In the preceding section, we addressed many of the basic IP attacks. This section discusses how to block additional common attacks, and the tricks you can use to circumvent other prevention mechanisms.
Blocking these basic IP attacks at a screen level lessens the load on the IPS layer (as many of these attacks can also be blocked there, albeit at the expense of more processing and evaluation).
One common IP attack is the malformed packet. Attackers and security researchers have found that incorrectly formatted or incomplete packets can produce unintended consequences on both network infrastructure and end hosts. It is not unheard of to witness such packets crashing services or even the server itself. Today's operating systems tend to handle them safely, but it is a best practice to drop such packets at the edge, before they enter your network and reach your end hosts. Let's enter the security screen configuration hierarchy:

juniper@SRX5800# edit security screen
[edit security screen]
juniper@SRX5800# set ids-option untrusted-internet ip bad-option
Along the same lines as the malformed packet that should never be seen as legitimate traffic entering the network, it is also best to block IP packets with an unknown protocol ID:
[edit security screen]
juniper@SRX5800# set ids-option untrusted-internet ip unknown-protocol
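To make concrete what the two screens above are looking at on the wire, here is an added example, written for this page and not Juniper code, that models the bad-option and unknown-protocol checks over constructed IPv4 headers. The addresses, identification fields and option bytes are made up for the example. The unknown-protocol threshold of 137 is an assumption taken from Juniper's documentation of the screen (protocol numbers 137 and above are treated as unknown); check the threshold for your release.

```python
"""Model of the Junos 'ip bad-option' and 'ip unknown-protocol' screens.
Added example: not Juniper code, and not a substitute for the SRX implementation."""
import struct
from typing import Dict, List, Tuple

# Assumption for this example: protocol numbers 137 and above count as unknown.
UNKNOWN_PROTO_THRESHOLD = 137


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a header (checksum field zeroed)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, options: bytes = b"") -> bytes:
    """Construct an IPv4 header (no payload) for the given protocol and options.
    Options are padded with End-of-Option-List bytes (0x00) to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0x1234, 0x4000, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))  # constructed TEST-NET addresses
    hdr = fixed + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> Dict:
    """Parse the fixed 20-byte header; raise ValueError if it cannot be read at all."""
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "proto": proto, "total_len": total_len,
            "options": pkt[20:ihl], "raw_len": len(pkt)}


def bad_option_reasons(hdr: Dict) -> List[str]:
    """Model of 'ip bad-option': header-length sanity plus a walk of the option TLVs."""
    if hdr["ihl"] < 20:
        return ["IHL below the 20-byte minimum"]
    if hdr["ihl"] > hdr["raw_len"]:
        return ["IHL claims more header bytes than are on the wire"]
    reasons, opts, i = [], hdr["options"], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List: the rest is padding
            break
        if kind == 1:            # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            reasons.append("option %d has no length byte" % kind)
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            reasons.append("option %d length %d is invalid for this header" % (kind, length))
            break
        i += length
    return reasons


def screen(pkt: bytes) -> Tuple[str, List[str]]:
    """Return ('drop' or 'pass', [names of the screens that fired]) for one packet."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError:
        return "drop", ["bad-option"]   # cannot even read the fixed header
    fired = []
    if bad_option_reasons(hdr):
        fired.append("bad-option")
    if hdr["proto"] >= UNKNOWN_PROTO_THRESHOLD:
        fired.append("unknown-protocol")
    return ("drop" if fired else "pass"), fired


if __name__ == "__main__":
    samples = {
        "plain TCP, no options": build_ipv4(6),
        "TCP with Router Alert option": build_ipv4(6, b"\x94\x04\x00\x00"),
        "Record Route claiming 39 bytes in a 4-byte option area": build_ipv4(6, b"\x07\x27\x00\x00"),
        "option with length 1": build_ipv4(6, b"\x07\x01\x00\x00"),
        "option type with no length byte": build_ipv4(6, b"\x01\x01\x01\x07"),
        "IHL 24 but only 20 bytes sent": build_ipv4(6, b"\x94\x04\x00\x00")[:20],
        "protocol 200": build_ipv4(200),
    }
    for name, pkt in samples.items():
        verdict, fired = screen(pkt)
        print("%-55s %-4s %s" % (name, verdict, ",".join(fired)))
```

Two practical notes. First, an ids-option profile on the SRX does nothing until it is applied to a zone (set security zones security-zone <zone> screen untrusted-internet), so add that binding and confirm hits with show security screen statistics zone <zone>. Second, a legitimate option such as Router Alert passes the bad-option check; the screen rejects malformed option encoding, not the presence of options as such.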
Fragments are often used to circumvent attack preventions and detections by splitting ...