Screen Options

The firewall functionality of a security device secures a zone by inspecting, and then allowing or denying, all connection attempts that require crossing an interface. To protect against attacks from other zones, you can enable defense mechanisms (by selecting screen options) that detect and deflect the following common network attacks.

Note: The following options are available for physical interfaces only: SYN Attack, ICMP Flood, UDP Flood, and Port Scan Attack.

To Enable Protection Against Attacks

  1. Select any one or all of the SCREEN options you require and enter valid information where necessary, such as threshold values. You can select Check All to select all SCREEN options or Clear All to clear all selected SCREEN options.

Note: Enabling all SCREEN options might adversely affect processing performance.

  2. Click Apply to save your settings.

For information on the different SCREEN options, see the following sections.

Generate Alarms without Dropping Packets

Although you typically want the security device to block exploits, there might be times when you want to gather intelligence about them. You might want to learn specifically about a particular exploit—to discover its intention, its sophistication, and possibly (if the attacker is careless or unsophisticated) its source.

When you check this option, the security device notifies you of an exploit but, instead of taking action against it, allows the exploit to proceed.

Flood Defense

ICMP Flood Protection

An ICMP flood occurs when ICMP echo requests overload the victim with so many requests that it expends all its resources responding until it can no longer process valid network traffic. When enabling the ICMP flood protection feature, you can set a threshold that, once exceeded, invokes the ICMP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the security device ignores further ICMP echo requests for the remainder of that second plus the next second as well.

There are different types of ICMP messages, each with their own purpose.

UDP Flood Protection

A UDP flood occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim to the point that it can no longer handle valid connections. After enabling the UDP flood protection feature, you can set a threshold that, once exceeded, invokes the UDP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the number of UDP datagrams from one or more sources to a single destination exceeds this threshold, the security device ignores further UDP datagrams to that destination for the remainder of that second plus the next second as well.

Note: To specify destination addresses to protect from UDP flooding, click the Destination IP button.
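The ICMP and UDP flood thresholds above share one rule: count packets per destination per second, and once the count exceeds the threshold, drop the rest of that second and the whole of the next. The following model of that rule is an added example, not ScreenOS code; the packet records (timestamp, destination) and the low threshold used in testing are constructed.

```python
# Added example (not from the original page): a model of the per-destination
# flood threshold. Packets are constructed (timestamp_seconds, destination)
# tuples; the "remainder of this second plus the next second" blocking rule
# follows the text.
from collections import defaultdict

DEFAULT_THRESHOLD = 1000  # packets per second, the page's default


class FloodGuard:
    """Counts packets per destination per wall-clock second and blocks a
    destination once the count exceeds the threshold, for the rest of that
    second and the following one."""

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        self.counts = defaultdict(int)  # (dest, second) -> packets seen
        self.blocked_until = {}         # dest -> last second that is blocked

    def accept(self, ts, dest):
        """Return True if the packet is forwarded, False if it is ignored."""
        second = int(ts)
        # Still inside a blocking window for this destination?
        if dest in self.blocked_until and second <= self.blocked_until[dest]:
            return False
        self.counts[(dest, second)] += 1
        if self.counts[(dest, second)] > self.threshold:
            # Block the remainder of this second plus the whole next second.
            self.blocked_until[dest] = second + 1
            return False
        return True


def simulate(packets, threshold=DEFAULT_THRESHOLD):
    """Run a constructed packet list through one guard; one verdict per packet."""
    guard = FloodGuard(threshold)
    return [guard.accept(ts, dest) for ts, dest in packets]
```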

SYN Flood Protection

A SYN flood attack occurs when a network becomes so overwhelmed by SYN packets initiating connection requests that cannot be completed that it can no longer process legitimate connection requests, resulting in a denial of service (DoS).

You can set the following parameters when configuring the SYN flood protection feature:

Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address and destination port number. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.

When you set a SYN attack threshold and a destination threshold, you put both the basic SYN flood protection mechanism and the destination-based SYN flood tracking mechanism in effect.

Block HTTP Components

Block Java Component

Malicious Java applets can be hidden in Web pages. When downloaded, these applets install a Trojan horse on a host in the protected network. When you enable the blocking of Java applets in a security zone, the security device blocks all embedded Java applets in HTTP traffic that arrives at any interface bound to that zone.

Block ActiveX Component

Malicious ActiveX controls can be hidden in Web pages. When downloaded, these controls can install a Trojan horse on a host in the protected network. When you enable the blocking of ActiveX controls in a security zone, the security device blocks all embedded ActiveX controls in HTTP traffic that arrives at any interface bound to that zone.

Because an ActiveX control can contain a Java applet, .exe file, or .zip file, enabling the blocking of ActiveX controls in a security zone causes the security device to block these components as well.

Block ZIP Component

A .zip file can contain one or more .exe files that, when downloaded from a Web site, can install a Trojan horse on a host in the protected network. When you enable the blocking of .zip files in a security zone, the security device blocks all .zip files in HTTP traffic that arrives at any interface bound to that zone.

Block EXE Component

When downloaded from a Web site, a malicious .exe file can install a Trojan horse on a host in the protected network. When you enable the blocking of .exe files in a security zone, the security device blocks all .exe files in HTTP traffic that arrives at any interface bound to that zone.

MS-Windows Defense

WinNuke Attack Protection

WinNuke is a DoS attack targeting any computer on the Internet running Windows. The attacker sends a TCP segment—usually to NetBIOS port 139 with the urgent (URG) flag set—to a host with an established connection. This introduces a NetBIOS fragment overlap, which causes many machines running Windows to crash. After rebooting, the following message appears, indicating that an attack has occurred:

An exception 0E has occurred at 0028:[address] in VxD MSTCP(01) +
000041AE. This was called from 0028:[address] in VxD NDIS(01) +
00008660. It may be possible to continue normally.

Press any key to attempt to continue.

Press CTRL+ALT+DEL to restart your computer. You will lose any unsaved information in all applications.

Press any key to continue.

If you enable the WinNuke attack defense SCREEN option, the security device scans any incoming Microsoft NetBIOS session service (port 139) packets. If the security device observes that the URG flag is set in one of those packets, it unsets the URG flag, clears the URG pointer, forwards the modified packet, and makes an entry in the event log noting that it has blocked an attempted WinNuke attack.
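The sanitising step just described (unset URG, clear the urgent pointer, forward) also has to recompute the TCP checksum or the host will discard the repaired segment. The block below is an added illustration, not the device's code: it builds a constructed IPv4/TCP packet, applies the WinNuke check to it, and verifies the result checksums correctly.

```python
# Added example (not the device's code): the WinNuke handling modelled on a
# constructed IPv4/TCP packet. A port-139 segment with URG set has the URG
# flag and urgent pointer cleared and its TCP checksum recomputed.
import struct

NETBIOS_SESSION_PORT = 139
TCP_URG = 0x20
TCP = 6


def checksum(data):
    """Internet checksum (RFC 1071) over data; returns 0 for a valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum including the IPv4 pseudo-header."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP, len(segment))
    return checksum(pseudo + segment)


def build_packet(src, dst, sport, dport, flags, urg_ptr, payload=b""):
    """Construct an IPv4 packet (no options) carrying a 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags,
                      8192, 0, urg_ptr) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP,
                     0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def winnuke_screen(packet):
    """Return (action, packet): 'forward' unchanged or 'sanitised' copy."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP or len(packet) < ihl + 20:
        return "forward", packet
    src, dst = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    dport = struct.unpack("!H", tcp[2:4])[0]
    flags = tcp[13]
    if dport != NETBIOS_SESSION_PORT or not flags & TCP_URG:
        return "forward", packet
    tcp[13] = flags & ~TCP_URG                  # unset the URG flag
    tcp[18:20] = b"\x00\x00"                    # clear the urgent pointer
    tcp[16:18] = b"\x00\x00"                    # zero before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    # A real device would write an event-log entry here.
    return "sanitised", packet[:ihl] + bytes(tcp)
```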

Scan/Spoof/Sweep Defense

IP Address Spoof Detection

Spoofing attacks occur when an attacker attempts to bypass the firewall security by imitating a valid client IP address. When IP Spoofing defense is enabled for a particular zone, the security device checks the source IP address of packets arriving at any interface bound to that zone against its route tables (when operating at Layer 3) or its address books (if operating at Layer 2). If the route table lookup (L3) or address book lookup (L2) indicates that the source IP address in the packet belongs to a different zone than the one to which the interface receiving the packet is bound, the security device drops that packet.

IP Address Sweep Protection

An address sweep occurs when one source IP address sends 10 ICMP packets to different hosts within a defined interval (5000 microseconds is the default). The purpose of this scheme is to send ICMP packets—typically echo requests—to various hosts in the hopes that at least one replies, thus uncovering an address to target. The security device internally logs the number of ICMP packets to different addresses from one remote source. Using the default settings, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), the security device flags this as an address sweep attack, and rejects the 11th and all further ICMP packets from that host for the remainder of that second.

You can set the IP Address Sweep threshold between 1 and 1,000,000 microseconds.

Port Scan Attack Protection

A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). The purpose of this scheme is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. The security device internally logs the number of different ports scanned from one remote source. Using the default settings, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the security device flags this as a port scan attack, and rejects all further packets from the remote source (regardless of the destination IP address) for the remainder of that second.

You can set the threshold to a value between 1000 and 1,000,000 microseconds.
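The address-sweep and port-scan detectors above are the same sliding-window count over a different target key (destination host for ICMP sweeps, destination port per host for TCP SYN scans) with different blocking scope. The code below is an added example covering both sections, not ScreenOS code; the packet records, timestamps in microseconds and addresses are constructed.

```python
# Added example (not from the original page): sliding-window detection for
# IP address sweeps and port scans. A source that reaches TARGET_COUNT
# distinct targets inside the interval is flagged on that packet and its
# later packets are rejected for the remainder of that second.
from collections import defaultdict, deque

DEFAULT_INTERVAL_US = 5000  # microseconds, the page's default
TARGET_COUNT = 10           # distinct hosts (sweep) or ports (scan)
ONE_SECOND_US = 1_000_000


class SweepTracker:
    def __init__(self, interval_us=DEFAULT_INTERVAL_US):
        self.interval_us = interval_us
        self.events = defaultdict(deque)  # (source, group) -> (ts_us, target)
        self.blocked_until_us = {}        # source -> end of the blocking second

    def is_blocked(self, ts_us, source):
        return ts_us < self.blocked_until_us.get(source, -1)

    def check(self, ts_us, source, group, target):
        """'allow', 'flag' (10th target: logged, still forwarded) or 'reject'."""
        if self.is_blocked(ts_us, source):
            return "reject"
        q = self.events[(source, group)]
        q.append((ts_us, target))
        while ts_us - q[0][0] > self.interval_us:  # expire old events
            q.popleft()
        if len({t for _, t in q}) >= TARGET_COUNT:
            # Reject further packets for the remainder of this second.
            self.blocked_until_us[source] = (ts_us // ONE_SECOND_US + 1) * ONE_SECOND_US
            q.clear()
            return "flag"
        return "allow"


def screen_packets(packets, interval_us=DEFAULT_INTERVAL_US):
    """packets: constructed (ts_us, src, dst, proto, dport) records.
    Sweep tracking counts distinct destination hosts of ICMP packets;
    scan tracking counts distinct SYN destination ports per destination host
    and, once tripped, rejects all traffic from the source."""
    sweep, scan = SweepTracker(interval_us), SweepTracker(interval_us)
    verdicts = []
    for ts, src, dst, proto, dport in packets:
        if scan.is_blocked(ts, src):       # port scan: every protocol rejected
            verdicts.append("reject")
        elif proto == "icmp":              # sweep: only ICMP from the host
            verdicts.append(sweep.check(ts, src, None, dst))
        elif proto == "tcp-syn":
            verdicts.append(scan.check(ts, src, dst, dport))
        else:
            verdicts.append("allow")
    return verdicts
```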

Denial of Service Defense

Ping of Death Attack

The TCP/IP specification requires a specific packet size for datagram transmission. Many ping implementations allow the user to specify a larger packet size if desired. A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial of service (DoS), crashing, freezing, and rebooting. When this option is enabled, the security device detects and rejects packets with such oversized and irregular sizes.

Teardrop Attack Protection

Teardrop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the options is offset. When the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap and the server attempting to reassemble the packet can crash. If the security device sees this discrepancy in a fragmented packet, it drops it.

ICMP Fragment Protection

The security device detects and blocks any ICMP frame with the More Fragments flag set, or with an offset indicated in the offset field.

Large Size ICMP Packet (Size > 1024) Protection

Because ICMP packets contain very short messages, there is no legitimate reason for large ICMP packets. When you enable the Large Size ICMP Packet Protection SCREEN option, the security device drops ICMP packets with a length greater than 1024 bytes.

Block Fragment Traffic

As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based upon the network's maximum transmission unit (MTU).

IP fragments may carry an attacker's attempt to exploit the vulnerabilities in the packet reassembly code of specific IP stack implementations. When the target system receives these packets, the results range from not processing the packets correctly to crashing the entire system. When this option is enabled, the security device blocks all IP packet fragments.
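The five fragment- and size-related checks in this section (Ping of Death, Teardrop, ICMP Fragment, Large Size ICMP, Block Fragment Traffic) all read the same few IP header fields. The block below is an added example, not ScreenOS code: it summarises a packet as a constructed record and reports which checks it trips, and separately tests a set of fragments for the Teardrop overlap.

```python
# Added example (not from the original page): fragment and ICMP size checks
# over constructed packet summaries. Only the header fields the checks need
# are modelled.
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # largest datagram an IPv4 header can describe
LARGE_ICMP = 1024        # the page's Large Size ICMP threshold, in bytes
ICMP = 1


@dataclass
class Fragment:
    """Constructed summary of one IP packet."""
    proto: int
    total_len: int  # IP total length in bytes (header + payload)
    mf: bool        # More Fragments flag
    offset: int     # fragment offset field, in 8-byte units
    ihl: int = 20   # header length in bytes

    @property
    def fragmented(self):
        return self.mf or self.offset != 0


def screen_packet(pkt, block_fragments=False):
    """Return the names of the SCREEN checks the packet trips (empty = pass)."""
    hits = []
    payload = pkt.total_len - pkt.ihl
    if pkt.proto == ICMP and pkt.offset * 8 + payload > MAX_IP_DATAGRAM:
        hits.append("ping-of-death")  # reassembled ICMP datagram would exceed 65535
    if pkt.proto == ICMP and pkt.fragmented:
        hits.append("icmp-fragment")  # MF set or non-zero offset
    if pkt.proto == ICMP and pkt.total_len > LARGE_ICMP:
        hits.append("large-icmp")
    if block_fragments and pkt.fragmented:
        hits.append("block-fragment")
    return hits


def teardrop_overlap(fragments):
    """True when two fragments of one datagram overlap, i.e. one fragment's
    offset lies before the end (offset + size) of the fragment preceding it."""
    spans = sorted((f.offset * 8, f.offset * 8 + f.total_len - f.ihl)
                   for f in fragments)
    return any(start < spans[i - 1][1]
               for i, (start, _) in enumerate(spans) if i)
```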

Land Attack Protection

Combining a SYN attack with IP spoofing, a Land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a DoS. By combining elements of the SYN flood defense and IP Spoofing protection, the security device blocks any attempts of this nature.

SYN-ACK-ACK Proxy Protection

When an authentication user initiates a Telnet or FTP connection, the user sends a SYN packet to the Telnet or FTP server. The security device intercepts the packet and proxies a SYN-ACK packet to the user. The user then replies with an ACK packet. At that point, the initial 3-way handshake is complete. The security device creates an entry in its session table and sends a login prompt to the user. If the user, with malicious intent, does not log in, but instead continues initiating SYN-ACK-ACK sessions, the session table on the security device can fill up to the point where the device begins rejecting legitimate connection requests.

To thwart such an attack, you can enable the SYN-ACK-ACK proxy protection SCREEN option. After the number of connections from the same IP address reaches the syn-ack-ack-proxy threshold, the security device rejects further connection requests from that IP address. By default, the threshold is 512 connections from any single IP address. You can change this threshold (to any number between 1 and 250,000) to better suit the requirements of your network environment.

Source IP Based Session Limit

This option limits the number of sessions from a single IP address. After the number of sessions from the same source IP address has reached the session threshold, the security device rejects any further attempts to initiate a session from that IP address. By default, the threshold is 128 sessions per IP address. You can change the threshold (to any number from 1 to 49,999) to better suit the needs of your network environment.

This SCREEN option helps defend against denial-of-service (DoS) attacks that attempt to fill up the session table on the security device to the point where it can no longer process legitimate connection requests.

Destination IP Based Session Limit

This option limits the number of sessions to a single IP address. After the number of sessions to the same destination IP address has reached the session threshold, the security device rejects any further attempts to initiate a session to that IP address. By default, the threshold is 128 sessions per IP address. You can change the threshold (to any number from 1 to 49,999) to better suit the needs of your network environment.

This SCREEN option helps defend against distributed denial-of-service (DDoS) attacks targeting a single IP address. Such attacks attempt to fill up the session table on the security device to the point where it can no longer process legitimate connection requests.

Protocol Anomaly Reports--IP Option Anomalies

Bad IP Option Detection

The security device blocks packets when the list of IP options in the IP datagram header is incomplete or malformed.

IP Timestamp Option Detection

The security device detects packets where the IP option list includes option 4 (Internet Timestamp) and records the event in the SCREEN counters list for the ingress interface.

IP Security Option Detection

The security device detects packets where the IP option is 2 (security) and records the event in the SCREEN counters list for the ingress interface. This IP option provides a way for hosts to send security, compartmentation, TCC (closed user group) parameters, and Handling Restriction Codes compatible with DOD requirements.

IP Stream Option Detection

The security device detects packets where the IP option is 8 (Stream ID) and records the event in the SCREEN counters list for the ingress interface. This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept.

IP Record Route Option Detection

The security device detects packets where the IP option is 7 (Record Route) and records the event in the SCREEN counters list for the ingress interface. This option is used to record the route of a packet. A recorded route is composed of a series of internet addresses, which an outsider can analyze to learn details about your network's addressing scheme and topology.

IP Loose Source Route Option Detection

The security device detects packets where the IP option is 3 (Loose Source Routing) and records the event in the SCREEN counters list for the ingress interface. This option provides a means for the source of a packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option is a loose source route because the gateway or host IP is allowed to use any route of any number of other intermediate gateways to reach the next address in the route.

IP Strict Source Route Option Detection

The security device detects packets where the IP option is 9 (Strict Source Routing) and records the event in the SCREEN counters list for the ingress interface. This option provides a means for the source of a packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option is a strict source route because the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route.

IP Source Route Option Filter

The IP header can carry an option containing routing information that specifies a path different from the one the header's source address implies. Enable this option to block all IP traffic that employs the Source Route Option. The Source Route Option can allow an attacker to enter a network with a false IP address and have data sent back to their real address.
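The seven IP option checks above come down to walking the option list once: a list that is truncated or has an impossible length is the Bad IP Option case, each recognised option number (2, 3, 4, 7, 8, 9) increments its counter, and options 3 and 9 additionally trigger the Source Route filter when it is enabled. The parser below is an added example, not ScreenOS code; the header builder and option bytes are constructed for the test.

```python
# Added example (not from the original page): an IPv4 option-list walker that
# applies the Bad IP Option block, the per-option detections and the optional
# Source Route filter, recording hits in a counters dict.
import struct
from collections import defaultdict

# Option numbers (low 5 bits of the option type byte) named in the text.
OPTION_NAMES = {2: "security", 3: "loose-source-route", 4: "timestamp",
                7: "record-route", 8: "stream-id", 9: "strict-source-route"}
SOURCE_ROUTE = {3, 9}


def new_counters():
    return defaultdict(int)


def parse_ip_options(options):
    """Return the option numbers in the list, or None if it is malformed."""
    found, i = [], 0
    while i < len(options):
        number = options[i] & 0x1F
        if number == 0:                 # End of Option List
            break
        if number == 1:                 # No Operation: single byte
            i += 1
            continue
        if i + 1 >= len(options):       # type byte without a length byte
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):  # impossible length
            return None
        found.append(number)
        i += length
    return found


def screen_ip_options(packet, counters, filter_source_route=True):
    """Return 'pass' or 'drop' for one IPv4 packet; counters updated in place."""
    ihl = (packet[0] & 0x0F) * 4
    numbers = parse_ip_options(packet[20:ihl]) if 20 <= ihl <= len(packet) else None
    if numbers is None:
        counters["bad-ip-option"] += 1
        return "drop"
    action = "pass"
    for n in numbers:
        if n in OPTION_NAMES:
            counters[OPTION_NAMES[n]] += 1  # detect-and-record only
        if filter_source_route and n in SOURCE_ROUTE:
            action = "drop"
    return action


def build_header(options):
    """Construct a minimal IPv4 header carrying the given option bytes."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, 1, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + options
```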

Protocol Anomaly Reports--TCP/IP Anomalies

SYN Fragment Protection

The Internet Protocol (IP) encapsulates a Transmission Control Protocol (TCP) SYN segment in the IP packet that initiates a TCP connection. Because the purpose of this packet is to initiate a connection and invoke a SYN/ACK segment in response, the SYN segment typically does not contain any data. Because the IP packet is small, there is no legitimate reason for it to be fragmented.

When you enable the SYN Fragment Detection SCREEN option, the NetScreen device detects packets when the IP header indicates that the packet has been fragmented and the SYN flag is set in the TCP header.

TCP Packet Without Flag Protection

The normal TCP segment header has at least one flag control set. A TCP segment with no control flags set is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device can provide a clue as to the type of OS it is running.

When you enable the security device to detect TCP segment headers with no flags set, the security device drops all TCP packets with a missing or malformed flags field.

SYN and FIN Bits Set Protection

The SYN and FIN flags are not normally both set in the same packet. However, an attacker can send a packet with both flags set to see what kind of system reply is returned and thereby determine what kind of system is on the receiving end. The attacker can then use any known system vulnerabilities for further attacks. Enable this option to have the security device drop packets that have both the SYN and FIN bits set in the flags field.

FIN Bit With No ACK Bit in Flags Protection

The security device checks if the FIN flag is set but not the ACK flag in TCP headers. If it discovers a packet with such a header, it drops the packet.

Unknown Protocol Protection

The security device drops packets where the protocol field is set to 137 or greater. These protocol types are reserved and undefined at this time. Precisely because these protocols are undefined, there is no way to know in advance if a particular unknown protocol is benign or malicious. Unless your network makes use of a non-standard protocol with an ID number of 137 or greater, a cautious stance is to block such unknown elements from entering your protected network.

When you enable the Unknown Protocol Protection SCREEN option, the security device drops packets when the protocol field contains a protocol ID number of 137 or greater.
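The TCP/IP anomaly checks in this section (SYN Fragment, TCP Packet Without Flag, SYN and FIN Bits Set, FIN Bit With No ACK Bit, Unknown Protocol) each inspect one or two header fields, and one packet can trip several at once. The function below is an added example, not ScreenOS code: it reads constructed IPv4/TCP bytes and returns every check that fires, skipping the TCP flag checks on non-first fragments, which carry no TCP header.

```python
# Added example (not from the original page): the TCP/IP anomaly checks
# applied to constructed IPv4 (+ optional TCP) header bytes.
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10
TCP = 6
FIRST_UNASSIGNED_PROTOCOL = 137  # the page's cut-off for "unknown protocol"


def ip_tcp_anomalies(packet):
    """Return the names of the anomaly checks the packet trips (empty = pass)."""
    hits = []
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments, frag_offset = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    fragmented = more_fragments or frag_offset != 0
    proto = packet[9]
    if proto >= FIRST_UNASSIGNED_PROTOCOL:
        hits.append("unknown-protocol")
    if proto != TCP:
        return hits
    if frag_offset != 0:
        return hits                    # non-first fragment: no TCP header to read
    if len(packet) < ihl + 14:
        hits.append("tcp-no-flag")     # truncated header: flags field missing
        return hits
    flags = packet[ihl + 13] & 0x3F    # FIN SYN RST PSH ACK URG
    if fragmented and flags & SYN:
        hits.append("syn-frag")        # SYN in the first fragment of a split packet
    if flags == 0:
        hits.append("tcp-no-flag")
    if flags & SYN and flags & FIN:
        hits.append("syn-fin")
    if flags & FIN and not flags & ACK:
        hits.append("fin-no-ack")
    return hits


def build(proto, tcp_flags=None, mf=False, offset=0):
    """Construct a minimal IPv4 header (checksum left zero) with an optional
    20-byte TCP header carrying the given flags."""
    tcp = b"" if tcp_flags is None else struct.pack(
        "!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag, 64, proto,
                     0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp
```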