Rejects IP packets with an explicit source route.
Detects denial-of-service attacks that work by looping the network stack, by identifying packets with identical source and destination addresses.
The status of each connection and its response times are monitored. This makes it possible to detect inbound connections that are never resolved, which cause the number of status controls to grow until certain limits are exceeded; that condition is a SYN flood. In this case new connections are denied. Although legitimate new connections might be denied, at least the integrity of those already established and of outbound connections is protected.
Rejects UDP streams to a specific port if the number of UDP packets exceeds a preconfigured threshold in a specific time period.
Port scanning detector for TCP ports, i.e. it detects if a host tries to connect to several ports in a specific time period. It blocks the attack by preventing replies to the suspicious host. In addition, it filters the replies so the sender doesn't even get closed port replies.
Detects TCP packets with invalid flag combinations. It acts as a complement to the protection against "Port Scanning" by blocking attacks of this type such as "SYN&FIN" and "NULL FLAGS", and also complements the protection against "OS fingerprinting" attacks, as many of these are based on replies to invalid TCP packets.
IP: Rejects inbound packets with an IP header length that exceeds a specific limit.
TCP: Rejects inbound packets with a TCP header length that exceeds a specific limit.
Fragmentation control: Checks the status of packet fragments to be reassembled at the destination, protecting the system against memory overflow attacks due to missing fragments, ICMP redirects masked as UDP and computer scanning.
Protects the system against UDP port scanning attacks.
Rejects WINS replies that do not correspond to requests sent by the administrator.
Rejects DNS replies that do not correspond to requests sent by the administrator.
Rejects DHCP replies that do not correspond to requests sent by the administrator.
Rejects ARP replies that do not correspond to requests sent by the administrator.
This filter performs various checks.
Small PMTU: By inspecting ICMP packets, the solution detects invalid MTU values used to generate denial of service or slow down outbound traffic.
SMURF: Rejects unsolicited ICMP replies if they exceed a certain threshold in a specific time period.
Drop unsolicited ICMP replies: Rejects all unsolicited ICMP replies and ICMP replies that have expired due to timeout.
Rejects incoming pings.
Falsifies data in replies to the sender to trick operating system detectors. This protection complements the TCP Flags Check.
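
The TCP flag check and the TCP header length check described above can be pictured with the following added example, which is not the product's own code. The 40-byte limit, the function names and the sample headers are assumptions constructed for illustration, and the SYN&RST and FIN+PSH+URG cases go beyond the two combinations the page names.

```python
import struct

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

MAX_TCP_HEADER_LEN = 40  # assumed limit in bytes; the page gives no value


def build_tcp_header(sport, dport, flags, options=b""):
    """Construct a sample TCP header (test input only, checksum left at 0)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4
    off_flags = (offset_words << 12) | flags
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)
    return fixed + options


def check_tcp_header(segment, max_header_len=MAX_TCP_HEADER_LEN):
    """Return the reasons to reject a segment; an empty list means accept."""
    if len(segment) < 20:
        return ["truncated header"]
    off_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (off_flags >> 12) * 4   # data offset is in 32-bit words
    flags = off_flags & 0x3F
    reasons = []
    if header_len < 20 or header_len > len(segment):
        reasons.append("bad data offset")
    elif header_len > max_header_len:
        reasons.append("header too long")
    if flags == 0:
        reasons.append("NULL flags")
    if (flags & SYN) and (flags & FIN):
        reasons.append("SYN&FIN")
    if (flags & SYN) and (flags & RST):
        reasons.append("SYN&RST")
    xmas = FIN | PSH | URG
    if (flags & xmas) == xmas and not (flags & ACK):
        reasons.append("FIN+PSH+URG without ACK")
    return reasons


if __name__ == "__main__":
    for name, f in [("SYN", SYN), ("SYN|FIN", SYN | FIN), ("NULL", 0)]:
        print(name, check_tcp_header(build_tcp_header(40000, 80, f)))
```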