1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
|
-- *******************************************************************
-- Juniper enterprise security screening objects MIB.
--
-- Copyright (c) 2001-2009, Juniper Networks, Inc.
-- All rights reserved.
--
-- The contents of this document are subject to change without notice.
-- *******************************************************************
JUNIPER-JS-SCREENING-MIB DEFINITIONS ::= BEGIN
IMPORTS
Integer32, Counter64,
NOTIFICATION-TYPE,
MODULE-IDENTITY, OBJECT-TYPE FROM SNMPv2-SMI
DisplayString FROM SNMPv2-TC
ifName FROM IF-MIB
jnxJsScreening FROM JUNIPER-JS-SMI;
jnxJsScreenMIB MODULE-IDENTITY
LAST-UPDATED "201404020000Z" -- Apr 02, 2014
ORGANIZATION "Juniper Networks, Inc."
CONTACT-INFO
"Juniper Technical Assistance Center
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089
E-mail: support@juniper.net
HTTP://www.juniper.net"
DESCRIPTION
"This module defines the MIB for Juniper Enterprise Firewall
screen functionality. Juniper documentation is recommended
as the reference.
Juniper Security Firewall provides various detection methods
and defense mechanisms to combat exploits at all stages of
the path of execution. These includes:
Setting screen options
Firwall DOS attacks
Network DOS attack
OS specific DOS attack
Fragment reassembly
"
REVISION "201404020000Z" -- Apr 02, 2014
DESCRIPTION "Added IPv6 Tunneling Screen statistics MIBs
Add new trap var bindings for IPv6 Tunneling Screen"
REVISION "201311070000Z" -- Nov 07, 2013
DESCRIPTION "Added Udp Port Scan screen statistics MIBs
Add new trap var bindings for Udp Port Scan"
REVISION "201306060000Z" -- Jun. 06, 2013
DESCRIPTION "Added IPv6 screen statistics MIBs
Add new traps"
REVISION "201204061030Z" -- Apr 06, 2012
DESCRIPTION "Added TCP/UDP sweeping MIBs
Put trap to under routing category"
REVISION "200902040000Z" -- Feb 04, 2009
DESCRIPTION "Added following new trap tresholds:
jnxJsScreenSynFloodSrcThresh
jnxJsScreenSynFloodDstThresh
jnxJsScreenSessLimitSrcThresh
jnxJsScreenSessLimitDstThresh
Added following new counters:
jnxJsScreenMonSynFloodSrc
jnxJsScreenMonSynFloodDst
Deprecated following objects:
jnxJsScreenSynAttackQueSize
jnxJsScreenSynAttackAgeTime"
REVISION "200709240000Z" -- Sep 24, 2007
DESCRIPTION "Creation Date"
::= { jnxJsScreening 1 }
jnxJsScreenNotifications OBJECT IDENTIFIER ::= { jnxJsScreenMIB 0 }
jnxJsScreenObjects OBJECT IDENTIFIER ::= { jnxJsScreenMIB 1 }
jnxJsScreenTrapVars OBJECT IDENTIFIER ::= { jnxJsScreenMIB 2 }
-- ***************************************************************
-- Screening table
-- ***************************************************************
jnxJsScreenMonTable OBJECT-TYPE
SYNTAX SEQUENCE OF JnxJsScreenMonEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Juniper security Firewall can allow DI protection on each of
the device's physical interface. This table collects the
screen attributes that monitor the various attacks.
The screen options can be enabled at security zone bounded to
a interface or interfaces. When these options apply to traffic
reaching the device through interfaces (via a zone), they offers
protection against malicious information gathering probe or
an attack to compromise, disable, or harm a network or network
resources."
::= { jnxJsScreenObjects 1 }
jnxJsScreenMonEntry OBJECT-TYPE
SYNTAX JnxJsScreenMonEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The screen option monitoring statistics entry. Each
entry is uniquely identified by the zone name.
The data is collected on a per zone basis. There
can be multiple interfaces bound to a particular
zones. Hence, the statistics are aggregated across
the interfaces on a per zone basis.
