F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100
Attack type / Description

ICMP Unreachable
Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.

Land
A Land attack occurs when an attacker sends a large number of TCP SYN packets with both the source and destination IP addresses set to the IP address of the target. This exhausts the half-open connection resources of the victim and prevents the target from working properly.

Large ICMP
On some hosts and devices, large ICMP packets cause a memory allocation error that crashes the protocol stack. A large ICMP attacker sends large ICMP packets to a target to crash it.

Route Record
A route record attack exploits the record route option in the IP header to probe the topology of a network.

Scan
A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on those hosts. From this, it works out the topology of the network and prepares for further attacks.

Source Route
A source route attack exploits the source route option in the IP header to probe the topology of a network.

Smurf
A Smurf attacker sends large quantities of ICMP echo requests to the broadcast address or the network address of the target network. As a result, all hosts on the target network reply to the requests. This causes network congestion, and hosts on the target network cannot provide services.

TCP Flag
Some TCP flag combinations are processed differently by different operating systems. A TCP flag attacker sends TCP packets with such flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker can crash the host.

Tracert
The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 at each router the packet passes. When a router gets a packet with a TTL of 0, the router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits this behavior to work out the network topology.

WinNuke
A WinNuke attacker sends out-of-band data with overlapping pointer field values to the NetBIOS port (139) of a Windows system over an established connection, introducing a NetBIOS fragment overlap. This causes the system to crash.
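The entries above (except Scan, which needs per-source state across many packets) can each be recognised from a single packet's headers. The following is an added example written for this page, not code from the HP guide or the device firmware: it builds constructed IPv4/TCP/ICMP/UDP packets with struct and classifies them using the signatures the table describes. The thresholds (LARGE_ICMP_BYTES, TRACERT_MAX_TTL), the broadcast address and all sample addresses are assumptions for the example, not the device's defaults.

```python
import socket
import struct

# Assumed thresholds for this example, not values from the guide.
LARGE_ICMP_BYTES = 1500           # flag ICMP datagrams longer than this
TRACERT_MAX_TTL = 30              # UDP to a high port with a small TTL looks like a probe
TRACERT_MIN_PORT = 33434          # port range traceroute implementations start from
BROADCAST_ADDRS = {"192.0.2.255"}  # constructed: broadcast address of the protected subnet

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137   # record route, loose/strict source route

def build_ipv4(src, dst, proto, payload, ttl=64, options=b""):
    """Constructed IPv4 datagram; checksum left zero because nothing verifies it here."""
    options += b"\x00" * (-len(options) % 4)       # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 1, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload

def tcp_header(sport, dport, flags, urg_ptr=0):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, urg_ptr)

def icmp(type_, payload=b""):
    return struct.pack("!BBHHH", type_, 0, 0, 0, 0) + payload

def udp_header(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def parse_ipv4(raw):
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "total": total,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "options": raw[20:ihl], "payload": raw[ihl:total]}

def ip_option_types(options):
    """Walk the IPv4 options field and return the option type codes present."""
    types, i = set(), 0
    while i < len(options):
        kind = options[i]
        if kind == 0:              # end of option list
            break
        if kind == 1:              # no-operation, single byte
            i += 1
            continue
        types.add(kind)
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                  # truncated or malformed length byte
        i += options[i + 1]
    return types

def classify(raw, broadcast_addrs=BROADCAST_ADDRS):
    """Return the table's attack-type names that a single packet matches."""
    pkt = parse_ipv4(raw)
    hits = []
    opts = ip_option_types(pkt["options"])
    if IPOPT_RR in opts:
        hits.append("Route Record")
    if opts & {IPOPT_LSRR, IPOPT_SSRR}:
        hits.append("Source Route")
    if pkt["proto"] == 1:                                  # ICMP
        icmp_type = pkt["payload"][0]
        if icmp_type == 3:
            hits.append("ICMP Unreachable")
        if icmp_type == 8 and pkt["dst"] in broadcast_addrs:
            hits.append("Smurf")
        if pkt["total"] > LARGE_ICMP_BYTES:
            hits.append("Large ICMP")
    elif pkt["proto"] == 6:                                # TCP
        _sp, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", pkt["payload"][:20])
        flags = off_flags & 0x3F
        if flags & SYN and pkt["src"] == pkt["dst"]:
            hits.append("Land")
        if flags == 0 or (flags & (SYN | FIN)) == (SYN | FIN) or (flags & (SYN | RST)) == (SYN | RST):
            hits.append("TCP Flag")                        # combinations no normal stack sends
        if dport == 139 and flags & URG:
            hits.append("WinNuke")
    elif pkt["proto"] == 17:                               # UDP
        _sp, dport, _len, _csum = struct.unpack("!HHHH", pkt["payload"][:8])
        if dport >= TRACERT_MIN_PORT and pkt["ttl"] <= TRACERT_MAX_TTL:
            hits.append("Tracert")
    return hits

def sample_packets():
    """Constructed packets, one per single-packet attack type in the table, plus a benign SYN."""
    v, a = "192.0.2.10", "198.51.100.7"              # constructed victim and attacker addresses
    rr = bytes([IPOPT_RR, 7, 4]) + b"\x00" * 4         # record-route option with room for one hop
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + socket.inet_aton(a)
    return {
        "ICMP Unreachable": build_ipv4(a, v, 1, icmp(3)),
        "Land": build_ipv4(v, v, 6, tcp_header(80, 80, SYN)),
        "Large ICMP": build_ipv4(a, v, 1, icmp(8, b"A" * 2000)),
        "Route Record": build_ipv4(a, v, 1, icmp(8), options=rr),
        "Source Route": build_ipv4(a, v, 1, icmp(8), options=lsrr),
        "Smurf": build_ipv4(v, "192.0.2.255", 1, icmp(8)),
        "TCP Flag": build_ipv4(a, v, 6, tcp_header(40000, 22, SYN | FIN)),
        "Tracert": build_ipv4(a, v, 17, udp_header(40000, 33434), ttl=3),
        "WinNuke": build_ipv4(a, v, 6, tcp_header(40000, 139, ACK | PSH | URG, urg_ptr=1)),
        "benign": build_ipv4(a, v, 6, tcp_header(40000, 443, SYN)),
    }

if __name__ == "__main__":
    for name, raw in sample_packets().items():
        print(f"{name:17} -> {classify(raw)}")
```

Each sample triggers exactly its own row of the table and the benign SYN triggers nothing; the option walker stops on a malformed length byte rather than looping, which matters because crafted options are exactly what the Route Record and Source Route rows are about.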
SYN Flood
A SYN flood attack exploits TCP SYN packets. Because of resource limits, the number of TCP connections that can be created on a device is bounded. A SYN flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP connections. Because the SYN_ACK packets that the victim sends in response never get acknowledgments, large numbers of half-open connections are created and retained on the victim. This makes the victim inaccessible until the number of half-open connections drops back to a reasonable level as the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.

ICMP Flood
An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests (such as ping packets) in a short period. This prevents the victim from providing normal services.

UDP Flood
A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period. This prevents the victim from providing normal services.
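The three flood entries differ from the single-packet rows in that nothing about one packet is wrong; the signal is rate and, for SYN floods, the pile-up of half-open connections that the description explains. The following is an added example, not code from the HP guide: a small detector that tracks half-open TCP connections per destination (SYN seen, handshake never completed) and sliding-window packet rates for ICMP echo and UDP. The thresholds, window, timeout and all addresses are assumptions chosen for the constructed traffic, not the device's configurable values.

```python
from collections import defaultdict, deque

# Assumed thresholds for this example; the guide's configurable values are not reproduced here.
WINDOW_SECONDS = 1.0        # sliding window for packet-rate counting
HALF_OPEN_TIMEOUT = 30.0    # how long an unanswered SYN is kept as half-open
SYN_FLOOD_HALF_OPEN = 100   # alert when one destination has more half-open entries than this
ICMP_FLOOD_PPS = 200        # echo requests per window to one destination
UDP_FLOOD_PPS = 200         # UDP packets per window to one destination

SYN, RST, ACK = 0x02, 0x04, 0x10

class FloodDetector:
    def __init__(self):
        self.rate = defaultdict(deque)       # (kind, dst) -> timestamps inside the window
        self.half_open = defaultdict(dict)   # dst -> {(src, sport, dport): time of SYN}
        self.active = set()                  # (kind, dst) already alerted, to avoid repeats
        self.alerts = []                     # (kind, dst, timestamp)

    def _alert(self, kind, dst, ts):
        if (kind, dst) not in self.active:
            self.active.add((kind, dst))
            self.alerts.append((kind, dst, ts))

    def _rate(self, kind, dst, ts):
        """Count packets of this kind to dst within the trailing window."""
        q = self.rate[(kind, dst)]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def observe(self, ts, proto, src, dst, sport=0, dport=0, flags=0, icmp_type=None):
        """Feed one parsed packet (fields only; parsing is out of scope here)."""
        if proto == "tcp":
            key, table = (src, sport, dport), self.half_open[dst]
            if flags & SYN and not flags & ACK:
                table[key] = ts                       # new half-open entry
            elif flags & (ACK | RST):
                table.pop(key, None)                  # handshake completed or torn down
            for k in [k for k, t in table.items() if ts - t > HALF_OPEN_TIMEOUT]:
                del table[k]                          # expire, as the victim's stack would
            if len(table) > SYN_FLOOD_HALF_OPEN:
                self._alert("SYN Flood", dst, ts)
        elif proto == "icmp" and icmp_type == 8:
            if self._rate("icmp", dst, ts) > ICMP_FLOOD_PPS:
                self._alert("ICMP Flood", dst, ts)
        elif proto == "udp":
            if self._rate("udp", dst, ts) > UDP_FLOOD_PPS:
                self._alert("UDP Flood", dst, ts)

def simulate():
    """Constructed traffic: normal handshakes, then a SYN flood, an ICMP flood and a UDP flood."""
    det, victim, t = FloodDetector(), "192.0.2.10", 0.0
    for i in range(20):                               # legitimate clients complete the handshake
        client = f"198.51.100.{i + 1}"
        det.observe(t, "tcp", client, victim, 50000 + i, 443, SYN)
        det.observe(t + 0.01, "tcp", client, victim, 50000 + i, 443, ACK)
        t += 0.02
    alerts_after_normal = len(det.alerts)
    for i in range(150):                              # spoofed SYNs that are never acknowledged
        det.observe(t + i * 0.003, "tcp", f"203.0.113.{i % 250 + 1}", victim, 1024 + i, 443, SYN)
    t += 1.0
    for i in range(300):                              # echo requests far above the window rate
        det.observe(t + i * 0.001, "icmp", "203.0.113.9", victim, icmp_type=8)
    t += 1.0
    for i in range(300):
        det.observe(t + i * 0.001, "udp", "203.0.113.9", victim, 40000, 53)
    return det, alerts_after_normal

if __name__ == "__main__":
    detector, _ = simulate()
    for kind, dst, ts in detector.alerts:
        print(f"{ts:6.3f}s  {kind} against {dst}")
```

The half-open table only grows for SYNs that are never followed by the client's ACK, so the twenty legitimate handshakes leave it empty while the spoofed SYNs accumulate until the threshold is crossed; the expiry loop mirrors the timeout the description mentions, which is why a slow trickle of SYNs never trips the alarm.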