User's Guide

XSR Users Guide 327
Chapter 13 XSR Firewall Feature Set Functionality
Configuring Security on the XSR
Application Level Gateway - Support for FTP and H.323 version 2 protocols
Denial of Service (DoS) attack protection - Security for internal hosts against a common set of DoS attacks when the firewall is enabled (globally and per interface). The firewall also uses the XSR's HostDoS feature to perform anti-spoofing: it enforces hostDoS checkspoof on any firewall-enabled interface regardless of the hostDoS checkspoof setting. Checkspoofing is performed by validating the source IP address against the routing table. If a packet is received on an interface with a source IP address that is not routable through that interface, it is considered spoofed and dropped. See the XSR CLI Reference Guide for more information.
A high-priority log message is generated when DoS attacks are detected. The following DoS attacks are covered:
Anti-Spoofing - In response to a spoof attack, the firewall drops all packets with a source address belonging to an internal network when they are received from an external interface. Packets from an internal interface with a source address not in that network are also dropped.
ICMP Flood - In response to ICMP echo requests received from different source addresses at a very high rate, the firewall sets a rate limit on the number of ICMP echo requests processed per second.
Ping of Death - In response, fragmented echo requests are dropped.
Smurf attack - In response to a smurf attack, where ICMP echo requests are sent with a directed broadcast address as the destination and any host as the source, the firewall filters echo requests to directed broadcasts or all directed broadcast packets.
SYN Flood - In response to a continuous stream of TCP open packets (SYN bit set) targeting an address, the firewall limits the number of half-open TCP connections and sets a maximum rate of TCP links.
Tear drop - In response to receiving IP fragments that overlap, the firewall tracks the fragments received for every session, detects bad offsets and drops the entire packet (all fragments).
Christmas Tree - In response to a TCP packet received with all flags set, the firewall drops TCP packets that have any two of the SYN, FIN or RST bits set.
LAND - In response to receiving a TCP SYN packet with the same source and destination address, the firewall drops any packet with the same source and destination address.
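The checkspoof reverse-path lookup and the DoS checks listed above, modelled in one small stateful inspector. This is an added example written for this guide, not Enterasys XSR code: the packet field names, the routing-table layout, the internal prefixes, the byte-offset fragment tracking and the thresholds (MAX_HALF_OPEN, MAX_ECHO_PER_SEC) are assumptions chosen for illustration; on the XSR the corresponding limits are set through the CLI.

```python
"""Simplified model of the XSR firewall's checkspoof and DoS checks.

Added example, not XSR code: packet fields, ROUTES, INTERNAL_NETS and the
thresholds below are assumptions made for illustration only.
"""
import ipaddress
from collections import defaultdict

# Constructed routing table: prefix -> interface through which the prefix is reachable.
ROUTES = {
    "0.0.0.0/0": "ext0",       # default route via the external interface
    "10.1.0.0/16": "int0",     # internal network behind int0
    "192.168.5.0/24": "int1",  # second internal network behind int1
}
INTERNAL_NETS = ["10.1.0.0/16", "192.168.5.0/24"]

MAX_HALF_OPEN = 3      # assumed: half-open TCP connections tolerated per destination
MAX_ECHO_PER_SEC = 2   # assumed: ICMP echo requests accepted per second


def rpf_interface(src):
    """Longest-prefix match of src against ROUTES: the interface the firewall
    would route src through, hence the only interface src may legitimately arrive on."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]


def is_spoofed(pkt):
    """checkspoof: the source is not routable back out the ingress interface."""
    return rpf_interface(pkt["src"]) != pkt["ingress"]


def is_directed_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(n).broadcast_address for n in INTERNAL_NETS)


class DosInspector:
    """Stateful inspector; inspect() returns the names of the checks a packet trips."""

    def __init__(self):
        self.half_open = defaultdict(int)     # dst -> outstanding SYNs without an ACK
        self.frags = defaultdict(list)        # (src, dst, ip_id) -> [(offset, length)]
        self.echo_per_sec = defaultdict(int)  # int(timestamp) -> echo requests seen

    def inspect(self, pkt):
        hits = []
        if is_spoofed(pkt):
            hits.append("anti-spoofing")
        if pkt["src"] == pkt["dst"]:          # LAND
            hits.append("land")
        fragmented = pkt.get("frag_offset", 0) > 0 or pkt.get("more_frags", False)
        if fragmented:
            key = (pkt["src"], pkt["dst"], pkt.get("ip_id"))
            off, ln = pkt["frag_offset"], pkt["length"]
            # Tear drop: this fragment overlaps one already received for the same datagram.
            if any(off < o + l and o < off + ln for o, l in self.frags[key]):
                hits.append("teardrop")
            self.frags[key].append((off, ln))
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:   # echo request
            if fragmented:
                hits.append("ping-of-death")
            if is_directed_broadcast(pkt["dst"]):
                hits.append("smurf")
            sec = int(pkt["ts"])
            self.echo_per_sec[sec] += 1
            if self.echo_per_sec[sec] > MAX_ECHO_PER_SEC:
                hits.append("icmp-flood")
        if pkt["proto"] == "tcp":
            flags = set(pkt.get("flags", ()))
            if len(flags & {"SYN", "FIN", "RST"}) >= 2:       # Christmas Tree rule
                hits.append("christmas-tree")
            elif flags == {"SYN"}:                             # new half-open connection
                self.half_open[pkt["dst"]] += 1
                if self.half_open[pkt["dst"]] > MAX_HALF_OPEN:
                    hits.append("syn-flood")
            elif "ACK" in flags and self.half_open[pkt["dst"]] > 0:  # handshake completed
                self.half_open[pkt["dst"]] -= 1
        return hits


def run_sample():
    """Feed constructed packets through one inspector; returns {packet index: hits}."""
    ext, host = "203.0.113.9", "10.1.2.3"
    pkts = [
        dict(ts=1.0, ingress="ext0", src=ext, dst=host, proto="tcp", flags={"SYN"}),        # 0 normal SYN
        dict(ts=1.1, ingress="ext0", src=host, dst="10.1.2.4", proto="tcp", flags={"SYN"}),  # 1 internal src on ext0
        dict(ts=1.2, ingress="ext0", src=ext, dst=ext, proto="tcp", flags={"SYN"}),          # 2 LAND
        dict(ts=1.3, ingress="ext0", src=ext, dst=host, proto="tcp",
             flags={"SYN", "FIN", "RST", "PSH", "URG", "ACK"}),                              # 3 all flags set
        dict(ts=1.4, ingress="ext0", src=ext, dst=host, proto="icmp", icmp_type=8,
             ip_id=7, frag_offset=0, more_frags=True, length=1480),                         # 4 fragmented echo
        dict(ts=1.5, ingress="ext0", src=ext, dst=host, proto="icmp", icmp_type=8,
             ip_id=7, frag_offset=1000, more_frags=False, length=600),                      # 5 overlapping fragment
        dict(ts=2.0, ingress="ext0", src=ext, dst="10.1.255.255", proto="icmp", icmp_type=8),  # 6 directed broadcast
    ]
    # 7-9: SYNs to one host that are never completed; 10-12: echo burst within one second.
    pkts += [dict(ts=3.0, ingress="ext0", src=f"198.51.100.{i}", dst=host, proto="tcp", flags={"SYN"})
             for i in range(3)]
    pkts += [dict(ts=4.0 + i / 10, ingress="ext0", src=f"198.51.100.{i}", dst=host, proto="icmp", icmp_type=8)
             for i in range(3)]
    insp = DosInspector()
    return {i: insp.inspect(p) for i, p in enumerate(pkts)}


if __name__ == "__main__":
    for i, hits in run_sample().items():
        print(i, hits or "pass")
```

The spoof check is a reverse-path lookup: a packet passes only if the longest-matching route for its source points back out the interface it arrived on, which is why the internal address arriving on ext0 (packet 1) is dropped while the same address on int0 would pass. The SYN and ICMP counters are deliberately simple per-destination and per-second tallies; a production implementation ages out state and uses the administrator-configured limits rather than the constants above.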