"
INDEX { IMPLIED jnxJsScreenZoneName }
::= { jnxJsScreenMonTable 1 }
JnxJsScreenMonEntry ::= SEQUENCE
{
jnxJsScreenZoneName DisplayString,
jnxJsScreenNumOfIf Integer32,
jnxJsScreenMonSynAttk Counter64,
jnxJsScreenMonTearDrop Counter64,
jnxJsScreenMonSrcRoute Counter64,
jnxJsScreenMonPingDeath Counter64,
jnxJsScreenMonAddrSpoof Counter64,
jnxJsScreenMonLand Counter64,
jnxJsScreenMonIcmpFlood Counter64,
jnxJsScreenMonUdpFlood Counter64,
jnxJsScreenMonWinnuke Counter64,
jnxJsScreenMonPortScan Counter64,
jnxJsScreenMonIpSweep Counter64,
jnxJsScreenMonSynFrag Counter64,
jnxJsScreenMonTcpNoFlag Counter64,
jnxJsScreenMonIpUnknownProt Counter64,
jnxJsScreenMonIpOptBad Counter64,
jnxJsScreenMonIpOptRecRt Counter64, -- record route option
jnxJsScreenMonIpOptTimestamp Counter64, -- timestamp option
jnxJsScreenMonIpOptSecurity Counter64,
jnxJsScreenMonIpOptLSR Counter64, -- Loose source route
jnxJsScreenMonIpOptSSR Counter64, -- Strict source route
jnxJsScreenMonIpOptStream Counter64, -- stream options
jnxJsScreenMonIcmpFrag Counter64,
jnxJsScreenMonIcmpLarge Counter64,
jnxJsScreenMonTcpSynFin Counter64,
jnxJsScreenMonTcpFinNoAck Counter64,
jnxJsScreenMonLimitSessSrc Counter64, -- session-limit source ip based
jnxJsScreenMonLimitSessDest Counter64, -- session-limit dest ip based
jnxJsScreenMonSynAckAck Counter64,
jnxJsScreenMonIpFrag Counter64,
-- Threshold data --
jnxJsScreenSynAttackThresh Integer32,
jnxJsScreenSynAttackTimeout Integer32,
jnxJsScreenSynAttackAlmTh Integer32,
jnxJsScreenSynAttackQueSize Integer32,
jnxJsScreenSynAttackAgeTime Integer32,
jnxJsScreenIcmpFloodThresh Integer32,
jnxJsScreenUdpFloodThresh Integer32,
jnxJsScreenPortScanThresh Integer32,
jnxJsScreenIpSweepThresh Integer32,
jnxJsScreenSynAckAckThres Integer32,
-- IPv6 specific data --
jnxJsScreenMonIpv6ExtHdr Counter64,
jnxJsScreenMonIpv6HopOpt Counter64,
jnxJsScreenMonIpv6DstOpt Counter64,
jnxJsScreenMonIpv6ExtLimit Counter64,
jnxJsScreenMonIpMalIpv6 Counter64,
jnxJsScreenMonIcmpMalIcmpv6 Counter64,
jnxJsScreenIpv6ExtNumLim Integer32,
-- Other Screen data --
jnxJsScreenUdpPortScanThresh Integer32,
jnxJsScreenMonUdpPortScan Counter64,
jnxJsScreenMonIpTunnelGre6in4 Counter64,
jnxJsScreenMonIpTunnelGre4in6 Counter64,
jnxJsScreenMonIpTunnelGre6in6 Counter64,
jnxJsScreenMonIpTunnelGre4in4 Counter64,
jnxJsScreenMonIpTunnelIpInUdpTeredo Counter64,
jnxJsScreenMonIpTunnelBadInnerHeader Counter64,
jnxJsScreenMonIpTunnelIpIp6to4relay Counter64,
jnxJsScreenMonIpTunnelIpIp6in4 Counter64,
jnxJsScreenMonIpTunnelIpIp6over4 Counter64,
jnxJsScreenMonIpTunnelIpIp4in6 Counter64,
jnxJsScreenMonIpTunnelIpIp4in4 Counter64,
jnxJsScreenMonIpTunnelIpIp6in6 Counter64,
jnxJsScreenMonIpTunnelIpIpIsatap Counter64,
jnxJsScreenMonIpTunnelIpIpDsLite Counter64
}
jnxJsScreenZoneName OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..255))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The name of the security zone under which the statistics
are collected. "
::= { jnxJsScreenMonEntry 1 }
jnxJsScreenNumOfIf OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of interfaces bound to this zone. Each counter
contains the aggregated data of all the interfaces"
::= { jnxJsScreenMonEntry 2 }
jnxJsScreenMonSynAttk OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The SYN (TCP connection request) attack is a common denial
of service (DoS) technique characterized by the following
pattern:
- Using a spoofed IP address not in use on the Internet,
an attacker sends multiple SYN packets to the target machine.
- For each SYN packet received, the target machine allocates
resources and sends an acknowledgement (SYN-ACK) to the source
IP address. This can cause the target machine to allocate
resources for more than 3 minutes to respond to just one i
SYN attack, hence wasting resources.
This attribute records the number of SYN attacks."
::= { jnxJsScreenMonEntry 3 }
jnxJsScreenMonTearDrop OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Teardrop attacks exploit the reassembly of fragmented IP
packets. In the IP header, one of the fields is the fragment
offset field, which indicates one of the fields is the fragment
offset field. It indicates the starting position of the data
contained in a fragmented packet relative to the data of the
original unfragmented packet. When the sum of the offset and
size of one fragmented packet differ from that of the next
fragmented packet, the packets overlap. The server attempting
to reassemble the packet can crash, especially if it is running
an older operating system that has this vulnerability.
When this option is enabled, the security device detects this
discrepancy in a fragmented packet and drops it and this
attribute counts the number of packets dropped."
::= { jnxJsScreenMonEntry 4 }
jnxJsScreenMonSrcRoute OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"IP source route options can be used to hide their true address
and access restricted areas of a network by specifying a
different path. The security device should be able to either
block any packets with loose or strict source route options
set or detect such packets and then record the event for the
ingress interface.
This attribute records either the loose source route option or
strict source route attack packets."
::= { jnxJsScreenMonEntry 5 }
jnxJsScreenMonPingDeath OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum allowable IP packet size is 65,535 bytes,
including the packet header (typically 20 bytes long).
An ICMP echo request is an IP packet with a pseudo header,
which is 8 bytes long. Therefore, the maximum allowable
size of the data area of an ICMP echo request is 65,507
bytes.
However, many ping implementations allow the user to specify
a packet size larger than 65,507 bytes. A grossly oversized
ICMP packet can trigger a range of adverse system reactions
such as denial of service (DoS), crashing, freezing, and
rebooting.
