R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

391

392

393

394

395

396

397

398

399

400

Sin

le-

acket attac

Descri

tion

Large ICMP

For some hosts and devices, large ICMP packets cause memory allocation error and

thus crash down the protocol stack. A large ICMP attacker sends large ICMP packets

to a target to make it crash down.

Route Record

An attacker exploits the route record option in the IP header to probe the topology of

a network.

Smurf

An attacker sends an ICMP echo request to the broadcast address of the target

network. As a result, all hosts on the target network reply to the request, causing the

network congested and hosts on the target network unable to provide services.

Source Route

An attacker exploits the source route option in the IP header to probe the topology of

a network.

TCP Flag

Some TCP flags are processed differently on different operating systems. A TCP flag

attacker sends TCP packets with such TCP flags to a target host to probe its operating

system. If the operating system cannot process such packets correctly, the attacker

successfully makes the host crash down.

Tracert

An attacker exploits the Tracert program to probe the network topology.

The Tracert program sends batches of UDP packets with a large destination port

number and an increasing TTL (starting from 1). The TTL of a packet is decreased by

1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a

router must send an ICMP time exceeded message back to the source IP address of the

packet. The Tracert program uses these returning packets to figure out the hosts that

the packets have traversed from the source to the destination.

WinNuke

An attacker sends Out-of-Band (OOB) data with the pointer field values overlapped to

the NetBIOS port (139) of a Windows system with an established connection to

introduce a NetBIOS fragment overlap, causing the system to crash.

Scanning attack

An attacker uses some scanning tools to scan host addresses and ports in a network, so as to find

possible targets and the services enabled on the targets and figure out the network topology, preparing

for further attacks to the target hosts.

Flood attack

An attacker sends a large number of forged requests to the targets in a short time, so that the target

systems is too busy to provide services for legal users, resulting in denial of services.

The device can effectively defend against three types of flood attacks:

• SYN flood attack

Because of the limited resources, the TCP/IP stack permits only a limited number of TCP

connections. An attacker sends a great quantity of SYN packets to a target server, using a forged

address as the source address. After receiving the SYN packets, the server replies with SYN ACK

packets. As the destination address of the SYN ACK packets is unreachable, the server can never

receive the expected ACK packets, and thus have to maintain large amounts of half-open

connections. In this way, the attacker exhausts the system resources of the server, making the

server unable to service normal clients.

• ICMP flood attack

An attacker sends a large number of ICMP requests to the target in a short time by, for example,

using the ping program, causing the target too busy to process normal services.

• UDP flood attack