Configuring a rule for icmp-type options, Table 11 – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual
Page 102

90
Brocade Virtual ADX Security Guide
53-1003250-01
DDoS protection
5
The log parameter directs the Brocade Virtual ADX to log traffic on the bound interface that
matches the rule specified by the configured ip-option-attack variable. The no-log parameter
disables this function.
The drop parameter directs the Brocade Virtual ADX to drop traffic on the bound interface that
matches the rule specified by the configured ip-option-attack variable. The no-drop parameter
disables this function.
Configuring a rule for icmp-type options
Brocade Virtual ADX has a set of built-in rules to manage icmp-type options. In this case, the
rule-icmp-type command is used with an icmp-option-attack variable specified in
The following example configures the "filter3" security filter with a rule to drop packets that contain
the icmp-type echo-reply type.
Virtual ADX(config)#security filter filter3
Virtual ADX(config-sec-filter3)#rule icmp-type echo-reply drop
Syntax: [no] rule icmp-type icmp-type [log | no-log] [drop | no-drop]
The icmp-type variable can be one of the options described in
The log parameter directs the Brocade Virtual ADX to log traffic on the bound interface that
matches the rule specified by the configured icmp-type. The no-log parameter disables this
function.
TABLE 11  ip-option attack types and descriptions
(each entry gives the Attack Type, followed by its Description)

ip-option record-route
The record-route option records the path of the packet, which an attacker can analyze to learn details about a network addressing scheme and topology. Use ip-option record-route to drop packets with IP option 7 (record route) set.

ip-option strict-source-route
The strict-source option provides a means for the source of a packet to supply routing information to the gateways forwarding the packet to the destination, and to record the route information. With this option, an attacker can gain knowledge on the network addressing scheme. Use ip-option strict-source-route to drop packets having IP option 9 (strict source routing).

ip-option loose-source-route
The loose-source option provides a means for the source of the packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option differs from strict source routing because a gateway or host is allowed to use any route, through any number of other intermediate gateways, to reach the next address in the route. With this option, an attacker can gain knowledge on the network addressing scheme. Use ip-option loose-source-route to drop packets that have IP option 3 (loose source routing).

ip-option timestamp
Use ip-option timestamp to drop packets whose IP option list includes option 4 (Internet timestamp).

ip-option stream-id
The stream-ID option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept. Use ip-option stream-id to drop packets where the IP option is 8 (stream ID).
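The following is an added example, not code from the Brocade guide or the Virtual ADX itself: a small Python checker that walks the IPv4 option list of a raw packet and reports which of the Table 11 ip-option rules (option numbers 7, 9, 3, 4 and 8) and the icmp-type echo-reply rule (ICMP type 0) the packet would match. The sample packets are constructed inline; addresses, the zeroed checksums and the helper names are assumptions for illustration.

```python
import struct

# Option numbers from Table 11 (the low 5 bits of the IPv4 option type byte).
IP_OPTION_ATTACKS = {7: "record-route", 9: "strict-source-route",
                     3: "loose-source-route", 4: "timestamp", 8: "stream-id"}

def ipv4_options(packet: bytes):
    """Yield option numbers found in the IPv4 header option field."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No Operation: single-byte option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                         # truncated or malformed length byte
        yield kind & 0x1F
        i += opts[i + 1]

def matching_rules(packet: bytes) -> list:
    """Return the filter rules from the text that this packet would match."""
    hits = [f"ip-option {IP_OPTION_ATTACKS[n]}"
            for n in ipv4_options(packet) if n in IP_OPTION_ATTACKS]
    ihl = (packet[0] & 0x0F) * 4
    # Protocol 1 is ICMP; an ICMP type byte of 0 is echo-reply.
    if packet[9] == 1 and len(packet) > ihl and packet[ihl] == 0:
        hits.append("icmp-type echo-reply")
    return hits

def build_packet(options: bytes, payload: bytes, proto: int = 1) -> bytes:
    """Constructed sample: minimal IPv4 header, options padded to 4 bytes, checksum left zero."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload

# Constructed samples (assumed values, not captured traffic).
ECHO_REPLY = b"\x00" * 8                                         # ICMP type 0, code 0
RR_PACKET = build_packet(bytes([0x07, 7, 4]) + b"\x00" * 4, ECHO_REPLY)    # option 7
SSRR_PACKET = build_packet(bytes([0x89, 3, 4]), b"\x00" * 8, proto=17)     # 0x89 = copy bit + option 9
TS_PACKET = build_packet(bytes([1, 0x44, 4, 5, 0]), b"\x00" * 8, proto=6)  # NOP then option 4
CLEAN = build_packet(b"", b"\x08\x00" + b"\x00" * 6)                       # echo request, no options
```

Running matching_rules on RR_PACKET reports both the record-route option and the echo-reply type, which is the combination the rule commands above are written to drop.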