When the Ping Death option is enabled, the device detects and
rejects such oversized and irregular packet sizes even when
the attacker hides the total packet size by purposefully
fragmenting it.
This attributes counts the ping of death attack packets."
::= { jnxJsScreenMonEntry 6 }
jnxJsScreenMonAddrSpoof OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"One method to gain access to a restricted network is to insert
a bogus source address in the packet header to make the packet
appear to come from a trusted source. This technique is called
IP spoofing. The mechanism to detect IP spoofing relies on
route table entries.
For example, if a packet with source IP address 10.1.1.6 arrives
at port eth3, but the device has a route to 10.1.1.0/24 through
port eth1. IP spoofing checking notes that this address arrived
at an invalid interface as defined in the route table. A valid
packet from 10.1.1.6 can only arrive via eth1, not eth3. The
device concludes that the packet has a spoofed source IP address
and discards it.
This attribute records the address spoofing attack packets."
::= { jnxJsScreenMonEntry 7 }
jnxJsScreenMonLand OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A combined SYN attack with IP spoof is referred to as
Land attack. A Land attack occurs when an attacker sends
spoofed SYN packets containing the IP address of the victim as
both the destination and source IP address. The receiving
system responds by sending the SYN-ACK packet to itself,
creating an empty connection that lasts until the idle timeout
value is reached. Flooding a system with such empty connections
can overwhelm the system, causing a DoS.
This attribute records the land attack packets."
::= { jnxJsScreenMonEntry 8 }
jnxJsScreenMonIcmpFlood OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An ICMP flood typically occurs when ICMP echo requests overload
its victim with so many requests that it expends all its
resources responding until it can no longer process valid network
traffic. With the ICMP flood protection feature enabled, and a
threshold set. If the threshold exceeded, the system invokes the
flood attack protection feature.
The default threshold value is 1000 packets per second. If the
threshold is exceeded, the security device ignores further
ICMP echo requests for the remainder of that second plus the
next second as well.
This attribute records the ICMP flood attack packets."
::= { jnxJsScreenMonEntry 9 }
jnxJsScreenMonUdpFlood OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"UDP flooding occurs when an attacker sends IP packets containing
UDP datagrams with the purpose of slowing down the victim to the
point that it can no longer handle valid connections. With the
UDP flood protection feature enabled, a threshold can be set which
once exceeded, the system invokes the UDP flood attack protection
feature.
The default threshold value is 1000 packets per second.
If the number of UDP datagrams from one or more sources to a
single destination exceeds this threshold, security device
ignores further UDP datagrams to that destination for the
remainder of that second plus the next second as well.
This attribute records the UDP flood attack packets."
::= { jnxJsScreenMonEntry 10 }
jnxJsScreenMonWinnuke OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"WinNuke is a DoS attack targeting any computer on the internet
running Windows. The attacker sends a TCP segment, usually to
NetBIOS port 139 with the urgent (URG) flag set, to a host with
an established connection. This introduces a NetBIOS fragment
overlap, which causes many machines running Windows to crash.
This attributes counts the netbios attack."
::= { jnxJsScreenMonEntry 11 }
jnxJsScreenMonPortScan OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A port scan occurs when one source IP address sends IP packets
containing TCP SYN segments to a defined number of different
ports at the same destination IP address within a defined interval.
The purpose of this attack is to scan the available services in
the hope that at least one port will respond, thus identifying
a service of the target. The device should internally log the
number of different ports scanned from one remote source.
This attribute records the port scan attempt attack packets."
::= { jnxJsScreenMonEntry 12 }
jnxJsScreenMonIpSweep OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An address sweep occurs when one source IP address sends a
defined number of ICMP packets to different hosts within a
defined interval. The purpose of this attack is to send ICMP
packets, typically echo requests, to various hosts in the
hope that at least one replies, thus uncovering an address of
the target. The device internally log the number of ICMP packets
to different addresses from one remote source.
This attributes records the address sweep attemp attack packets."
::= { jnxJsScreenMonEntry 13 }
jnxJsScreenMonSynFrag OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"IP encapsulates a TCP SYN segment in the IP packet that initiates
a TCP connection. The purpose is to initiate a connection and to
invoke a SYN/ACK segment response. The SYN segment typically does
not contain any data since the IP packet is small and there is
no legitimate reason for it to be fragmented. A fragmented SYN
packet is anomalous and is suspectful. To be cautious, it might
be helpful to block such these fragments from entering the
protected network.
When the syn fragmentation check is enable, the security device
detects and drops the packets when the IP header indicates that
the packet has been fragmented while the SYN flag is set in the
TCP header.
This attributes records the detection of the SYN fragments."
::= { jnxJsScreenMonEntry 14 }
jnxJsScreenMonTcpNoFlag OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A normal TCP segment header has at least one flag control set.
A TCP segment with no control flags set is an anomalous event.
Operating systems respond to such anomalies in different ways.
The response, or even lack of response, from the targeted device
can provide a clue as to the target's OS type.
When this option is enabled, if the device discovers such a
header with a missing or malformed flags field, it drops the
packet.
The attribure records the detection of TCP without flag set packets."
::= { jnxJsScreenMonEntry 15 }
jnxJsScreenMonIpUnknownProt OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"According to RFC 1700, some protocol types in IP header are
reserved and unassigned at this time. Precisely because these
protocols are undefined, there is no way to know in advance
if a particular unknown protocol is benign or malicious. Unless
your network makes use of a non-standard protocol with reserved
or unassigned protocol number, a cautious stance is to block
such unknown elements from entering your protected network.
