. DoS protection: caps the number of concurrent sessions per source or per destination address. Limiting by destination address will affect normal business. If source addresses are very widely distributed (a DDoS), this is hard to defend against. Derive the threshold from the everyday baseline, enlarged by 10-20%.
• mal-URL [ name_str id_str number | code-red ] Sets up a filter that scans HTTP packets for suspect URLs. The NetScreen device drops packets that contain such URLs. The code-red switch enables blocking of the Code Red worm virus. Using the name_str option works as follows.
- name_str A user-defined identification name.
- id_str Specifies the starting pattern to search for in the HTTP packet. Typically, this starting pattern begins with the HTTP command GET, followed by at least one space, plus the beginning of a URL. (The NetScreen device treats multiple spaces between the command "GET" and the character "/" at the start of the URL as a single space.)
- number Specifies a minimum length for the URL before the CR-LF.
• ping-of-death Detects and rejects oversized and irregular ICMP packets. Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. This can trigger a range of adverse system reactions including crashing, freezing, and restarting. An ICMP echo request larger than 65535 bytes crashes some systems. Mainstream operating systems have all fixed this bug by now, so the remaining risk is small.
• port-scan threshold number Prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the NetScreen device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the NetScreen device flags this as a port scan attack, and rejects further packets from the remote source. The port-scan threshold number value determines the threshold setting, which can be from 1000 to 1,000,000 microseconds. Port scan; handled like the IP sweep.
• syn-ack-ack-proxy Prevents the SYN ACK ACK attack. Such an attack occurs when the attacker establishes multiple Telnet sessions without allowing each session to terminate. This consumes all open slots, generating a Denial of Service condition.
• syn-fin Detects an illegal combination of flags attackers can use to consume sessions on the target device, thus resulting in a denial of service. Non-conforming packets (the trick is usually in the flag bits).
• syn-flood Detects and prevents SYN flood attacks.
Such attacks occur when the connecting host continuously sends TCP SYN requests without replying to the corresponding ACK responses.
- alarm-threshold number Defines the number of proxied, half-complete connections per second at which the NetScreen device makes entries in the event alarm log.
- attack-threshold number Defines the number of SYN packets per second required to trigger the SYN proxying mechanism.
- destination-threshold number Specifies the number of SYN segments received per second for a single destination IP address before the NetScreen device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based on destination IP address only, regardless of the destination port number.
- drop-unknown-mac Drops packets when they contain unknown destination MAC addresses.
- queue-size number Defines the number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests.
- source-threshold number Specifies the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the NetScreen device begins dropping connection requests from that source.
- timeout number Defines the maximum length of time before a half-completed connection is dropped from the queue. You can set it between 1 and 50 seconds.
• syn-frag Detects a SYN fragment attack, and drops any packet fragments used for the attack. A SYN fragment attack floods the target host with SYN packet fragments. The host caches these fragments, waiting for the remaining fragments to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host's memory buffer eventually fills. No further connections are possible, and damage to the host's operating system can occur.
The syn-flood screen above is the well-known SYN flood defense. It has many parameters, and their values must be set from the session counts seen in normal operation; allow about 20% headroom.
• tcp-no-flag Drops an illegal packet with missing or malformed flags field. Drops TCP packets with no flags set or with a malformed flags field.
• tear-drop Blocks the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the NetScreen device to drop any packets that have such a discrepancy. Exploits bugs in the IP fragment reassembly algorithm of some operating systems: deliberately chosen overlapping fragment offsets readily crash the OS.
• udp-flood threshold number UDP flooding occurs when an attacker sends UDP packets to slow down the system to the point that it can no longer process valid connection requests. The threshold number parameter is the number of packets allowed per second to the same destination IP address/port pair. When the number of packets exceeds this value within any one-second period, the NetScreen device generates an alarm and drops subsequent packets for the remainder of that second. The valid range is from 1 to 1,000,000. UDP flood protection: if the network has no production UDP application, a lower value is recommended, which reduces bandwidth and session consumption.
• unknown-protocol Discards all received IP frames with protocol numbers greater than 135. Such protocol numbers are undefined or reserved. Drops packets whose protocol number is unknown.
• winnuke Detects attacks on Windows NetBIOS communications, modifies the packet as necessary, and passes it on. (Each WinNuke attack triggers an attack log entry in the event alarm log.) WinNuke sends out-of-band data to the Windows NetBIOS session service on TCP port 139; worms that spread over TCP port 445 (SMB) are a different matter and are not what this screen catches.
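As an added example (not code from this page and not NetScreen/ScreenOS code), the following Python model shows how three groups of the screens described above classify packets: the flag-combination checks (land, syn-fin, fin-no-ack, tcp-no-flag), the ip-spoofing reverse-path lookup with and without drop-no-rpf-route, and the ip-sweep / port-scan interval logic. The Packet fields, the zone names, the route table and all sample packets are constructed for the example; the thresholds (10 distinct targets inside a 5000 microsecond window; a source with no route passes unless drop-no-rpf-route is set) follow the descriptions above. It generalises ip-sweep and port-scan into one detector keyed on destination address or destination port.

```python
"""Reference model of several SCREEN checks described above (added example; not
NetScreen/ScreenOS code). Packets, zone names and the route table are constructed
for the example; thresholds follow the option descriptions on this page."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

FIN, SYN, ACK = 0x01, 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    in_zone: str         # zone the packet arrived on
    flags: int = 0       # TCP flag bits, ignored for ICMP
    dport: int = 0
    ts_us: int = 0       # arrival time in microseconds


def tcp_flag_screen(p: Packet) -> Optional[str]:
    """Name of the flag-combination screen (land, tcp-no-flag, syn-fin,
    fin-no-ack) that rejects this TCP packet, or None if it is legal."""
    if p.proto != "tcp":
        return None
    if p.flags & SYN and p.src == p.dst:     # SYN to itself: Land attack
        return "land"
    if p.flags == 0:                         # no flag at all
        return "tcp-no-flag"
    if p.flags & SYN and p.flags & FIN:      # open and close in one segment
        return "syn-fin"
    if p.flags & FIN and not p.flags & ACK:  # FIN must be accompanied by ACK
        return "fin-no-ack"
    return None


# Constructed route table: prefix -> zone the route exits through. There is
# deliberately no default route, so unroutable sources (127.0.0.1) have no entry.
ROUTES = {
    ip_network("10.1.0.0/16"): "trust",
    ip_network("192.168.0.0/16"): "dmz",
}


def rpf_verdict(p: Packet, drop_no_rpf_route: bool = False) -> str:
    """ip-spoofing check in Route/NAT mode: longest-prefix lookup of the source
    address; the route must leave through the ingress zone. When no route exists
    the packet passes by default and is dropped only with drop-no-rpf-route."""
    src = ip_address(p.src)
    best = None
    for net, zone in ROUTES.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    if best is None:
        return "drop:no-rpf-route" if drop_no_rpf_route else "pass"
    return "pass" if best[1] == p.in_zone else "drop:ip-spoofing"


class SweepDetector:
    """ip-sweep (key = destination address) and port-scan (key = destination
    port): once one source reaches `limit` distinct keys inside a sliding window
    of `window_us` microseconds it is flagged and its later packets are dropped."""

    def __init__(self, key: Callable[[Packet], object], window_us: int = 5000, limit: int = 10):
        self.key, self.window_us, self.limit = key, window_us, limit
        self.seen = defaultdict(deque)   # src -> deque of (ts_us, key)
        self.blocked = set()

    def check(self, p: Packet) -> bool:
        """True if the packet is dropped."""
        if p.src in self.blocked:
            return True
        q = self.seen[p.src]
        q.append((p.ts_us, self.key(p)))
        while q and p.ts_us - q[0][0] > self.window_us:   # expire old entries
            q.popleft()
        if len({k for _, k in q}) >= self.limit:
            self.blocked.add(p.src)
            return True
        return False


def run_demo() -> dict:
    """Run constructed packets through the three models and collect verdicts."""
    out = {}
    tcp = lambda src, dst, flags: Packet(src, dst, "tcp", "untrust", flags=flags)
    out["land"] = tcp_flag_screen(tcp("10.1.1.5", "10.1.1.5", SYN))
    out["syn_fin"] = tcp_flag_screen(tcp("203.0.113.9", "10.1.1.5", SYN | FIN))
    out["fin_no_ack"] = tcp_flag_screen(tcp("203.0.113.9", "10.1.1.5", FIN))
    out["no_flag"] = tcp_flag_screen(tcp("203.0.113.9", "10.1.1.5", 0))
    out["normal_close"] = tcp_flag_screen(tcp("203.0.113.9", "10.1.1.5", FIN | ACK))
    # an internal address arriving from the untrust zone, and a loopback source
    out["spoof"] = rpf_verdict(tcp("10.1.1.5", "192.168.1.1", SYN))
    out["no_route_default"] = rpf_verdict(tcp("127.0.0.1", "192.168.1.1", SYN))
    out["no_route_strict"] = rpf_verdict(tcp("127.0.0.1", "192.168.1.1", SYN), True)
    # 12 hosts pinged 100 us apart (inside the 5000 us window) vs 1000 us apart
    fast = SweepDetector(key=lambda p: p.dst)
    slow = SweepDetector(key=lambda p: p.dst)
    ping = lambda i, gap: Packet("203.0.113.9", f"10.1.1.{i}", "icmp", "untrust", ts_us=i * gap)
    out["sweep_fast"] = [fast.check(ping(i, 100)) for i in range(1, 13)]
    out["sweep_slow"] = [slow.check(ping(i, 1000)) for i in range(1, 13)]
    # 12 ports probed on one host, 10 us apart
    scan = SweepDetector(key=lambda p: p.dport)
    out["portscan"] = [scan.check(Packet("203.0.113.9", "10.1.1.1", "tcp", "untrust",
                                         flags=SYN, dport=port, ts_us=i * 10))
                       for i, port in enumerate(range(20, 32))]
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```

Running it shows why the sweep and port-scan thresholds are an interval rather than a rate: twelve hosts pinged 100 microseconds apart are blocked from the tenth packet onward, while the same twelve hosts pinged one millisecond apart never accumulate ten targets inside the 5000 microsecond window and all pass, which is the gap a slow scanner exploits and the reason to raise the threshold above the default when the baseline allows it. The no-route case shows the default behaviour warned about above: without drop-no-rpf-route, a packet with source 127.0.0.1 passes the spoof check.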
Friday, March 21, 2008