Nortel 4134 用户指南
82
Firewall and NAT configuration
Variable
Value
When this command is enabled, the DNS connection limit
is 2000.
By default, this option is enabled.
is 2000.
By default, this option is enabled.
ftp-bounce
Enables/disables FTP bounce check.
In a bounce attack, the hacker uploads a file to the FTP
(File Transfer Protocol) server and then requests this
file to be sent to an internal server. The file can contain
malicious software that destroys data, or it can contain
a simple script that executes instructions on the internal
server that uses up all the memory and CPU resources.
By default, this option is disabled.
In a bounce attack, the hacker uploads a file to the FTP
(File Transfer Protocol) server and then requests this
file to be sent to an internal server. The file can contain
malicious software that destroys data, or it can contain
a simple script that executes instructions on the internal
server that uses up all the memory and CPU resources.
By default, this option is disabled.
icmp-error
Enables/disables ICMP error check.
The icmp-error attacks target ICMP (Internet Control
Message Protocol) error reporting system. By constructing
packets that generate ICMP error responses, an attacker
can overwhelm a server’s incoming network and cause
the server to overwhelm its outgoing network with ICMP
responses.
By default, this option is enabled.
The icmp-error attacks target ICMP (Internet Control
Message Protocol) error reporting system. By constructing
packets that generate ICMP error responses, an attacker
can overwhelm a server’s incoming network and cause
the server to overwhelm its outgoing network with ICMP
responses.
By default, this option is enabled.
ip-unaligned-time
stamp
stamp
Enables/disables IP unaligned timestamp.
Provides support for an unaligned IP timestamp check.
Some operating systems crash if they receive a frame with
the IP timestamp option not aligned on a 32-bit boundary.
By default, this option is disabled.
Provides support for an unaligned IP timestamp check.
Some operating systems crash if they receive a frame with
the IP timestamp option not aligned on a 32-bit boundary.
By default, this option is disabled.
mime-flood
Enables/disables MIME flood check.
The MIME (Multipurpose Internet Mail Extensions) flood
attack is possible on a web server. Here the attacker
keeps sending numerous request headers of extremely
long lengths to the target web server. Over time (and with
enough headers), remote attackers can crash the web
server or consume massive CPU resources, memory, and
so on.
By default, this option is disabled.
The MIME (Multipurpose Internet Mail Extensions) flood
attack is possible on a web server. Here the attacker
keeps sending numerous request headers of extremely
long lengths to the target web server. Over time (and with
enough headers), remote attackers can crash the web
server or consume massive CPU resources, memory, and
so on.
By default, this option is disabled.
source-routing
Enables/disables source routing check.
After enabling source routing check, the firewall filters out
all the datagrams with the strict or loose source routing
option enabled.
By default, this option is disabled.
After enabling source routing check, the firewall filters out
all the datagrams with the strict or loose source routing
option enabled.
By default, this option is disabled.
syn-flooding
Enables/disables syn flooding check.
This option protects the Secure Router from syn-flooding
attacks.
By default, this option is enabled.
This option protects the Secure Router from syn-flooding
attacks.
By default, this option is enabled.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.