When the Unknown Protocol Protection SCREEN option is enabled,
the security device drops packets when the protocol field
contains a protocol ID number of 137 or greater by default.
This attribute records the detection of Unknown protocol
IP packets."
::= { jnxJsScreenMonEntry 16 }
jnxJsScreenMonIpOptBad OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"IP protocol specifies a set of eight options that provide
special routing controls, diagnostic tools, and security.
These eight options can be used for malicious objectives.
Either intentionally or accidentally, attackers sometimes
misconfigure IP options, producing either incomplete or
malformed fields. The misformatting is anomalous and
potentially harmful to the intended recipient.
When the Bad IP Option Protection SCREEN option is enabled,
the security device detects and blocks packets when any IP
option in the IP packet header is incorrectly formatted.
This attributes records the detection of the IP bad option
packets."
::= { jnxJsScreenMonEntry 17 }
jnxJsScreenMonIpOptRecRt OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP standard RFC 791 specifies a set of options to provide
special routing controls, diagnostic tools, and security.
These options appear after the destination address in an IP packet
header. When they do appear, they are frequently being put to
some nefarious use. Record option is one of these options that an
attacker can use for reconnaissance or for some unknown but
suspicious purpose
When record IP option is received, the security device
flags this as an network reconnaissance attack and records
the event for the ingress interface.
This attribute records the detection of IP record option
packets."
::= { jnxJsScreenMonEntry 18 }
jnxJsScreenMonIpOptTimestamp OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP standard RFC 791 specifies a set of options to provide
special routing controls, diagnostic tools, and security.
These options appear after the destination address in an IP packet
header. When they do appear, they are frequently being put to
some nefarious use. Timestamp is one of these options that an
attacker can use for reconnaissance or for some unknown but
suspicious purpose
When timestamp IP option is received, the security device
flags this as an network reconnaissance attack and records
the event for the ingress interface.
This attribute records the detection of IP timestamp option
packets."
::= { jnxJsScreenMonEntry 19 }
jnxJsScreenMonIpOptSecurity OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP standard RFC 791 specifies a set of options to provide
special routing controls, diagnostic tools, and security.
These options appear after the destination address in an IP packet
header. When they do appear, they are frequently being put to
some nefarious use. Security is one of these options that an
attacker can use for reconnaissance or for some unknown but
suspicious purpose
When the security IP option is received, the security device
flags this as an network reconnaissance attack and records
the event for the ingress interface.
This attribute records the detection of IP security option
packets."
::= { jnxJsScreenMonEntry 20 }
jnxJsScreenMonIpOptLSR OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Attackers can use IP source route options to hide their true
address and access restricted areas of a network by specifying
a different path. The security device should be able to either
block any packets with loose or strict source route options
set or detect such packets and then record the event for the
ingress interface.
This attribute records the detection of loose source route
packets."
::= { jnxJsScreenMonEntry 21 }
jnxJsScreenMonIpOptSSR OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Attackers can use IP source route options to hide their true
address and access restricted areas of a network by specifying
a different path. The security device should be able to either
block any packets with loose or strict source route options
set or detect such packets and then record the event for the
ingress interface.
This attribute records the detection of strict source route
packets."
::= { jnxJsScreenMonEntry 22 }
jnxJsScreenMonIpOptStream OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP standard RFC 791 specifies a set of options to provide
special routing controls, diagnostic tools, and security.
These options appear after the destination address in an IP packet
header. When they do appear, they are frequently being put to
some nefarious use. Stream is one of these options that an
attacker can use for reconnaissance or for some unknown but
suspicious purpose
When the security IP option is received, the security device
flags this as an network reconnaissance attack and records
the event for the ingress interface.
This attribute records the detect of IP stream option
packets."
::= { jnxJsScreenMonEntry 23 }
jnxJsScreenMonIcmpFrag OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"ICMP provides error reporting and network probe capabilities.
ICMP packets contain very short messages, there is no legitimate
reason for ICMP packets to be fragmented. If an ICMP packet is
so large that it must be fragmented, something has gone amiss.
With the ICMP Fragment Protection SCREEN option enabled, the device
should be able to block any ICMP packet with the More Fragments
flag set, or with an offset value indicated in the offset field.
This attribute counts the ICMP fragment packets."
::= { jnxJsScreenMonEntry 24 }
jnxJsScreenMonIcmpLarge OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"ICMP packets contain very short messages, there is no legitimate
reason for ICMP packets to be fragmented.
If an ICMP packet is unusually large, something is wrong. For example,
the Loki program uses ICMP as a channel for transmitting covert
messages. The presence of large ICMP packets might expose a
compromised machine acting as a Loki agent. It might also indicate
some other kind of shifty activity.
When the the Large Size ICMP Packet Protection SCREEN option is enabled,
the device drops ICMP packets with a length greater than 1024 bytes.
This attribute records the detection of large ICMP packets."
::= { jnxJsScreenMonEntry 25 }
jnxJsScreenMonTcpSynFin OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Both the SYN and FIN control flags are not normally set in the
same TCP segment header. The SYN flag synchronizes sequence
numbers to initiate a TCP connection. The FIN flag indicates
the end of data transmission to finish a TCP connection. Their
purposes are mutually exclusive. A TCP header with the SYN and
FIN flags set is anomalous TCP behavior, causing various
responses from the recipient, depending on the OS.
