ServerIron ADX Security Guide 129
53-1002440-03
DDoS protection 5
Configuring a rule for ip-option attack types
ServerIron ADX has a set of built-in rules to manage ip-option attack types. In this case, the rule
command is used with an <ip-option-attack> variable, specified as one of the values in Table 14.
The following example configures the "filter2" security filter with a rule to drop packets that are
associated with an ip-option record-route attack.
ServerIronADX(config)# security filter filter2
ServerIronADX(config-sec-filter2)# rule ip-option record-route drop
Syntax: [no] rule ip-option <ip-option-attack> [log | no-log] [drop | no-drop]
The <ip-option-attack> variable is specified as one of the options described in Table 14.
The log parameter directs the ServerIron ADX to log traffic on the bound interface that matches the
rule specified by the configured <ip-option-attack>. The no-log parameter disables this
function.
The drop parameter directs the ServerIron ADX to drop traffic on the bound interface that matches
the rule specified by the configured <ip-option-attack>. The no-drop parameter disables this
function.
TABLE 14 ip-option attack types and descriptions

Attack Type: ip-option record-route
Description: The record-route option records the path of the packet, which an attacker can
analyze to learn details about a network's addressing scheme and topology.
Use ip-option record-route to drop packets with IP option 7 (record route) set.

Attack Type: ip-option strict-source-route
Description: The strict-source-route option provides a means for the source of a packet to
supply routing information to the gateways forwarding the packet to the destination, and to
record the route information. With this option, an attacker can gain knowledge of the network's
addressing scheme.
Use ip-option strict-source-route to drop packets that have IP option 9 (strict source routing).

Attack Type: ip-option loose-source-route
Description: The loose-source-route option provides a means for the source of the packet to
supply routing information to be used by the gateways in forwarding the packet to the
destination. It differs from strict source routing in that a gateway or host is allowed to use
any route through any number of intermediate gateways to reach the next address in the route.
With this option, an attacker can gain knowledge of the network's addressing scheme.
Use ip-option loose-source-route to drop packets that have IP option 3 (loose source routing).

Attack Type: ip-option timestamp
Description: Use ip-option timestamp to drop packets whose IP option list includes option 4
(Internet timestamp).

Attack Type: ip-option stream-id
Description: The stream-ID option provides a way for the 16-bit SATNET stream identifier to be
carried through networks that do not support the stream concept.
Use ip-option stream-id to drop packets where the IP option is 8 (stream ID).
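As an added illustration (not part of this guide and not ServerIron ADX code), the following Python walks the option field of a captured IPv4 header and reports which Table 14 rule keywords the packet would match, using the same option numbers the table lists. The build_ipv4 helper and the sample option bytes are constructed here only to exercise the parser offline.

```python
import struct

# Option numbers (low 5 bits of the option-type byte) listed in Table 14,
# keyed to the keyword used in "rule ip-option <ip-option-attack> drop".
IP_OPTION_RULES = {
    7: "record-route",
    9: "strict-source-route",
    3: "loose-source-route",
    4: "timestamp",
    8: "stream-id",
}

def parse_ipv4_options(packet: bytes) -> list:
    """Return the option numbers present in an IPv4 header (in order)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, numbers, i = packet[20:ihl], [], 0
    while i < len(opts):
        number = opts[i] & 0x1F          # strip the copied and class bits
        if number == 0:                  # end of option list
            break
        if number == 1:                  # no-operation: a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        numbers.append(number)
        i += length
    return numbers

def matching_rules(packet: bytes) -> list:
    """Rule keywords from Table 14 that this packet would match."""
    return sorted({IP_OPTION_RULES[n] for n in parse_ipv4_options(packet)
                   if n in IP_OPTION_RULES})

def build_ipv4(options: bytes) -> bytes:
    """Constructed test helper: minimal IPv4 header carrying the given options."""
    options += b"\x00" * ((-len(options)) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                      64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + options
```

A header with no options matches nothing; one carrying a no-op, a stream-ID option and a timestamp option reports both stream-id and timestamp.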