Enterasys Security Router User's Guide

Features
XSR User’s Guide 16-3
Smurf Attack
A “smurf” attack involves an attacker sending ICMP echo requests from a falsified source (a
spoofed address) to a directed broadcast address, causing all hosts on the target subnet to reply to
the falsified source. By sending a continuous stream of such requests, the attacker can create a
much larger stream of replies, inundating the host whose address is being falsified.
The XSR protects against smurf attacks by turning off directed broadcast and turning on check-spoofing. Disabling directed broadcast keeps the subnets behind the XSR from being used as amplifiers; check-spoofing drops the spoofed-source echo requests on ingress before they can be forwarded. Refer to “Configuring IP” on page 5-1 and the XSR CLI Reference Guide for more information on IP directed broadcast.
Fraggle Attack
A “fraggle” attack is the UDP counterpart of a smurf attack: the attacker sends UDP packets (typically to the echo service) with a spoofed source address to a directed broadcast address, so every responding host on the subnet replies to the victim. It differs from a smurf attack only in that it uses UDP instead of ICMP packets.
The XSR protects against a fraggle attack in the same way, by turning off directed broadcast and turning on check-spoofing. Refer to “Configuring IP” on page 5-1.
IP Packet with Multicast/Broadcast Source Address
This type of attack uses an illegal IP packet whose source address is a multicast or broadcast address; no legitimate sender has such an address. Because XSR interfaces are programmed to discard these packets, no user configuration is necessary.
Spoofed Address Check
This feature detects spoofed IP source addresses by checking the source address of each received packet against the routing table, to verify that the return path to that source is through the interface on which the packet was received. A packet whose source would be routed out a different interface (for example, an internal address arriving on the WAN interface) fails this reverse-path check and is treated as spoofed.
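The three ingress checks described above (discarding multicast/broadcast sources, the check-spoofing reverse-path test, and refusing directed broadcasts) can be modeled together. The following is an added example in Python, not XSR code; the routing table, connected subnets, interface names and addresses are constructed for illustration, and the order in which the checks run is this example's choice.

```python
import ipaddress

# Constructed example topology (not taken from any XSR configuration).
# Routing table: destination prefix -> egress interface.
ROUTES = {
    "10.1.0.0/24": "eth0",   # LAN A
    "10.2.0.0/24": "eth1",   # LAN B
    "0.0.0.0/0": "eth2",     # default route toward the WAN
}

# Directly connected subnets; each one has a directed broadcast address.
CONNECTED = {
    "eth0": "10.1.0.0/24",
    "eth1": "10.2.0.0/24",
    "eth2": "192.0.2.0/30",
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def lookup(addr):
    """Longest-prefix match in ROUTES; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def directed_broadcasts():
    """Broadcast addresses of all connected subnets."""
    return {ipaddress.ip_network(n).broadcast_address for n in CONNECTED.values()}


def rpf_ok(src, ingress):
    """check-spoofing: the route back to src must leave via the interface the packet arrived on."""
    return lookup(src) == ingress


def illegal_source(src):
    """Multicast or broadcast source addresses never belong to a real sender."""
    ip = ipaddress.ip_address(src)
    return ip.is_multicast or ip == LIMITED_BROADCAST or ip in directed_broadcasts()


def ingress_verdict(src, dst, ingress, check_spoofing=True, directed_broadcast=False):
    """Decide what to do with a packet arriving on `ingress`.

    Check order is this example's choice: the illegal-source discard is
    unconditional (as on the XSR), check-spoofing runs next, and the
    directed broadcast check last.
    """
    if illegal_source(src):
        return "drop: multicast/broadcast source"
    if check_spoofing and not rpf_ok(src, ingress):
        return "drop: spoofed source fails reverse-path check"
    if ipaddress.ip_address(dst) in directed_broadcasts() and not directed_broadcast:
        return "drop: directed broadcast disabled"
    return "forward"


if __name__ == "__main__":
    # Smurf attempt from the WAN: the victim's address 10.1.0.5 is spoofed as the
    # source, and the packet is aimed at LAN B's directed broadcast address.
    print(ingress_verdict("10.1.0.5", "10.2.0.255", "eth2"))
    # With check-spoofing off, disabling directed broadcast still stops the amplification.
    print(ingress_verdict("10.1.0.5", "10.2.0.255", "eth2", check_spoofing=False))
    # With both protections disabled the router would forward it.
    print(ingress_verdict("10.1.0.5", "10.2.0.255", "eth2", check_spoofing=False, directed_broadcast=True))
    # Ordinary LAN-to-LAN and inbound WAN traffic pass.
    print(ingress_verdict("10.1.0.5", "10.2.0.7", "eth0"))
    print(ingress_verdict("198.51.100.9", "10.1.0.7", "eth2"))
```

The spoofed smurf packet is caught twice over: the reverse-path check rejects it because the route back to 10.1.0.5 leaves via eth0, not the WAN interface it arrived on, and even with that check disabled the directed-broadcast refusal stops the subnet from answering. Note that the reverse-path test assumes symmetric routing; on a router with asymmetric paths it would also drop legitimate traffic, which is why check-spoofing is a configurable option rather than always on.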
SYN Flood Attack Mitigation
A SYN flood is a form of Denial of Service (DoS) attack in which an attacker floods a server with a barrage of TCP connection requests (SYN segments) whose source addresses are unreachable or spoofed. Because the return addresses are unreachable, the three-way handshakes never complete, and the growing volume of half-open connections eventually exhausts the server's connection table, denying service to valid requests. The XSR defends against SYN floods directed at the router itself; transit packets are not checked.
This feature is always enabled, and the maximum number of TCP sessions allowed is set at run
time, depending on the number of TCP applications running, and the maximum number of
sessions each of them could have. Any connection attempt above this number is denied.
Fragmented and Large ICMP Packets
The XSR offers these features to filter ICMP traffic based on IP data length, IP fragment offset, and the IP fragmentation bits. They apply only to packets destined for the XSR itself; transit packets are not checked.
Fragmented ICMP Traffic
This protection is triggered for ICMP packets with the “more fragments” flag set to 1, or with a nonzero value in the fragment offset field; that is, any fragment of a larger ICMP datagram, whether the first or a later one. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command.
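The fragmented-ICMP and large-ICMP checks above work purely on IPv4 header fields (protocol, flags, fragment offset and data length) and only for packets addressed to the router. The following is an added example in Python that implements those checks on raw packet bytes; it is not XSR code. The router address, the sample packets and the 1024-byte threshold for "large" ICMP are all constructed assumptions, as the page does not give the XSR's actual threshold.

```python
import socket
import struct

ICMP = 1
UDP = 17
# Assumed threshold for the "large ICMP" check; the XSR's real value is not given here.
MAX_ICMP_DATA = 1024


def parse_ipv4(pkt):
    """Extract the IPv4 header fields the HostDoS checks look at.

    Returns None for anything that is not a well-formed IPv4 packet.
    """
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),   # "more fragments" flag
        "offset": flags_frag & 0x1FFF,     # fragment offset, in 8-byte units
        "data_len": total_len - ihl,       # IP data length (bytes after the header)
        "dst": socket.inet_ntoa(dst),
    }


def host_dos_verdict(pkt, local_addrs, fragmented=True, large=True, max_data=MAX_ICMP_DATA):
    """Apply the fragmented/large ICMP checks to one packet.

    `local_addrs` are the router's own addresses: only packets addressed to the
    router are inspected; transit packets pass through unchecked, as on the XSR.
    """
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "drop: malformed IPv4"
    if hdr["dst"] not in local_addrs:
        return "transit: not checked"
    if hdr["proto"] != ICMP:
        return "accept: not ICMP"
    # Any fragment, first (MF=1) or later (offset>0), trips the fragmented-ICMP check.
    if fragmented and (hdr["mf"] or hdr["offset"] != 0):
        return "drop: fragmented ICMP"
    if large and hdr["data_len"] > max_data:
        return "drop: large ICMP"
    return "accept"


def build_ipv4(proto, src, dst, payload, mf=False, offset=0):
    """Builds constructed test packets only; the header checksum is left at zero."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


if __name__ == "__main__":
    router = {"192.0.2.1"}                       # assumed address of the router's WAN interface
    echo = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"A" * 48   # ordinary 56-byte echo request
    print(host_dos_verdict(build_ipv4(ICMP, "198.51.100.9", "192.0.2.1", echo), router))
    # First fragment (MF set) and a later fragment (offset set) of a large echo request.
    print(host_dos_verdict(build_ipv4(ICMP, "198.51.100.9", "192.0.2.1", b"A" * 1480, mf=True), router))
    print(host_dos_verdict(build_ipv4(ICMP, "198.51.100.9", "192.0.2.1", b"A" * 600, offset=185), router))
    # The same fragment aimed at a host behind the router is transit and is not checked.
    print(host_dos_verdict(build_ipv4(ICMP, "198.51.100.9", "10.1.0.7", b"A" * 600, offset=185), router))
```

The offset test matters because a later fragment carries no ICMP header at all; the router can only recognise it as part of an ICMP datagram from the IP protocol field and fragment offset, which is exactly why the check is defined on IP header fields rather than on ICMP contents.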