When block both syn and fin option is enable, the device
drops the packet when it discovers such a header
This attribute records the TCP syn fin both set packet
dropped."
::= { jnxJsScreenMonEntry 26 }
jnxJsScreenMonTcpFinNoAck OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A FIN scan sends TCP segments with the FIN flag set in an
attempt to provoke a response and thereby discover an active
host or an active port on a host. The use of TCP segments
with the FIN flag set might evade detection and thereby help
the attacker succeed in his or her reconnaissance efforts.
This attributes records the detection of the TCP fin set
without ack bit set packets."
::= { jnxJsScreenMonEntry 27 }
jnxJsScreenMonLimitSessSrc OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"All the virus-generated traffic originates from the same IP
address (generally from a infected server), a source-based
session limit ensures that the firewall can curb such
excessive amounts of traffic. Based on a threshold value,
if the number of concurrent sessions required to fill up
the session table of the particular firewall.
The default maximum for source-based session limit is 128
concurrent sessions, which can be adjusted to accordingly.
This attribute records the number of the session connection
based on the source IP that exceeds the specified limit."
::= { jnxJsScreenMonEntry 28 }
jnxJsScreenMonLimitSessDest OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The user can limit the number of concurrent sessions
to the same destination IP address. A wily attacker can
launch a distributed denial-of-service (DDoS) attack using
'zombie agents'. Setting a destination-based session limit
can ensure that device allows only an acceptable number of
concurrent connection requests, no matter what the source,
to reach any one host.
The default maximum for destination-based session limit is
128 concurrent sessions.
This attribute records the number of session connection based
on the destination source IP address that exceeds the specified
limit."
::= { jnxJsScreenMonEntry 29 }
jnxJsScreenMonSynAckAck OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an authentication user initiates a Telnet or FTP connection,
the user sends a SYN segment to the Telnet or FTP server. The
device intercepts the SYN segment, creates an entry in its
session table, and proxies a SYN-ACK segment to the user. The
user then replies with an ACK segment. At that point, the initial
3-way handshake is complete. The device sends a login prompt to
the user. When a malicisou user does not log in, but instead
continue initiating SYN-ACK-ACK sessions, the firewall session
table can fill up to the point where the device begins rejecting
legitimate connection requests.
When the SYN-ACK-ACK proxy protection option is enabled, after
the number of connections from the same IP address reaches the
SYN-ACK-ACK proxy threshold, the device rejects further
connection requests from that IP address. By default, the
threshold is 512 connections from any single IP address.
The attribute records the detection of SYN ACK ACK attack."
::= { jnxJsScreenMonEntry 30 }
jnxJsScreenMonIpFrag OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"As packets travels, it is sometimes necessary to break a packet
into smaller fragments based upon the maximum transmission unit
(MTU) of each network. IP fragments might contain an attacker's
attempt to exploit the vulnerabilities in the packet reassembly
code of specific IP stack implementations. When the victim
receives these packets, the results can range from processing
the packets incorrectly to crashing the entire system.
When the block IP framentation flag is enabled, the device blocks
all IP packet fragments that it receives at interfaces bound to
that zone.
This attribute counts the number of block IP fragment packets."
::= { jnxJsScreenMonEntry 31 }
--
-- Threshold values
--
jnxJsScreenSynAttackThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SYN segments to the same destination address
and port number per second required to activate the SYN proxying
mechanism. In order to set the appropriate threshold value, it
requires a through knowledge of the normal traffic patterns at site
For example, if the security device normally gets 2000 SYN
segments per second, the threshold value should be set at
3000/second.
This attribute displays the configured SYN attack threshold value."
::= { jnxJsScreenMonEntry 32 }
jnxJsScreenSynAttackTimeout OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum length of time before a half-completed connection is
dropped from the queue. The default is 20 seconds.
This attributes display the SYN attack timeout value."
::= { jnxJsScreenMonEntry 33 }
jnxJsScreenSynAttackAlmTh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The syn attack alarm threshold causes an alarm to be generated when
the number of proxied, half-complete TCP connection requests per
second requests to the same destination address and port number
exceeds its value.
This attribute display the SYN attack alarm threshold value."
::= { jnxJsScreenMonEntry 34 }
jnxJsScreenSynAttackQueSize OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS deprecated
DESCRIPTION
"The number of proxied connection requests held in the proxied
connection queue before the device starts rejecting new connection
requests.
This attribute displays the SYN attack queue size.
This object has been deprecated."
::= { jnxJsScreenMonEntry 35 }
jnxJsScreenSynAttackAgeTime OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS deprecated
DESCRIPTION
"SYN flood age time.
This object has been deprecated."
::= { jnxJsScreenMonEntry 36 }
jnxJsScreenIcmpFloodThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"ICMP flooding occurs when an attacker sends IP packets containing
ICMP datagrams with the purpose of slowing down the victim to the
point that it can no longer handle valid connections.
This attributes display the ICMP attack alarm threshold value."
::= { jnxJsScreenMonEntry 37 }
jnxJsScreenUdpFloodThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"UDP flooding occurs when an attacker sends IP packets containing
UDP datagrams with the purpose of slowing down the victim to the
point that it can no longer handle valid connections.
The default threshold value is 1000 packets per second.
This attribute displays the UDP attack alarm threshold value."
