Manualshelf

Quick Reference Guide

ManualsBrandsDell ManualsComputer equipmentPowerConnect B-TI24x
1031103210331034103510361037103810391040
PowerConnect B-Series TI24X Configuration Guide 1005
53-1002269-02
Chapter
31
Protecting Against Denial of Service Attacks
Protecting against Smurf attacks
This chapter explains how to protect your devices from Denial of Service (DoS) attacks.
In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal
operation. Devices include measures for defending against two types of DoS attacks Smurf attacks
and TCP SYN attacks.
A Smurf attack is a kind of DoS attack where an attacker causes a victim to be flooded with ICMP
echo (Ping) replies sent from another network. Figure 128 illustrates how a Smurf attack works.
FIGURE 128 How a Smurf attack floods a victim with ICMP replies
The attacker sends an ICMP echo request packet to the broadcast address of an intermediary
network. The ICMP echo request packet contains the spoofed address of a victim network as its
source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2
broadcast and sent to the hosts on the intermediary network. The hosts on the intermediary
network then send ICMP replies to the victim network.
For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the
number of hosts on the intermediary network are sent to the victim. If the attacker generates a
large volume of ICMP echo request packets, and the intermediary network contains a large number
of hosts, the victim can be overwhelmed with ICMP replies.
Avoiding being an intermediary in a Smurf attack
A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a
target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a
Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when
directed broadcast forwarding is enabled on the device.
2
1
3
Attacker
Intermediary
Victim
Attacker sends ICMP echo requests to
broadcast address on Intermediary’s
network, spoofing Victim’s IP address
as the source
If Intermediary has directed broadcast
forwarding enabled, ICPM echo requests
are broadcast to hosts on Intermediary’s
network
The hosts on Intermediary’s network
send replies to Victim, inundating Victim
with ICPM packets