::= { jnxJsScreenMonEntry 38 }
jnxJsScreenPortScanThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The port scan threshold interval is in microseconds. The default
threshold value is 5000. The valid threshold range is 1000-1000000.
By using the default settings, if a remote host scans 10 ports in
0.005 seconds (5000 microseconds), the device flags this as a
port scan attack, and rejects all further packets from the remote
source for the remainder of the specified timeout period. The
device detects and drops the tenth packet that meets the port scan
attack criterion.
This attribute displays the port scan threshold value."
::= { jnxJsScreenMonEntry 39 }
jnxJsScreenIpSweepThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP sweep threshold interval is in microseconds. The default
threshold value is 5000. The valid threshold range is 1000-1000000.
By using the default settings, if a remote host sends ICMP traffic
to 10 addresses in 0.005 seconds (5000 microseconds), the
security device flags this as an address sweep attack, and
rejects all further ICMP echo requests from that host for
the remainder of the specified threshold time period. The
device detects and drops the tenth packet that meets the address
sweep attack criterion.
This attribute holds the UDP attack alarm threshold."
::= { jnxJsScreenMonEntry 40 }
jnxJsScreenSynAckAckThres OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"SYN ack ack alarm threshold value."
::= { jnxJsScreenMonEntry 41 }
jnxJsScreenMonIpv6ExtHdr OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"In one IPv6 packet, one or more extension headers may appear before
the encapsulated payload after the mandatory header. User can screen
any one or several extension headers.
When the extension header screen is enabled, the device screens all
IPv6 packets with specific header.
The attribute counts the number of block IPv6 extension packets."
::= { jnxJsScreenMonEntry 42 }
jnxJsScreenMonIpv6HopOpt OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"In one IPv6 hop by hop option extension header, it carries a variable
number options. User can screen any one or several options.
When the hop by hop option screen is enabled, the device screens all
IPv6 packets with specific option type.
The attribute counts the number of block IPv6 option type packets."
::= { jnxJsScreenMonEntry 43 }
jnxJsScreenMonIpv6DstOpt OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"In one IPv6 destination option extension header, it carries a variable
number options. User can screen any one or several options.
When the destination option screen is enabled, the device screens all
IPv6 packets with specific option type.
The attribute counts the number of block IPv6 option type packets."
::= { jnxJsScreenMonEntry 44 }
jnxJsScreenMonIpv6ExtLimit OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"In one IPv6 packet, one or more extension headers may appear before
the encapsulated payload. User can screen IPv6 packets if their extension
header number is larger than one limit.
When the extension header limit screen is enabled, the device screens
IPv6 packets with more than one limit extension headers.
The attribute counts the number of block IPv6 packets."
::= { jnxJsScreenMonEntry 45 }
jnxJsScreenMonIpMalIpv6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"One IPv6 packets may contain malformed header, the device tries to block
these packets to protect downstream devices.
When the malformed IPv6 screen is enabled, the device screens IPv6 packets
with malformed header.
The attribute counts the number of block malformed header IPv6 packets."
::= { jnxJsScreenMonEntry 46 }
jnxJsScreenMonIcmpMalIcmpv6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"One ICMPv6 packets may contain malformed content, the device tries to block
these packets to protect downstream devices.
When the malformed ICMPv6 screen is enabled, the device screens ICMPv6
packets with malformed content.
The attribute counts the number of block malformed ICMPv6 packets."
::= { jnxJsScreenMonEntry 47 }
jnxJsScreenIpv6ExtNumLim OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"IPv6 extension header number limit value."
::= { jnxJsScreenMonEntry 48 }
--
-- Other Screen values
--
jnxJsScreenUdpPortScanThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The UDP port scan threshold interval is in microseconds. The default
threshold value is 5000. The valid threshold range is 1000-1000000.
By using the default settings, if a remote host scans 10 ports in
0.005 seconds (5000 microseconds), the device flags this as a
udp port scan attack, and rejects all further packets from the remote
source for the remainder of the specified timeout period. The
device detects and drops the tenth packet that meets the port scan
attack criterion.
This attribute displays the UDP port scan threshold value."
::= { jnxJsScreenMonEntry 49 }
jnxJsScreenMonUdpPortScan OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A UDP port scan occurs when one source IP address sends UDP packets
to a defined number of different ports at the same destination
IP address within a defined interval. The purpose of this attack
is to scan the available services in the hope that at least one
port will respond, thus identifying a service of the target.
The device should internally log the number of different ports
scanned from one remote source.
This attribute records the UDP port scan attempt attack packets."
::= { jnxJsScreenMonEntry 50 }
jnxJsScreenMonIpTunnelGre6in4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP GRE 6in4 Tunnel packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP GRE 6in4 Tunnel attempt attack packets."
::= { jnxJsScreenMonEntry 51 }
jnxJsScreenMonIpTunnelGre4in6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP GRE 4in6 Tunnel packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP GRE 4in6 Tunnel attempt attack packets."
::= { jnxJsScreenMonEntry 52 }
jnxJsScreenMonIpTunnelGre6in6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP GRE 6in6 Tunnel packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP GRE 6in6 Tunnel attempt attack packets."
::= { jnxJsScreenMonEntry 53 }
jnxJsScreenMonIpTunnelGre4in4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP GRE 4in4 Tunnel packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP GRE 4in4 Tunnel attempt attack packets."
::= { jnxJsScreenMonEntry 54 }
jnxJsScreenMonIpTunnelIpInUdpTeredo OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IPinUDP Teredo Tunnel packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IPinUDP Teredo Tunnel attempt attack packets."
::= { jnxJsScreenMonEntry 55 }
jnxJsScreenMonIpTunnelBadInnerHeader OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel Bad Inner Header packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel Bad Inner Header attempt attack packets."
::= { jnxJsScreenMonEntry 56 }
jnxJsScreenMonIpTunnelIpIp6to4relay OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP 6to4 relay packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP 6to4 relay attempt attack packets."
::= { jnxJsScreenMonEntry 57 }
jnxJsScreenMonIpTunnelIpIp6in4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP 6in4 packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP 6in4 attempt attack packets."
::= { jnxJsScreenMonEntry 58 }
jnxJsScreenMonIpTunnelIpIp6over4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP 6over4 packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP 6over4 attempt attack packets."
::= { jnxJsScreenMonEntry 59 }
jnxJsScreenMonIpTunnelIpIp4in6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP 4in6 packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP 4in6 attempt attack packets."
::= { jnxJsScreenMonEntry 60 }
jnxJsScreenMonIpTunnelIpIp4in4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP 4in4 packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP 4in4 attempt attack packets."
::= { jnxJsScreenMonEntry 61 }
jnxJsScreenMonIpTunnelIpIp6in6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP 6in6 packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP 6in6 attempt attack packets."
::= { jnxJsScreenMonEntry 62 }
jnxJsScreenMonIpTunnelIpIpIsatap OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP ISATAP packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP ISATAP attempt attack packets."
::= { jnxJsScreenMonEntry 63 }
jnxJsScreenMonIpTunnelIpIpDsLite OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When an IP Tunnel IPinIP DS-Lite packet meets the attack criteria
specified by current configuration, it will be counted in this
statisitic.
This attribute records the IP Tunnel IPinIP DS-Lite attempt attack packets."
::= { jnxJsScreenMonEntry 64 }
--
-- Additional Syn Flood, Session Limit thresholds and counters
--
jnxJsScreenMonThreshTable OBJECT-TYPE
SYNTAX SEQUENCE OF JnxJsScreenMonThreshEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is a read-only table that augments the
jnxJsScreenMonTable. The purpose of this table is
to keep threshold and counter information about
Syn Flood and Session Limit."
::= { jnxJsScreenObjects 2 }
jnxJsScreenMonThreshEntry OBJECT-TYPE
SYNTAX JnxJsScreenMonThreshEntry
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Syn Flood and Session Limit thresholds and counts."
AUGMENTS { jnxJsScreenMonEntry }
::= { jnxJsScreenMonThreshTable 1 }
JnxJsScreenMonThreshEntry ::= SEQUENCE
{
jnxJsScreenSynFloodSrcThresh Integer32,
jnxJsScreenSynFloodDstThresh Integer32,
jnxJsScreenSessLimitSrcThresh Integer32,
jnxJsScreenSessLimitDstThresh Integer32,
jnxJsScreenMonSynFloodSrc Counter64,
jnxJsScreenMonSynFloodDst Counter64
}
jnxJsScreenSynFloodSrcThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SYN segments received per second from a single
source IP - regardless of the destination IP address and
port number - before the security device begins dropping
connection requests from that source."
::= { jnxJsScreenMonThreshEntry 1 }
jnxJsScreenSynFloodDstThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SYN segments received per second from a single
destination IP address before the security device begins dropping
connection requests to that destination. If a protected host runs
multiple services, you might want to set a threshold based on
destination IP address only - regardless of the destination
port number."
::= { jnxJsScreenMonThreshEntry 2 }
jnxJsScreenSessLimitSrcThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The security device can impose a limit on the number of SYN segments
permitted from a single source IP address."
::= { jnxJsScreenMonThreshEntry 3 }
jnxJsScreenSessLimitDstThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The security device can impose a limit on the number of SYN segments
permitted to a single destination IP address."
::= { jnxJsScreenMonThreshEntry 4 }
jnxJsScreenMonSynFloodSrc OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of concurrent sessions from the same source IP address."
::= { jnxJsScreenMonThreshEntry 5 }
jnxJsScreenMonSynFloodDst OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of concurrent sessions to the same destination IP address."
::= { jnxJsScreenMonThreshEntry 6 }
--
-- This table is for TCP/UDP sweep thresholds and counters
--
jnxJsScreenSweepTable OBJECT-TYPE
SYNTAX SEQUENCE OF JnxJsScreenSweepEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is a read-only table that augments the
jnxJsScreenMonTable. The purpose of this table is
to add counters and thresholds for TCP/UDP sweep
feature."
::= { jnxJsScreenObjects 3 }
jnxJsScreenSweepEntry OBJECT-TYPE
SYNTAX JnxJsScreenSweepEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"TCP/UDP sweep thresholds and counters."
AUGMENTS { jnxJsScreenMonEntry }
::= { jnxJsScreenSweepTable 1 }
JnxJsScreenSweepEntry ::= SEQUENCE
{
jnxJsScreenTcpSweepThresh Integer32,
jnxJsScreenUdpSweepThresh Integer32,
jnxJsScreenMonTcpSweep Counter64,
jnxJsScreenMonUdpSweep Counter64
}
jnxJsScreenTcpSweepThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The TCP sweep threshold interval is in microseconds. The
default threshold value is 5000. The valid threshold range
is 1000-1000000.
By using the default settings, if a remote host initiates TCP
connection to 10 addresses in 0.005 seconds(5000 microseconds),
the security device flags this as an TCP sweep attack, and
rejects all further new TCP connections initiated from that
host for the remainder of the specified threshold time period.
This attribute holds the TCP sweep attack threshold."
::= { jnxJsScreenSweepEntry 1 }
jnxJsScreenUdpSweepThresh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The UDP sweep threshold interval is in microseconds. The
default threshold value is 5000. The valid threshold range is
1000-1000000.
By using the default settings, if a remote host has UDP
connection to 10 addresses in 0.005 seconds(5000 microseconds),
the security device flags this as an UDP sweep attack, and
rejects all further new UDP connections from that host for
the remainder of the specified threshold time period.
This attribute holds the UDP sweep attack threshold."
::= { jnxJsScreenSweepEntry 2 }
jnxJsScreenMonTcpSweep OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of TCP sessions dropped due to TCP sweeping attack."
::= { jnxJsScreenSweepEntry 3 }
jnxJsScreenMonUdpSweep OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of UDP packets dropped due to UDP sweeping attack."
::= { jnxJsScreenSweepEntry 4 }
-- ***************************************************************
-- definition of access authentication related traps.
-- ***************************************************************
--
-- When the device detects an attack, based on configured value,
-- an attack trap is generated.
--
jnxJsScreenAttack NOTIFICATION-TYPE
OBJECTS { jnxJsScreenZoneName,
ifName,
jnxJsScreenAttackType,
jnxJsScreenAttackCounter,
jnxJsScreenAttackDescr
}
STATUS current
DESCRIPTION
"A per min bytes exceed trap signifies that the number of
bytes per minutes has exceeds the specified threshold.
jnxJsScreenZoneName: the zone name under which the attack
is occuring.
ifName the interface at which the attack is occuring.
jnxJsScreenAttackType: type of attack.
jnxJsScreenAttackCounter: the number of attacks recorded
based on the particular screening options enabled. The
value of this counter is the aggregated statistic of all
the interfaces bound to the mentioned zone.
jnxJsScreenAttackDescr: a general text description of the
this attack or the trap."
::= { jnxJsScreenNotifications 1 }
--
-- The trap indicates an screen option is changed.
--
jnxJsScreenCfgChange NOTIFICATION-TYPE
OBJECTS { jnxJsScreenZoneName,
jnxJsScreenAttackType,
jnxJsScreenCfgStatus }
STATUS current
DESCRIPTION
"The screening configuration change trap signifies that
an screening option has been changed(enabled or disabled).
A disable feature may implies a security hole.
jnxJsScreenZoneName is the zone at which the changed option
is applicable to.
jnxJsScreenAttackType the screen feature.
jnxJsScreenCfgStatus: either enabled or disabled"
::= { jnxJsScreenNotifications 2 }
-- **************************************************************
-- Trap variables
-- **************************************************************
jnxJsScreenAttackType OBJECT-TYPE
SYNTAX INTEGER {
icmpFlood (1),
udpFlood (2),
portScanning (3),
ipSweeping (4),
synfloodSrcIP (5),
synfloodDstIP (6),
sessLimitSrcBased (7),
sessLimitDestBased (8),
synAckAck (9),
synAttack (10),
winNuke (11),
tearDrop (12),
ipAddressSpoof (13),
pingDeath (14),
sourceRoute (15),
landAttack (16),
synFragmentation (17),
tcpNoFlag (18),
ipUnknownProtocol (19),
ipOptionBad (20),
ipOptionRecRt (21),
ipOptionTimeStamp (22),
ipOptionSecurity (23),
ipOptionLSR (24),
ipOptionSRR (25),
ipOptionStream (26),
icmpFragmentation (27),
icmpLarge (28),
tcpSynFin (29),
tcpFinNoAck (30),
ipFragmentation (31),
tcpSweeping (32),
udpSweeping (33),
ipv6exthdr (34),
ipv6hbyhopt (35),
ipv6dstopt (36),
ipv6extlim (37),
ipv6malhdr (38),
icmpv6malpkt (39),
udpportScanning (40),
ipTunnelGre6in4 (41),
ipTunnelGre4in6 (42),
ipTunnelGre6in6 (43),
ipTunnelGre4in4 (44),
ipTunnelIpInUdpTeredo (45),
ipTunnelBadInnerHeader (46),
ipTunnelIpIp6to4relay (47),
ipTunnelIpIp6in4 (48),
ipTunnelIpIp6over4 (49),
ipTunnelIpIp4in6 (50),
ipTunnelIpIp4in4 (51),
ipTunnelIpIp6in6 (52),
ipTunnelIpIpIsatap (53),
ipTunnelIpIpDsLite (54)
}
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The type of attacks that the device support."
::= { jnxJsScreenTrapVars 1 }
jnxJsScreenAttackCounter OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The threshold value that triggers the trap to be generated."
::= { jnxJsScreenTrapVars 2 }
jnxJsScreenAttackDescr OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..255))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The description pertinent to the attack trap."
::= { jnxJsScreenTrapVars 3 }
jnxJsScreenCfgStatus OBJECT-TYPE
SYNTAX INTEGER {
disabled (1),
enabled (2)
}
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The screening option configuration status: enabled or disabled."
::= { jnxJsScreenTrapVars 4 }
--
-- End of File
--
END
|
